Cisco ASA 5505 User Manual

Page 764


37-24

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 37 Configuring Management Access

Configuring AAA for System Administrators

To configure local command authorization, perform the following steps:

Detailed Steps

Step 1

Command:

privilege [show | clear | cmd] level level [mode {enable | cmd}] command command

Example:

hostname(config)# privilege show level 5 command filter

Purpose:

Assigns a command to a privilege level. Repeat this command for each command that you want to reassign.

The options in this command are the following:

show | clear | cmd—These optional keywords let you set the privilege only for the show, clear, or configure form of the command. The configure form of the command is typically the form that causes a configuration change, either as the unmodified command (without the show or clear prefix) or as the no form. If you do not use one of these keywords, all forms of the command are affected.

level level—A level between 0 and 15.

mode {enable | configure}—If a command can be entered in user EXEC or privileged EXEC mode as well as configuration mode, and the command performs different actions in each mode, you can set the privilege level for these modes separately:

enable—Specifies both user EXEC mode and privileged EXEC mode.

configure—Specifies configuration mode, accessed using the configure terminal command.

command command—The command you are configuring. You can only configure the privilege level of the main command. For example, you can configure the level of all aaa commands, but not the level of the aaa authentication command and the aaa authorization command separately.

Step 2

Command:

aaa authorization exec authentication-server

Example:

hostname(config)# aaa authorization exec authentication-server

Purpose:

Supports administrative user privilege levels from RADIUS.

Enforces user-specific access levels for users who authenticate for management access (see the aaa authentication console LOCAL command).

Without this command, the ASA only supports privilege levels for local database users and defaults all other types of users to level 15.

This command also enables management authorization for local, RADIUS, LDAP (mapped), and TACACS+ users.

Use the aaa authorization exec LOCAL command to enable attributes to be taken from the local database. See the “Limiting User CLI and ASDM Access with Management Authorization” section on page 37-21 for information about configuring a user on a AAA server to accommodate management authorization.
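The following added example is not from the Cisco guide; it models the rules stated in Steps 1 and 2 in Python so that an administrator can check what a set of privilege assignments actually grants before deploying them. It parses privilege lines in the syntax above, resolves a CLI line to its main command and form (only the main command carries a level), and applies the Step 2 behaviour that non-local users fall back to level 15 without aaa authorization exec. The sample configuration, the function names, and the precedence chosen when a wildcard rule and a keyword-specific rule both match are assumptions.

```python
import re

# Constructed sample of privilege lines in the syntax this page documents
# (not taken from a real device configuration).
SAMPLE_CONFIG = """
privilege show level 5 command filter
privilege cmd level 15 command filter
privilege level 7 command aaa
privilege cmd level 15 mode configure command logging
privilege show level 3 mode enable command logging
"""

# Mode keyword: the page writes both 'cmd' and 'configure'; both accepted.
PRIV_RE = re.compile(
    r"^privilege(?:\s+(show|clear|cmd))?\s+level\s+(\d+)"
    r"(?:\s+mode\s+(enable|configure|cmd))?\s+command\s+(\S+)$")

def parse_privileges(config):
    """Return (form, mode, main_command, level) tuples; None form/mode = any."""
    rules = []
    for line in config.strip().splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised privilege line: " + line)
        form, level, mode, cmd = m.groups()
        if not 0 <= int(level) <= 15:
            raise ValueError("level must be between 0 and 15: " + line)
        rules.append((form, "configure" if mode == "cmd" else mode, cmd, int(level)))
    return rules

def required_level(rules, cli_line, mode="enable"):
    """Level needed to run cli_line in the given mode, or None if no rule.
    Only the main command is matched, so 'aaa authentication ...' and
    'aaa authorization ...' both resolve to the rule for 'aaa'."""
    words = cli_line.split()
    if words[0] in ("show", "clear"):
        form, main = words[0], words[1]
    else:  # unmodified or 'no' form: the configure form of the command
        form, main = "cmd", words[1] if words[0] == "no" else words[0]
    matches = [((f is not None) + (m is not None), lvl)
               for f, m, c, lvl in rules
               if c == main and f in (None, form) and m in (None, mode)]
    # Assumption: when a wildcard and a keyword-specific rule both match,
    # the more specific rule wins (the page states no precedence).
    return max(matches)[1] if matches else None

def effective_level(user_level, from_local_db, exec_authz_enabled):
    """Step 2: without 'aaa authorization exec', only local database users
    keep their level; all other user types are treated as level 15."""
    return user_level if from_local_db or exec_authz_enabled else 15
```

A None result means no privilege line covers that command form, so the device's default level for the command applies, which this model does not include.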
