1.4.4.1 Ensure 'aaa command authorization' is configured correctly

Information

Defines the source of authorization for the commands entered by an administrator/user.

Rationale:

Requiring authorization for commands enforces separation of duties and provides least privilege access for specific job roles.

Solution

Run the following to designate the remote TACACS+/RADIUS servers (server-group_name) as the source of authorization and the local database (LOCAL) as the fallback method if the remote servers are not available.

hostname(config)# aaa authorization command <server-group_name> LOCAL

This implies that, locally, each privilege level has its set of commands configured and its usernames associated, in accordance with the privilege and command definitions on the remote servers.
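The following Python check is an added example, not part of the CIS benchmark or the audit plugin. It reads a saved running-config and verifies that command authorization points at a remote server group with LOCAL as fallback. The sample configurations and the group names TACACS-GRP and OLD-GRP are constructed, and requiring a matching aaa-server definition for the group is an assumption of this example.

```python
import re

# Constructed sample running-config excerpts (not taken from a real device).
COMPLIANT = """\
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 192.0.2.10
aaa authentication ssh console TACACS-GRP LOCAL
aaa authorization command TACACS-GRP LOCAL
"""
NO_FALLBACK = COMPLIANT.replace("command TACACS-GRP LOCAL", "command TACACS-GRP")
LOCAL_ONLY = "aaa authorization command LOCAL\n"
UNDEFINED_GROUP = "aaa authorization command OLD-GRP LOCAL\n"

# Server group definitions, limited to the protocols the page names.
GROUP_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(tacacs\+|radius)\s*$", re.I)
# Authorization source plus an optional fallback keyword.
AUTHZ_RE = re.compile(r"^aaa authorization command\s+(\S+)(?:\s+(\S+))?\s*$")


def check_command_authorization(config: str) -> tuple[bool, str]:
    """Return (passed, reason) for the 'aaa authorization command' check."""
    lines = [ln.strip() for ln in config.splitlines()]
    groups = {m.group(1) for ln in lines if (m := GROUP_RE.match(ln))}
    authz = [m for ln in lines if (m := AUTHZ_RE.match(ln))]
    if not authz:
        return False, "no 'aaa authorization command' line"
    source, fallback = authz[-1].group(1), authz[-1].group(2)
    if source == "LOCAL":
        return False, "authorization uses only the LOCAL database"
    if source not in groups:
        # Assumption of this example: the group must be defined in the config.
        return False, f"server group '{source}' is not defined by an aaa-server line"
    if fallback != "LOCAL":
        return False, "LOCAL fallback is missing"
    return True, f"remote group '{source}' with LOCAL fallback"


if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("no fallback", NO_FALLBACK),
               ("local only", LOCAL_ONLY), ("undefined group", UNDEFINED_GROUP)]
    for name, cfg in samples:
        print(name, check_command_authorization(cfg))
```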

See Also

https://workbench.cisecurity.org/files/3246

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(9), CSCv7|4.3

Plugin: Cisco

Control ID: 86a6ab8638fa0628a212c756348a24533cc9d60af428ed1346d03b881a3ae72b