Command authorization is a way of facilitating and controlling administration of the PIX Security Appliance. There are three types of command authorization that can be used to control which users execute certain commands:
Enable-level command authorization with passwords
Command authorization using the local user database
Command authorization using Access Control Server (ACS)
The first type of command authorization, enable level with passwords, allows the administrator to use the enable command with the priv_level option to access a PIX Security Appliance privilege level, and then use any command assigned to that privilege level or a lower privilege level. To configure this type of command authorization, the administrator must create and password-protect the privilege levels, assign privilege levels to commands, and enable the command authorization feature.
The PIX Security Appliance supports up to sixteen privilege levels, levels zero through fifteen. Privilege levels can be created and secured by using the enable password command. Access to a particular privilege level can be gained from the > prompt by entering the enable command with a privilege level designation and entering the password for that level when prompted. When inside a privilege level, the commands assigned to that level as well as commands assigned to lower privilege levels can be executed. For example, from privilege level 15, every command can be executed because this is the highest privilege level. If a privilege level is not specified when entering enable mode, the default of 15 is used. Therefore, creating a strong password for level 15 is important.
To assign commands to privilege levels, use the privilege command. Replace the level argument with the privilege level, and replace the command argument with the command to assign to the specified level. The show, clear, or configure parameter can be used to optionally set the privilege level for the show, clear, or configure command modifiers of the specified command. The privilege command can be removed by using the no keyword.
In the figure, privilege levels are set for the different command modifiers of the access-list command. The first privilege command entry sets the privilege level of show access-list to 8. The second privilege command entry sets the privilege level of the configure modifier to 10. The aaa authorization command LOCAL command is then used to enable command authorization. A user who knows the highest privilege level to which the access-list command is assigned, and who also knows the password for that level, is therefore able to view and create ACLs by entering level 10.
Use the privilege command without a show, clear, or configure parameter to set the privilege level for all the modifiers of the command. For example, to set the privilege level of all modifiers of the access-list command to a single privilege level of 10, enter the following command:
privilege level 10 command access-list
For commands that are available in multiple modes, use the mode parameter to specify the mode in which the privilege level applies. Do not use the mode parameter for commands that are not mode-specific. To view the command assignments for each privilege level, use the show running-config privilege all command. The system displays the current assignment of each CLI command to a privilege level.
Use the show privilege level command with the level option to display the command assignments for a specific privilege level. Use the show privilege command command to display the privilege level assignment of a specific command. To view the user account that is currently logged in, enter the show curpriv command.
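As an added example (not part of the original lesson or of Cisco's own tooling), the following script parses the privilege lines from show running-config privilege all output and answers the two questions an auditor asks of this design: what a user who enters a given level can actually run, given that lower levels are inherited, and which state-changing modifiers have been delegated below level 15. The sample output is constructed to mirror the access-list example above, and the level-15 floor is an assumed review threshold.

```python
"""Audit PIX privilege-level assignments from 'show running-config privilege all'."""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample output, not captured from a real appliance. It mirrors the
# access-list example in the text (show at 8, configure at 10) and adds a few
# more assignments so the queries below have something to compare against.
SAMPLE_CONFIG = """\
privilege show level 8 command access-list
privilege configure level 10 command access-list
privilege clear level 15 command access-list
privilege level 10 command logging
privilege show level 15 command running-config
"""

# Matches the syntax the text describes:
#   privilege [show|clear|configure] level <n> [mode <m>] command <cmd>
PRIV_RE = re.compile(
    r"^privilege\s+(?:(?P<modifier>show|clear|configure)\s+)?level\s+(?P<level>\d+)"
    r"\s+(?:mode\s+(?P<mode>\S+)\s+)?command\s+(?P<command>\S+)\s*$"
)

def parse_privileges(text: str) -> List[dict]:
    """One dict per privilege line; a missing modifier means all modifiers."""
    entries = []
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:  # other running-config lines are simply skipped
            entries.append({"modifier": m.group("modifier") or "all",
                            "level": int(m.group("level")),
                            "mode": m.group("mode"),
                            "command": m.group("command")})
    return entries

def commands_available(entries: List[dict], user_level: int) -> Set[Tuple[str, str]]:
    """What a user at user_level may run: that level plus every lower level."""
    return {(e["modifier"], e["command"]) for e in entries if e["level"] <= user_level}

def minimum_level(entries: List[dict], command: str, modifier: str) -> Optional[int]:
    """Lowest level at which the given modifier of command is reachable."""
    levels = [e["level"] for e in entries
              if e["command"] == command and e["modifier"] in (modifier, "all")]
    return min(levels) if levels else None

def weak_assignments(entries: List[dict], floor: int = 15) -> List[Tuple[str, str, int]]:
    """Flag configure/clear (or all-modifier) assignments delegated below floor."""
    return [(e["modifier"], e["command"], e["level"]) for e in entries
            if e["modifier"] in ("configure", "clear", "all") and e["level"] < floor]
```

Feed it the real command output instead of SAMPLE_CONFIG to see every command a level-8 or level-10 administrator inherits, which is the set the enable password for that level is actually protecting.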
Lab Exercise: Configure SSH, Command Authorization, and Local User Authentication using CLI
In this lab exercise, students will configure and verify SSH operation. Students will then configure command authorization and local user authentication.