40-27
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 40 Configuring Management Access
Configuring AAA for System Administrators
show pager
clear pager
quit
show version
Configuring TACACS+ Command Authorization
If you enable TACACS+ command authorization, and a user enters a command at the CLI, the ASA
sends the command and username to the TACACS+ server to determine if the command is authorized.
Before you enable TACACS+ command authorization, be sure that you are logged into the ASA as a user
that is defined on the TACACS+ server, and that you have the necessary command authorization to
continue configuring the ASA. For example, you should log in as an admin user with all commands
authorized. Otherwise, you could become unintentionally locked out.
Do not save your configuration until you are sure that it works the way you want. If you get locked out
because of a mistake, you can usually recover access by restarting the ASA. If you still get locked out,
see the “Recovering from a Lockout” section on page 40-29.
Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability
typically requires that you have a fully redundant TACACS+ server system and fully redundant
connectivity to the ASA. For example, in your TACACS+ server pool, include one server connected to
interface 1, and another to interface 2. You can also configure local command authorization as a fallback
method if the TACACS+ server is unavailable. In this case, you need to configure local users and
command privilege levels according to procedures listed in the “Configuring Command Authorization”
section on page 40-22.
To configure TACACS+ command authorization, perform the following steps:
Detailed Steps
Step 1 To perform command authorization using a TACACS+ server, choose Configuration > Device
Management > Users/AAA > AAA Access > Authorization, and check the Enable authorization for
command access > Enable check box.
Step 2 From the Server Group drop-down list, choose a AAA server group name.
Step 3 (Optional) You can configure the ASA to use the local database as a fallback method if the AAA server
is unavailable. To do so, check the Use LOCAL when server group fails check box. We recommend
that you use the same username and password in the local database as on the AAA server, because the ASA
prompt does not give any indication of which method is being used. Be sure to configure users in the local
database (see the “Adding a User Account to the Local Database” section on page 38-22) and command
privilege levels (see the “Configuring Local Command Authorization” section on page 40-22).
Step 4 Click Apply.
The command authorization settings are assigned, and the changes are saved to the running
configuration.
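The running-config equivalent of Steps 1 through 4, shown as an added example rather than text from the guide; ASDM sends commands of this form to the ASA when you click Apply. The server group name, interface names, addresses, shared secrets and the local username are placeholders.

```cisco
! Added example (not from the guide): TACACS+ command authorization with
! LOCAL fallback. All names, addresses and secrets below are placeholders.
!
! Two TACACS+ servers reached over different interfaces, for the redundant
! server pool and connectivity the text calls for.
aaa-server TACACS-ADMIN protocol tacacs+
aaa-server TACACS-ADMIN (inside) host 192.0.2.10
 key <shared-secret-1>
aaa-server TACACS-ADMIN (management) host 198.51.100.10
 key <shared-secret-2>
!
! Local fallback account with full privileges. Use the same username and
! password as the TACACS+ account, since the prompt does not show which
! method authenticated you.
username admin password <password> privilege 15
!
! The session must be authenticated by AAA so the ASA knows which username
! to send with each command authorization request.
aaa authentication ssh console TACACS-ADMIN LOCAL
!
! Steps 1-3: authorize commands through the TACACS+ group, falling back to
! the local database when the group is unreachable
! (the "Use LOCAL when server group fails" check box).
aaa authorization command TACACS-ADMIN LOCAL
!
! Verify from a second session before saving with "write memory": the new
! session should still accept commands, and the TACACS+ server log should
! show the authorization request for the command you ran.
show running-config aaa
```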