Command-Level Authorization
Feb 06, 2010 00:00
by alperen
Beginning with PIX Firewall software v6.2, the PIX Firewall devices support command-level authorization. This provides user-defined command privilege levels (0 to 15) for PIX Firewall CLI commands, similar to the privilege levels supported on Cisco routers (Chapter 2) and switches. Local command authorization is done by assigning privilege levels to commands and users with the privilege and username commands, respectively. Remote command authorization is done through one or more TACACS+ AAA servers. By using a Cisco Secure ACS server, you can define authorized CLI command sets on a per-user basis without needing to define command sets across all users. This feature is consistent with other downloadable Cisco Secure ACS features covered in several chapters. Privilege-level command tracing is supported using the PIX Firewall Syslog features. Privilege configuration updates are displayed in the show version command output.

Remote Command Authorization

As seen earlier in this chapter, PIX Firewall users can authenticate using an AAA TACACS+ or RADIUS server, or by using the LOCAL user database. Command authorization can be implemented using the LOCAL database or a TACACS+ server. Implementing command authorization assumes the following software and hardware versions:
Use the aaa authorization command command in configuration mode to enable command authorization. Only one command authorization method can be defined at a time. Use the no form of the command to remove the entry. The syntax is as follows:
The following example shows defining the LOCAL database to perform command authorization:

Pix(config)# aaa authorization command LOCAL

The next section looks at the privilege-level features incorporated into the PIX Firewall to facilitate command-level authorization.
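The following added example (not part of the original text or of Cisco's documentation) ties the steps above together as a PIX 6.2 configuration session: local privilege levels, a restricted operator account, and command authorization against the LOCAL database, with a TACACS+ alternative. The account names, privilege level 5, the server tag "TACACS+" and the address 10.1.1.10 are assumptions, and the angle-bracket values are placeholders.

```text
! Added example, not from the original text. Lines beginning with "!" are
! annotations for the reader, not PIX commands.

! 1. Authenticate enable-mode access against the LOCAL database so that the
!    privilege level attached to each username is actually applied.
pix(config)# aaa authentication enable console LOCAL

! 2. Keep one full-privilege (level 15) account so administrators cannot lock
!    themselves out once command authorization is turned on.
pix(config)# username admin password <admin-password> privilege 15

! 3. A restricted operator account at privilege level 5 (assumed level).
pix(config)# username netops password <netops-password> privilege 5

! 4. Lower selected read-only commands to level 5. Configuration-mode commands
!    such as "access-list" keep their default level of 15, so the operator can
!    inspect policy and state but not change it.
pix(config)# privilege show level 5 command access-list
pix(config)# privilege show level 5 command logging
pix(config)# privilege show level 5 command xlate

! 5. Enable command authorization against the LOCAL database. Only one
!    authorization method can be active at a time.
pix(config)# aaa authorization command LOCAL

! Alternative: authorize commands through a TACACS+ server (for example, a
! Cisco Secure ACS with per-user command sets). Server tag and address assumed.
pix(config)# aaa-server TACACS+ protocol tacacs+
pix(config)# aaa-server TACACS+ (inside) host 10.1.1.10 <shared-key> timeout 5
pix(config)# no aaa authorization command LOCAL
pix(config)# aaa authorization command TACACS+

! 6. Verify the resulting privilege assignments before logging out of the
!    level-15 session.
pix# show privilege all
```

Log in as the restricted account in a second session and confirm that a configuration-mode command is refused while the level-5 show commands succeed, before closing the level-15 session.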