Beginning with PIX Firewall software v6.2, the PIX Firewall
devices support command-level authorization. This assigns user-defined
privilege levels (0 to 15) to PIX Firewall CLI commands, similar to the
privilege levels supported on Cisco routers (Chapter 2) and switches. Local
command authorization is done by assigning privilege levels to commands and
to users with the privilege and username
commands, respectively. Remote command authorization is done through one or more
TACACS+ AAA servers.
By using a Cisco Secure ACS server, you can define authorized CLI
command sets on a per-user basis without needing to define command sets across
all users. This feature is consistent with other downloadable Cisco Secure ACS
features covered in several chapters.
Privilege-level command tracing is supported
using the PIX Firewall Syslog features. Privilege configuration updates are
displayed in the show version command output.
Remote Command Authorization
As seen earlier in this chapter, PIX Firewall users can
authenticate using an AAA TACACS+ or RADIUS server, or by using the LOCAL user
database. Command authorization can be implemented using the LOCAL database or a
TACACS+ server. Implementing command authorization assumes the following
software and hardware versions:
Use the configuration mode aaa authorization
command command to enable command authorization. Only one command
authorization method can be defined at a time. Use the no form of the command to
remove the entry. The syntax is as follows:
Pix(config)# aaa authorization command {LOCAL | tacacs_server_tag}
Pix(config)# no aaa authorization command {LOCAL | tacacs_server_tag}
The following example shows defining the LOCAL database to perform
command authorization:
Pix(config)# aaa authorization command LOCAL
Pix(config)# show aaa
aaa authorization command LOCAL
Pix(config)#
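The following configuration fragment is an added example, not taken from the chapter or from Cisco, that puts the pieces described above together for the LOCAL method: privilege levels assigned to commands with the privilege command, users assigned a level with the username command, enable authentication pointed at the LOCAL database so that each user lands at his or her own level, and command authorization switched on last. The usernames, passwords, and the chosen levels are assumptions for illustration; the lines beginning with ! are annotations, not PIX commands, and should not be pasted into the device.

```text
! Users: one full administrator (level 15) and one operator (level 5).
! The level-15 account is what keeps you from locking yourself out.
username admin password Adm1nP@ss privilege 15
username netops password Op3rP@ss privilege 5

! Command privilege levels. The first keyword selects which form of the
! command the level applies to: show, clear, or configure.
! Operators (level 5) may look at access lists but not change them.
privilege show level 5 command access-list
privilege configure level 10 command access-list
privilege clear level 10 command access-list
privilege show level 5 command conn
privilege clear level 10 command xlate

! Authenticate the enable command against the LOCAL database so a user who
! enters "enable" gets the privilege level attached to his or her username.
aaa authentication enable console LOCAL

! Turn on command authorization last, after the users and levels exist.
aaa authorization command LOCAL
```

With this in place, netops can run show access-list but is refused access-list configuration commands, while admin can run everything. To use TACACS+ instead, define the server with aaa-server (for example, aaa-server MYTACACS protocol tacacs+ followed by an aaa-server MYTACACS (inside) host line) and replace the last line with aaa authorization command MYTACACS; the per-user command sets are then built on the Cisco Secure ACS server rather than with privilege commands on the PIX. Whichever method is used, enable command authorization from a console or a second management session and confirm that the level-15 account can still reach configuration mode before closing the session you used to enable it.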
The next section looks at the privilege-level features
incorporated into the PIX Firewall to facilitate command-level authorization.