40-21
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 40 Configuring Management Access
Configuring AAA for System Administrators
Limiting User CLI and ASDM Access with Management Authorization
If you configure CLI or enable authentication, you can limit a local user, RADIUS, TACACS+, or LDAP user (if you map LDAP attributes to RADIUS attributes) from accessing the CLI, ASDM, or the enable command.
Note Serial access is not included in management authorization, so if you enable the Authentication > Serial option, then any user who authenticates can access the console port.
To limit user CLI and ASDM access, perform the following steps:
Detailed Steps
Step 1 To enable management authorization, choose Configuration > Device Management > Users/AAA > AAA Access > Authorization, and check the Perform authorization for exec shell access > Enable check box.
This option also enables support of administrative user privilege levels from RADIUS, which can be used in conjunction with local command privilege levels for command authorization. See the “Configuring Local Command Authorization” section on page 40-22 for more information.
Step 2 To configure the user for management authorization, see the following requirements for each AAA server type or local user:
• RADIUS or LDAP (mapped) users—Use the IETF RADIUS numeric Service-Type attribute, which maps to one of the following values:
  – Service-Type 6 (Administrative)—Allows full access to any services specified by the Authentication tab options.
  – Service-Type 7 (NAS prompt)—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.
  – Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed). Remote access (IPsec and SSL) users can still authenticate and terminate their remote access sessions.
• TACACS+ users—Request authorization with the “service=shell” entry, and the server responds with PASS or FAIL.
  – PASS, privilege level 1—Allows full access to any services specified by the Authentication tab options.
  – PASS, privilege level 2 and higher—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.
  – FAIL—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed).
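As an added example (not code from the guide or from Cisco), the following Python model works through the RADIUS Service-Type and TACACS+ rules above for a given set of configured Authentication tab options, so an administrator can check what a particular server response will actually grant. The option names and the full / cli-only / denied class labels are my own.

```python
"""Added example (not Cisco code): outcomes of ASA management authorization for the
RADIUS Service-Type and TACACS+ service=shell rules described above."""

FULL, CLI_ONLY, DENIED = "full", "cli-only", "denied"  # my labels for the three outcomes

# IETF RADIUS Service-Type values the guide documents for management authorization.
RADIUS_SERVICE_TYPE = {6: FULL, 7: CLI_ONLY, 5: DENIED}

def classify_radius(service_type: int) -> str:
    """Service-Type 6 (Administrative), 7 (NAS prompt) or 5 (Outbound)."""
    if service_type not in RADIUS_SERVICE_TYPE:
        # The guide covers only values 5, 6 and 7; do not guess about others.
        raise ValueError(f"Service-Type {service_type} not covered by these rules")
    return RADIUS_SERVICE_TYPE[service_type]

def classify_tacacs(result: str, privilege_level: int) -> str:
    """TACACS+ answer to the service=shell request: PASS plus privilege level, or FAIL."""
    if result == "FAIL":
        return DENIED
    if result == "PASS" and privilege_level == 1:
        return FULL
    if result == "PASS" and privilege_level >= 2:
        return CLI_ONLY
    raise ValueError(f"unexpected TACACS+ response {result!r} / privilege {privilege_level}")

def management_access(access_class: str, auth_options: set) -> dict:
    """Decision per configured Authentication-tab option (serial, telnet, ssh, http, enable).
    Services whose authentication option is not configured are omitted: the AAA answer
    is not consulted for them."""
    decision = {}
    # Serial is outside management authorization: any authenticated user gets the console.
    if "serial" in auth_options:
        decision["serial"] = True
    for svc in ("telnet", "ssh"):  # CLI access for full and cli-only classes
        if svc in auth_options:
            decision[svc] = access_class in (FULL, CLI_ONLY)
    if "http" in auth_options:  # ASDM: monitoring survives cli-only, configuration does not
        decision["asdm_monitor"] = access_class in (FULL, CLI_ONLY)
        decision["asdm_config"] = access_class == FULL
    if "enable" in auth_options:  # privileged EXEC via enable: full class only
        decision["enable"] = access_class == FULL
    return decision
```

The serial entry is always True when the Serial option is configured, which is the point of the Note above: the console is not protected by this authorization step.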