Configuring Command Authorization
As discussed previously, AAA authorization is often used to authorize either
user actions attempted while logged into a network device (such as a PIX firewall)
or attempts to use network services. This section discusses the use of the
PIX firewall AAA mechanisms to control user actions on the firewall itself,
sometimes called command authorization.
Beginning with version 6.2, the PIX introduces support for up to 16 privilege
levels so that you can define and assign user privileges based on what is
necessary to perform their duties. This is similar to what has been available
with Cisco IOS software. Sixteen privilege levels (0 through 15) are available, and
the higher the privilege level, the more access the level has. By default, most PIX
firewall commands are assigned to Privilege Level 15 (commonly referred to as
Enable or Privileged mode), with only a few assigned to Privilege Level 0. No
commands are assigned to privilege levels between 1 and 14. You do not have
to give a user full privileged access to the PIX firewall if the user only needs to
execute a small subset of commands. This is normally accomplished by moving
commands from Privilege Level 15 into lower privilege levels. You also have the
option of moving commands from Privilege Level 0 into higher privilege levels.
Keep in mind that a user logged in at a given level can execute every command
assigned to that level or to any lower level, so lowering a command's level
widens who can run it rather than narrowing it.
You can implement command authorization using either the PIX firewall local
database or an AAA server (a TACACS+ server; command authorization is not
performed over RADIUS).
Regardless of the method you choose, the general steps you need to follow in
configuring AAA authorization on the PIX firewall are as follows:
1. Assign commands to appropriate privilege levels. If you are enabling
authorization using the PIX firewall local database, use the privilege command.
If you are enabling AAA authorization using an AAA server, use
the appropriate mechanism provided by the server.
2. Define user accounts assigned to appropriate privilege levels. If you are
enabling AAA authorization using the PIX firewall local database, use
the username command. If you are enabling AAA authorization using an
AAA server, use the appropriate mechanism provided by the server.
www.syngress.com
Authentication, Authorization, and Accounting • Chapter 5 251
3. Enable AAA authorization on the PIX firewall. Regardless of whether
you are enabling AAA authorization using the PIX firewall local
database or an AAA server, use the aaa authorization command.
WARNING
When configuring command authorization, do not save your configuration
until you are sure it works. If you are locked out due to a mistake,
you can usually recover access by simply restarting the PIX firewall from
the configuration that is saved in flash memory, which will not yet contain
the unsaved authorization changes.
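Putting the three steps together, the following is an added example of a PIX 6.2
configuration that builds a read-only operator level from the local database. It is
not configuration from the original text; the usernames, passwords, the choice of
level 5 and the particular commands moved are assumptions chosen for illustration.

```cisco
! Step 1: move a few read-only commands from level 15 down to level 5.
! Remember that every user at level 5 or higher can then run them.
privilege show level 5 command interface
privilege show level 5 command xlate
privilege show level 5 command conn
privilege show level 5 command logging
privilege level 5 mode enable command ping

! Step 2: define accounts in the local database (names and passwords
! are assumptions). "ops" is limited to level 5; "admin" keeps level 15.
username ops password OpsPass123 privilege 5
username admin password AdmPass456 privilege 15

! Step 3: authenticate console, SSH and enable logins against the local
! database, then turn on command authorization using the same database.
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL

! Verify before saving: list what level 5 may run and check your own level.
show privilege level 5
show curpriv
```

Before issuing write memory, open a second session and log in as ops: show interface
and ping should succeed, while configure terminal and write memory should be refused
as unauthorized. If the admin session is locked out by a typo, a reload restores the
flash copy, which does not yet contain these lines.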