Wednesday, October 6, 2010

ASA – Command Authorization

 

There are three ways to do this.

  • using enable command
  • using locally defined username and password
  • using AAA defined username and password with AAA server

 

Using enable command for authorization

Create different enable password for desired privilege level.

ASA-Roy(config)# enable password level9 level 9
ASA-Roy(config)# enable password level11 level 11

Adjust the commands' privilege levels.
In this example, level 9 can show the access-list and level 11 can configure it.

ASA-Roy(config)# privilege show level 9 mode exec command access-list
ASA-Roy(config)# privilege configure level 11 command access-list

Be careful that the 'parent' command is adjusted accordingly as well; otherwise you will not be able to use the command even if it is configured correctly.
For example, you need to enable 'configure terminal' for privilege level 11; otherwise you will not be able to enter global configuration mode to issue the 'access-list' command.

Enable command authorization and make sure you have NOT enabled "enable authentication" through AAA or LOCAL.

ASA-Roy(config)# aaa authorization command LOCAL
ASA-Roy(config)# no aaa authentication enable console LOCAL
or
ASA-Roy(config)# no aaa authentication enable console AAA_Method

If you do, you will get the following error message when you try to issue the 'enable privilege_level' command.

ASA-Roy> sh curpriv
Username : admin_asa
Current privilege level : 1
Current Mode/s : P_UNPR
ASA-Roy> enable 9
Enabling to privilege levels is not allowed when configured for
AAA authentication. Use 'enable' only.
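The two pitfalls above (the "enable authentication" conflict and the unadjusted parent command) are easy to miss in a long running-config, so here is an added audit script that checks a config excerpt for both. It is example code written for this post, not from the original, and it assumes an ASA default privilege level of 15 for commands without a 'privilege' entry and that the parent of configuration-mode commands is lowered with 'privilege cmd level 11 mode enable command configure'.

```python
import re

# Constructed running-config excerpt: the post's commands plus the
# 'aaa authentication enable console' line that the post warns against.
BROKEN_CONFIG = """\
enable password level9 level 9
enable password level11 level 11
privilege show level 9 mode exec command access-list
privilege configure level 11 command access-list
aaa authorization command LOCAL
aaa authentication enable console LOCAL
"""

# Same config with the conflict removed and 'configure' (the parent of every
# configuration-mode command) lowered to level 11. Assumed ASA syntax.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authentication enable console LOCAL\n",
    "privilege cmd level 11 mode enable command configure\n")

PRIV_RE = re.compile(r"^privilege (\S+) level (\d+)(?: mode \S+)? command (\S+)$")
DEFAULT_LEVEL = 15  # assumed ASA default for commands with no 'privilege' entry

def parse_privileges(config):
    """Return [(kind, level, command)] for every 'privilege' line."""
    out = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out

def audit(config):
    """Return a list of findings; an empty list means neither pitfall is present."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if any(l.startswith("aaa authorization command") for l in lines) and \
       any(l.startswith("aaa authentication enable console") for l in lines):
        findings.append("'enable <level>' is rejected: 'aaa authentication enable "
                        "console' is configured together with command authorization")
    privs = parse_privileges(config)
    # Lowest level at which 'configure' itself is reachable (the parent gate).
    gate = min((lvl for _, lvl, cmd in privs if cmd == "configure"), default=DEFAULT_LEVEL)
    for kind, lvl, cmd in privs:
        if kind == "configure" and lvl < gate:
            findings.append(f"'{cmd}' is configurable at level {lvl} but 'configure' "
                            f"still needs level {gate}, so the command is unreachable")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```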

 

Using local user for command authorization

ASA-Roy(config)# aaa authentication enable console LOCAL
ASA-Roy(config)# username level9 password level9 privilege 9
ASA-Roy(config)# username level11 password level11 privilege 11

User Access Verification

Password:
Type help or '?' for a list of available commands.
ASA-Roy> enable
Username: level11
Password: *******
ASA-Roy# sh curpriv
Username : level11
Current privilege level : 11
Current Mode/s : P_PRIV

 

Using external AAA server for command authorization

aaa authorization command AAA_GROUP LOCAL
ASA-Roy# sh run aaa-
aaa-server AAA_GROUP protocol tacacs+
aaa-server AAA_GROUP (inside) host 1.1.1.1
key *****


ACS screenshots (images not included in this text)
