Troubleshooting guide
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
Chapter 1 Configuring Administrative Login Authentication, Authorization, and Accounting
Configuring AAA Command Authorization
Command authorization enforces authorization through an external AAA server for each command
executed by the CLI user. All commands executed by a CLI user are authorized before they are executed.
RADIUS, Windows domain, and local users are not affected.
Note Only commands executed through the CLI interface are subject to command authorization.
When command authorization is enabled, you must specify "permit null" on the TACACS+ server to
allow authorized commands with no arguments to be executed.
To configure command authorization for a WAAS device or device group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2 Choose Configure > Security > AAA > Command Authorization Settings. The Command
Authorization window appears.
Step 3 Check the Command Authorization Level check box for the desired level.
• Level 0—Only EXEC commands are authorized by the TACACS+ server before they are executed,
regardless of user level (normal or super). Global configuration commands are not allowed.
• Level 15—Both EXEC and global configuration level commands are authorized by the TACACS+
server before they are executed, regardless of user level (normal or super).
Note You must have a TACACS+ server configured before you can configure command authorization.
Step 4 Click Submit to save the settings.
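The following sketch is an added example, not Cisco or TACACS+ server code. It models the decision flow described above: the Level 0 and Level 15 scoping, and the "permit null" requirement for commands with no arguments. The policy table, rule fields, and function names are hypothetical, and the command lines are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Constructed model for illustration only; names and policy are assumptions.
@dataclass
class CommandRule:
    permit_args: list = field(default_factory=list)  # regexes for allowed argument strings
    permit_null: bool = False                         # models the "permit null" entry

# Hypothetical server-side policy: command name -> rule.
POLICY = {
    "show": CommandRule(permit_args=[r"version", r"running-config"]),
    "reload": CommandRule(permit_null=True),
    "exit": CommandRule(),  # command is listed, but "permit null" was forgotten
    "interface": CommandRule(permit_args=[r"GigabitEthernet .*"]),
}

def server_permits(command_line):
    """Server decision: first word is the command, the rest is its arguments."""
    cmd, _, args = command_line.strip().partition(" ")
    rule = POLICY.get(cmd)
    if rule is None:
        return False  # command not listed at all
    if not args:
        # A command sent with no arguments passes only with "permit null".
        return rule.permit_null
    return any(re.fullmatch(p, args) for p in rule.permit_args)

def authorize(level, mode, command_line):
    """Apply the level semantics from Step 3, then consult the server.

    level: 0 or 15 (the Command Authorization Level check box).
    mode:  "exec" or "config" (global configuration).
    The user's own level (normal or super) is deliberately not an input.
    """
    if level not in (0, 15) or mode not in ("exec", "config"):
        raise ValueError("level must be 0 or 15; mode must be 'exec' or 'config'")
    if mode == "config" and level == 0:
        return "denied: global configuration not allowed at level 0"
    return "permitted" if server_permits(command_line) else "denied by server"

if __name__ == "__main__":
    for lvl, mode, line in [
        (15, "exec", "show version"),
        (15, "exec", "reload"),
        (15, "exec", "exit"),  # fails: no "permit null" on this command
        (0, "config", "interface GigabitEthernet 1/0"),
        (15, "config", "interface GigabitEthernet 1/0"),
    ]:
        print(lvl, mode, repr(line), "->", authorize(lvl, mode, line))
```

In this model, `exit` is denied even though it appears in the policy, which is the lockout symptom to check for before enabling command authorization on a production device group.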
Configuring AAA Accounting for WAAS Devices
Accounting tracks all user actions and when the actions occurred. It can be used for an audit trail or for
billing for connection time or resources used (bytes transferred). Accounting is disabled by default.
The WAAS accounting feature uses TACACS+ server logging. Accounting information is sent to the
TACACS+ server only, not to the console or any other device. The syslog file on the WAAS device logs
accounting events locally. The format of events stored in the syslog is different from the format of
accounting messages.
The TACACS+ protocol allows effective communication of AAA information between WAAS devices
and a central server. It uses TCP for reliable connections between clients and servers. WAAS devices
send authentication and authorization requests, as well as accounting information to the
TACACS+ server.
Note Before you can configure the AAA accounting settings for a WAAS device, you must first configure the
TACACS+ server settings for the WAAS device. (See the “About TACACS+ Server Authentication
Settings” section on page 1-14.)