Cisco ASDM User Guide, OL-16647-01, Chapter 16 Configuring Management Access, Configuring AAA for System Administrators (page 16-27)
The Variant column displays show, clear, or cmd. You can set the privilege separately for the show, clear,
or configure (cmd) form of a command. The configure form is typically the form that
causes a configuration change, either the unmodified command (without the show or clear prefix)
or its no form.
To change the level of a command, double-click it or click Edit. You can set the level between 0 and
15. You can only configure the privilege level of the main command. For example, you can configure
the level of all aaa commands, but not the level of the aaa authentication command and the
aaa authorization command separately.
To change the level of all shown commands, click Select All and then Edit.
Click OK to accept your changes.
Step 4 To support administrative user privilege levels from RADIUS, check Perform authorization for exec
shell access > Enable.
Without this option, the security appliance only supports privilege levels for local database users and
defaults all other types of users to level 15.
This option also enables management authorization for local, RADIUS, LDAP (mapped), and TACACS+
users. See the “Limiting User CLI and ASDM Access with Management Authorization” section on
page 16-22 for more information.
Step 5 Click Apply.
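The same settings entered at the ASA CLI, as an added example that is not part of the guide. It assumes that the earlier steps of this procedure (not shown on this page) selected LOCAL as the command authorization server; the usernames, passwords, privilege levels and the choice of the aaa command as the one being restricted are constructed for illustration.

```cisco
! Added example (not from the guide). CLI equivalent of the ASDM procedure above.
! Assumed: earlier steps of this procedure chose LOCAL for command authorization.
! Usernames, passwords and levels below are constructed.

! Prerequisite: authenticate CLI logins and enable access, so the appliance knows
! which username (and therefore which privilege level) is issuing each command.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

! Local users. The privilege keyword is the level the user holds after "enable".
username netops password Ex4mple-Only privilege 5
username secadmin password Ex4mple-Only privilege 15

! Per-command levels: one line per Variant shown in ASDM (show / clear / cmd).
! "cmd" is the configure form (the unmodified command and its "no" form).
! Only the main command takes a level: "aaa" here covers every aaa subcommand;
! "aaa authentication" cannot be set separately from "aaa authorization".
privilege show level 5 command aaa
privilege clear level 10 command aaa
privilege cmd level 15 command aaa

! Step 4: honor privilege levels returned by RADIUS, and enable management
! authorization for local, RADIUS, LDAP (mapped) and TACACS+ users. Without it,
! only local database users get their configured level; everyone else is 15.
aaa authorization exec authentication-server

! Step 5 equivalent: turn on local command authorization.
aaa authorization command LOCAL

! Verify from a second session logged in as netops before saving:
!   show curpriv                  -> reports privilege level 5
!   show running-config aaa       -> permitted (show variant, level 5)
!   clear aaa local user lockout all -> rejected (clear variant needs level 10)
!   show running-config privilege -> lists the per-command levels set above
```

Keep the privilege lines and the local users in the configuration before `aaa authorization command LOCAL` is entered, so that the session that enables authorization is never evaluated against an empty level table.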
Configuring TACACS+ Command Authorization
If you enable TACACS+ command authorization, and a user enters a command at the CLI, the security
appliance sends the command and username to the TACACS+ server to determine if the command is
authorized.
When configuring command authorization with a TACACS+ server, do not save your configuration until
you are sure it works the way you want. If you get locked out because of a mistake, you can usually
recover access by restarting the security appliance, because the unsaved running configuration is
discarded on reload. If you still get locked out, see the “Recovering from
a Lockout” section on page 16-32.
Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability
typically requires that you have a fully redundant TACACS+ server system and fully redundant
connectivity to the security appliance. For example, in your TACACS+ server pool, include one server
connected to interface 1, and another to interface 2. You can also configure local command authorization
as a fallback method if the TACACS+ server is unavailable. The fallback is used only when every server
in the group is unreachable, not when a reachable server denies a command. In this case, you need to
configure local users and command privilege levels according to the “Configuring Command Authorization”
section on page 16-23.
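A redundant TACACS+ server group with local fallback for command authorization, as an added example that is not part of the guide. The server addresses, the interface names (nameif inside and dmz), the group name TACACS_ADMIN, the shared keys, and the usernames and passwords are constructed; the TACACS+ user tacuser is assumed to exist on the servers.

```cisco
! Added example (not from the guide): redundant TACACS+ group with LOCAL fallback.
! Addresses, interface names, group name, keys, usernames and passwords are constructed.

! Local fallback user, configured FIRST so it exists before authorization is
! switched on. Per-command levels for local users are described on page 16-23.
username breakglass password Ex4mple-Only privilege 15

! One server group, two servers reached over two different interfaces, so a
! single link or server failure does not take authorization with it.
aaa-server TACACS_ADMIN protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server TACACS_ADMIN (inside) host 192.0.2.10
 key Sh4red-Key-Example
aaa-server TACACS_ADMIN (dmz) host 198.51.100.10
 key Sh4red-Key-Example

! Prerequisite: CLI and enable authentication against the group, LOCAL fallback.
! LOCAL is consulted only when every server in the group is unreachable,
! not when a server rejects the login.
aaa authentication ssh console TACACS_ADMIN LOCAL
aaa authentication enable console TACACS_ADMIN LOCAL

! Check both servers individually before enabling authorization (tacuser is
! assumed to be defined on the TACACS+ servers):
! test aaa-server authentication TACACS_ADMIN host 192.0.2.10 username tacuser password Ex4mple-Only
! test aaa-server authentication TACACS_ADMIN host 198.51.100.10 username tacuser password Ex4mple-Only

! Command authorization: ask TACACS_ADMIN; if the whole group is unavailable,
! fall back to local privilege levels. Enter this line last.
aaa authorization command TACACS_ADMIN LOCAL

! Do not "write memory" yet. From a second session, confirm that the commands
! you expect are permitted and denied. If you lock yourself out, a reload
! discards this unsaved configuration. Save only once satisfied:
! write memory
```

Entering the `aaa authorization command` line last, from a session that stays open while a second session is tested, is the practical version of the advice above: a mistake in the TACACS+ command set can be undone from the first session, and if both sessions are lost the unsaved configuration goes away on reload.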
This section includes the following topics:
TACACS+ Command Authorization Prerequisites, page 16-27
Configuring Commands on the TACACS+ Server, page 16-28
Enabling TACACS+ Command Authorization, page 16-30

TACACS+ Command Authorization Prerequisites

Configure CLI and enable authentication (see the “Configuring Authentication for CLI, ASDM, and
enable command Access” section on page 16-20).