Cisco Systems ASA5515K9, ASA 5500 Configuring TACACS+ Command Authorization

37-29

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter37 Configuring Management Access

Configuring AAA for System Administrators

–

logout

–

pager

–

show pager

–

clear pager

–

quit

–

show version

Configuring TACACS+ Command Authorization

If you enable TACACS+ command authorization, and a user enters a command at the CLI, the ASA

sends the command and username to the TACACS+ server to determine if the command is authorized.

Before you enable TACACS+ command authorization, be sure that you are logged into the ASA as a user

that is defined on the TACACS+ server, and that you have the necessary command authorization to

continue configuring the ASA. For example, you should log in as an admin user with all commands

authorized. Otherwise, you could become unintentionally locked out.

Do not save your configuration until you are sure that it works the way you want. If you get locked out

because of a mistake, you can usually recover access by restarting the ASA. If you still get locked out,

see the “Recovering from a Lockout” section on page37-31.

Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability

typically requires that you have a fully redundant TACACS+ server system and fully redundant

connectivity to the ASA. For example, in your TACACS+ server pool, include one server connected to

interface 1, and another to interface 2. You can also configure local command authorization as a fallback

method if the TACACS+ server is unavailable. In this case, you need to configure local users and

command privilege levels according to procedures listed in the “Configuring Command Authorization”

section on page 37-22.

To configure TACACS+ command authorization, enter the following command:

Detailed Steps

Command Purpose

aaa authorization command

tacacs+_server_group [LOCAL]

Example:

hostname(config)# aaa authorization

command group_1 LOCAL

Performs command authorization using a TACACS+ server.

You can configure the ASA to use the local database as a fallback method

if the TACACS+ server is unavailable. To enable fallback, specify the

server group name followed by LOCAL (LOCAL is case sensitive). We

recommend that you use the same username and password in the local

database as the TACACS+ server because the ASA prompt does not give

any indication which method is being used. Be sure to configure users in

the local database (see the “Adding a User Account to the Local Database”

section on page 35-20) and command privilege levels (see the

“Configuring Local Command Authorization” section on page37-23).