Configuring tacacs+ command authorization – Cisco ASA 5505 User Manual
Page 769
37-29
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 37 Configuring Management Access
Configuring AAA for System Administrators
–
login
–
logout
–
pager
–
show pager
–
clear pager
–
quit
–
show version
Configuring TACACS+ Command Authorization
If you enable TACACS+ command authorization, and a user enters a command at the CLI, the ASA
sends the command and username to the TACACS+ server to determine if the command is authorized.
Before you enable TACACS+ command authorization, be sure that you are logged into the ASA as a user
that is defined on the TACACS+ server, and that you have the necessary command authorization to
continue configuring the ASA. For example, you should log in as an admin user with all commands
authorized. Otherwise, you could become unintentionally locked out.
Do not save your configuration until you are sure that it works the way you want. If you get locked out
because of a mistake, you can usually recover access by restarting the ASA. If you still get locked out,
see the
“Recovering from a Lockout” section on page 37-31
Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability
typically requires that you have a fully redundant TACACS+ server system and fully redundant
connectivity to the ASA. For example, in your TACACS+ server pool, include one server connected to
interface 1, and another to interface 2. You can also configure local command authorization as a fallback
method if the TACACS+ server is unavailable. In this case, you need to configure local users and
command privilege levels according to procedures listed in the
“Configuring Command Authorization”
.
To configure TACACS+ command authorization, enter the following command:
Detailed Steps
Command
Purpose
aaa authorization command
tacacs+_server_group [LOCAL]
Example:
hostname(config)# aaa authorization
command group_1 LOCAL
Performs command authorization using a TACACS+ server.
You can configure the ASA to use the local database as a fallback method
if the TACACS+ server is unavailable. To enable fallback, specify the
server group name followed by LOCAL (LOCAL is case sensitive). We
recommend that you use the same username and password in the local
database as the TACACS+ server because the ASA prompt does not give
any indication which method is being used. Be sure to configure users in
the local database (see the
“Adding a User Account to the Local Database”
) and command privilege levels (see the
“Configuring Local Command Authorization” section on page 37-23