Command authorization

Command authorization is a way of facilitating and controlling administration of the PIX Security Appliance. Three methods of command authorization can be used to control which users may execute which commands:

  • Enable-level command authorization with passwords
  • Command authorization using the local user database
  • Command authorization using Access Control Server (ACS)

The first method, enable-level command authorization with passwords, lets an administrator use the enable command with the priv_level option to enter a PIX Security Appliance privilege level and then run any command assigned to that level or to a lower level. To configure it, the administrator creates and password-protects the privilege levels, assigns commands to privilege levels, and enables the command authorization feature.

The PIX Security Appliance supports sixteen privilege levels, 0 through 15. A privilege level is created and secured with the enable password command. From the > prompt, a user enters a level with the enable command followed by the level number and supplies that level's password when prompted. Inside a privilege level, the commands assigned to that level and to every lower level can be executed; from level 15, the highest level, every command can be executed. If no level is given with enable, the default is 15, so a strong password for level 15 is essential. Because these level passwords are shared secrets rather than per-user credentials, this method cannot attribute a command to an individual; the other two methods, the local user database and ACS, provide that accountability.

To assign commands to privilege levels, use the privilege command. Replace the level argument with the privilege level and the command argument with the command being assigned. The optional show, clear, or configure keyword sets the level for only that form of the command (its show or clear modifier, or the configuration form that changes the configuration); omitting the keyword affects every form of the command. A privilege assignment is removed with the no form of the same privilege command.

In the figure, privilege levels are set for the different command modifiers of the access-list command. The first privilege entry sets the level of show access-list to 8. The second sets the level of the configure form to 10; the clear form is not reassigned, so it keeps its default level of 15. The aaa authorization command LOCAL command then enables command authorization. A user who knows the highest level to which the access-list command is assigned, and the password for that level, can enter level 10 and both view and create ACLs.

Use the privilege command without a show, clear, or configure keyword to set one privilege level for all forms of the command. For example, to set every form of the access-list command to level 10, enter the following command:

privilege level 10 command access-list

For commands that are available in multiple modes, use the mode parameter to specify the mode in which the privilege level applies. Do not use the mode parameter for commands that are not mode-specific.

To view the command assignments for every privilege level, use the show running-config privilege all command. The output lists the privilege level currently assigned to each CLI command.

Add the level option (show running-config privilege level level) to display the commands assigned to one privilege level, or the command option (show running-config privilege command command) to display the level assigned to one command. The show curpriv command displays the username and privilege level of the current session.
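The complete procedure described above, written out as an added example rather than the course's own figure: it creates three password-protected levels, reproduces the access-list split (show at 8, configure at 10), adds a mode-specific assignment, enables local command authorization, runs the verification commands, and then shows what an operator at level 8 and at level 10 can and cannot do. The hostname pix, the passwords, the level numbers and the ACL name are placeholders; lines beginning with ! are annotations, not commands. Keyword spelling follows this page and the PIX documentation; on a given release, privilege ? shows the accepted forms, and ASA running configurations print the configure modifier as cmd and the modes as exec and configure.

```cisco
! Step 1: create and password-protect the levels. Level 15 gets a strong
! password first, because a bare "enable" defaults to level 15.
pix(config)# enable password Adm1n-only-15 level 15
pix(config)# enable password Ops-lvl-10 level 10
pix(config)# enable password Help-lvl-8 level 8

! Step 2: assign commands to levels.
! access-list: show form at 8, configure form at 10 (the split from the text).
! The clear form is not reassigned, so it keeps the default level of 15.
pix(config)# privilege show level 8 command access-list
pix(config)# privilege configure level 10 command access-list

! All forms of one command at a single level:
pix(config)# privilege level 10 command access-group

! A command that exists in both EXEC and configuration mode gets the mode
! keyword (enable = user/privileged EXEC, configure = configuration mode).
pix(config)# privilege show level 8 mode enable command logging
pix(config)# privilege configure level 10 mode configure command logging

! Caveat not stated on the page: "configure terminal" is itself a command and,
! like every command not reassigned, defaults to level 15. Without this line
! the level-10 operator can view ACLs but never reaches configuration mode.
pix(config)# privilege level 10 command configure

! Step 3: enable command authorization against these levels. Keep a second,
! already-authorized session open until the new settings are confirmed.
pix(config)# aaa authorization command LOCAL

! Step 4: verify the assignments and the current session's level.
pix(config)# show running-config privilege all
pix(config)# show running-config privilege level 10
pix(config)# show running-config privilege command access-list
pix(config)# show curpriv

! Operator session on a separate login. Level 8 can show ACLs but cannot enter
! configuration mode; level 10 can show and create ACLs; neither can use the
! clear form, which stayed at level 15. Rejected commands are marked below;
! the exact rejection text varies by software release.
pix> enable 8
Password: **********
pix# show access-list
pix# configure terminal
! rejected: configure is assigned to level 10
pix# exit
pix> enable 10
Password: **********
pix# configure terminal
pix(config)# access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
pix(config)# clear access-list OUTSIDE_IN counters
! rejected: the clear form of access-list remains at level 15
```

Two practical checks before leaving the console: confirm with show curpriv that the fallback session really is at level 15, and confirm with show running-config privilege level 15 that nothing an operator needs day to day was left there by accident, since every unassigned command stays at 15 once authorization is on.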

Lab Activity

Lab Exercise: Configure User Authentication and Command Authorization using ASDM

In this lab exercise, students will configure command authorization, local user authentication, and SSH.

Lab Activity

Lab Exercise: Configure SSH, Command Authorization, and Local User Authentication using CLI

In this lab exercise, students will configure and verify SSH operation. Students will then configure command authorization and local user authentication.