Configuring Local Command Authorization
To implement command authorization using the PIX firewall local database, you
must first assign the various commands to appropriate privilege levels using the
following command:
privilege [show | clear | configure] level level [mode {enable | configure}] command command
Pick the appropriate command for which to set a privilege level (show, clear,
or configure, or none if it is not one of these). The level parameter specifies the
privilege level to which to assign the command. The mode parameter specifies the
mode (enable or configure) to which the specified level applies. Finally, command is
the command you are adding to the privilege level.
Once you have assigned commands to the appropriate privilege levels, you need
to assign users to the appropriate privilege levels based on those users' duties. If
you are using the local database, use the username command with the privilege
keyword. The username command syntax was described earlier in this chapter.
Now that you have assigned both commands and users to appropriate privilege
levels, you are ready to enable AAA authorization on the PIX firewall using
the following command:
aaa authorization command LOCAL
Here is an example:
PIX1(config)# privilege show level 10 command access-list
PIX1(config)# privilege configure level 11 command access-list
www.syngress.com
252 Chapter 5 • Authentication, Authorization, and Accounting
PIX1(config)# privilege clear level 12 command access-list
PIX1(config)# username dora password wedidit privilege 12
PIX1(config)# username bootes password abre privilege 11
PIX1(config)# username swiper password noswiping privilege 10
PIX1(config)# aaa authorization command LOCAL
The privilege commands assign different command modifiers of the access-list
command to different privilege levels. The username commands define users and
assign them privilege levels. Finally, the aaa authorization command command
enables local user authorization services. The result is that the user dora is authorized
to configure, clear, and show access lists, the user bootes is permitted to
configure and show access lists, and the user swiper is permitted only to show
access lists.
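As an added example (not the book's own code or anything shipped by Cisco), a small Python audit that parses the privilege and username lines from a PIX configuration like the one above and derives which command modifiers each user can run, applying the rule that a user at level N can run anything assigned to level N or below. The sample configuration, the regular expressions and the audit helpers are constructed here for illustration.

```python
import re

# Constructed sample: the chapter's example configuration as it would appear in
# the running configuration (prompts stripped).
SAMPLE_CONFIG = """
privilege show level 10 command access-list
privilege configure level 11 command access-list
privilege clear level 12 command access-list
username dora password wedidit privilege 12
username bootes password abre privilege 11
username swiper password noswiping privilege 10
aaa authorization command LOCAL
"""

# Hypothetical patterns for the two statement forms described in the text.
PRIV_RE = re.compile(r"^privilege\s+(?:(show|clear|configure)\s+)?level\s+(\d+)"
                     r"\s+(?:mode\s+\S+\s+)?command\s+(\S+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+\S+\s+privilege\s+(\d+)$")

def parse_config(text):
    """Return ({(modifier, command): level}, {user: level}, aaa_local_enabled)."""
    bindings, users, aaa_local = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if m := PRIV_RE.match(line):
            mod, level, cmd = m.groups()
            bindings[(mod or "", cmd)] = int(level)
        elif m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
        elif line == "aaa authorization command LOCAL":
            aaa_local = True
    return bindings, users, aaa_local

def authorization_matrix(text):
    """Map each user to the set of 'modifier command' strings they may run:
    a user at level N may run every binding assigned to a level <= N."""
    bindings, users, _ = parse_config(text)
    return {user: {f"{mod} {cmd}".strip() for (mod, cmd), lvl in bindings.items()
                   if lvl <= ulevel} for user, ulevel in users.items()}

def audit(text, sensitive=("clear", "configure")):
    """List who can reach clear/configure modifiers, and whether local command
    authorization is enabled at all (without it the levels are not enforced)."""
    bindings, users, aaa_local = parse_config(text)
    findings = []
    if not aaa_local:
        findings.append("aaa authorization command LOCAL not set: command authorization disabled")
    for user, ulevel in sorted(users.items()):
        for (mod, cmd), lvl in sorted(bindings.items()):
            if mod in sensitive and lvl <= ulevel:
                findings.append(f"{user} (level {ulevel}) can '{mod} {cmd}' (bound at level {lvl})")
    return findings
```

Running audit(SAMPLE_CONFIG) reproduces the chapter's result: dora reaches both clear and configure, bootes only configure, swiper neither.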
To determine the privilege level to which a particular command is assigned,
use the following command:
show privilege command command
To determine the commands assigned to a particular level, use the following
command:
show privilege level level
To show all the commands and the levels to which they are assigned, use the
following command:
show privilege all