Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Command Authotization on Pix 6.3 and ACS v3.3


I am researching on how to enable command authorization on a pix firewall software v6.3 through an ACS v3.3.

I only have a production unit so i am very cautious on doing test configuration on the firewall. I might get locked-up and kicked in the butt. =)

Inputs on the step-by-step configuration of ACS and pix would be greatly appreciated.

Thanks in advance!



Re: Command Authotization on Pix 6.3 and ACS v3.3


On the ACS side, the config you choose very much depends on the scale of your deployment.

If you have one or two users, you can define per-user command authorisation within ACS.

If you have many users, you should do this at group level.

Moving on, if you have many devices you can look at creating pixshell command sets and grouping the devices into Network Device Groups (NDGs). Within each group you then map from NDGs to command sets.

This gives the functionality of an RBAC (Role Based Access Control) server. Where a member of a group has a certain role with associated rights based on what NDG being configured.

You may also want to use NARs to prevent certain admins even being able to logon to the device.

So the first job is to scope your deployment and figure out what level of config (and hence complexity) is required in ACS.

Then get a copy of extraxi aaa-reports! to audit your ACS logs :)


CreatePlease login to create content