Table Of Contents
Configuring Authentication, Authorization, and Accounting
Overview
Configuring the Accounting Server
Specifying AAA Accounting Settings
Configuring the Authentication Server
Specifying AAA Authentication Settings
Configuring the AAA Policy
Authentication Failover
Unreachable Failover
Example
Specifying the Policy that Controls the Behavior of Authentication and Authorization
Configuring Privileges
Configuration Example
Creating and Customizing Privileges
Configuring Accounting Event Logging
Configuring Accounting Event Logging
Configuring Console Authentication
Specifying Whether the Console Connection is Subject to Authentication
Configuring Authentication, Authorization, and Accounting
Last Updated: July 21, 2010
This chapter contains procedures for:
•
Configuring the Accounting Server
•Configuring the Authentication Server
•Configuring the AAA Policy
•Configuring Privileges
•Configuring Accounting Event Logging
•Configuring Console Authentication
Overview
Release 7.0 provides a set of new features for Authentication, Authorization, and Accounting (AAA). These features expand on the authentication and authorization functionality available in previous releases, such as determining which user could access restricted services by assigning predefined privileges to groups.
In release 7.0, you can create new privileges and customize existing privileges and then assign these privileges to groups as you did in previous releases.
In addition, release 7.0 also includes these new AAA features:
•The ability to log AAA accounting information that enables you to easily audit configuration changes, maintain security, accurately allocate resources, and determine who should be billed for the use of resources.
•The ability to use a remote RADIUS server for authentication.
•The ability to configure failover capabilities to for the accounting and authentication servers.
To configure the AAA features, use the following procedures:
•Configuring the Accounting Server
•Configuring the Authentication Server
•Configuring the AAA Policy
•Configuring Privileges
•Configuring Accounting Event Logging
•Configuring Console Authentication
Configuring the Accounting Server
You can configure up to two AAA accounting servers. Automatic failover functionality is provided if you have two accounting servers configured. In this case, if the first server is unreachable, the accounting information is sent the second server. If both accounting servers are unreachable, accounting records are cached until a server becomes available. If a server cannot be reached before the cache is full, the oldest accounting packets are dropped to make room for the new packets.
Because the configuration of the AAA accounting server is completely independent of the AAA authentication server, you can configure the AAA accounting server to be on the same or different machine from the AAA authentication server.
If you use a syslog server, it is not affected by the AAA configuration and continues to use the existing user interfaces. When the RADIUS server sends AAA accounting information to a syslog server, it is normalized into a single string before being recorded. If no syslog server is defined, the AAA accounting logs are recorded by the syslog server running locally on Cisco Unity Express.
For an accounting server, you can configure the following information used to log into the server:
•Server IP address or DNS name
•Port number used
•Cryptographic shared secret and security credentials
•Number of login retries
•Length of login timeout
Note Only RADIUS servers are supported.
Specifying AAA Accounting Settings
SUMMARY STEPS
1. config t
2. aaa accounting server remote
3. address address [port port] secret secret
4. address address [port port] credentials hidden cred
5. retries number
6. timeout seconds
7. end
8. show aaa accounting service
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
config t
Example:
se-10-0-0-0# config t
|
Enters configuration mode.
|
Step 2
|
aaa accounting server remote
Example:
se-10-0-0-0(config)# aaa accounting server remote
|
Enters aaa-authentication submode to enable you to configure the AAA authentication server.
|
Step 3
|
address address [port port] secret secret
Example:
se-10-0-0-0(config)# address 10.2.2.10 prt 1808
secret ezsecret
|
Defines the access parameters for the AAA accounting server.
|
Step 4
|
address address [port port] credentials hidden cred
Example:
se-10-0-0-0(config)# address 10.2.2.10 port 1808
credentials hidden "EugxIjn3MbL3WgUZUdUb90nfGW
TYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3x
lk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmP"
|
Defines the access parameters for the AAA accounting server.
|
Step 5
|
retries number
Example:
se-10-0-0-0(config)# retries 6
|
Specifies the maximum number of times an AAA accounting request is retried before the accounting request fails.
|
Step 6
|
timeout seconds
Example:
se-10-0-0-0(config)# timeout 24
|
Specifies the amount of time to wait before an AAA accounting request is considered to be unanswered.
|
Step 7
|
end
Example:
se-10-0-0-0(config)# end
|
Exits to privileged EXEC mode.
|
Step 8
|
show aaa accounting service
Example:
se-10-0-0-0# show aaa accounting service
|
(Optional) Displays the settings for the AAA accounting server.
|
Examples
The following is sample output from the show aaa accounting service command:
se-10-0-0-0# show aaa accounting service
AAA Accounting Service Configuration
Address: 192.168.1.101 Port: 1813 Credentials:
EugxIjn3MbL3WgUZUdUb90nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGW
TYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmP
Address: 192.168.1.100 Port: 1813 Credentials:
EugxIjn3MbL3WgUZUdUb90nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGW
TYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmP
Configuring the Authentication Server
The two procedures for configuring AAA authentication consist of:
•Configuring connection parameters for the AAA authentication server
•Configuring whether the authentication servers or local authentication database will be queried first
This section covers only the first procedure. The second procedure is covered in the "Configuring the AAA Policy" section.
For an AAA authentication server, you can configure the following information used to log into the server:
•Server IP address or DNS name
•Port number used
•Cryptographic shared secret and security credentials
•Number of login retries
•Length of login timeout
Note To help protect the cryptographic information of the RADIUS server, you must view the running configuration to see this information.
Specifying AAA Authentication Settings
SUMMARY STEPS
1. config t
2. aaa authentication server remote
3. address address [port port] secret secret
4. address address [port port] credentials hidden cred
5. retries number
6. timeout seconds
7. end
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
config t
Example:
se-10-0-0-0# config t
|
Enters configuration mode.
|
Step 2
|
aaa authentication server remote
Example:
se-10-0-0-0(config)# aaa authentication server
remote
|
Enters aaa-authentication submode to enable you to configure the AAA authentication server.
|
Step 3
|
address address [port port] secret secret
Example:
se-10-0-0-0(config)# address 10.2.2.10 port 1808
secret ezsecret
|
Defines the access parameters for the AAA authentication server.
|
Step 4
|
address address [port port] credentials hidden cred
Example:
se-10-0-0-0(config)# address 10.2.2.10 port 1808
credentials hidden "EugxIjn3MbL3WgUZUdUb90nfGW
TYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3x
lk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmP"
|
Defines the access parameters for the AAA authentication server.
|
Step 5
|
retries number
Example:
se-10-0-0-0(config)# retries 6
|
Specifies maximum number of times an AAA authentication request is retried before the authentication request fails.
|
Step 6
|
timeout seconds
Example:
se-10-0-0-0(config)# timeout 24
|
Specifies the amount of time to wait before an AAA authentication request is considered unanswered.
|
Step 7
|
end
Example:
se-10-0-0-0(config)# end
|
Exits to privileged EXEC mode.
|
Configuring the AAA Policy
The AAA policy specifies the failover functionality that you can optionally configure for the authentication server. You can choose from two types of failover functionality:
•Authentication failover
•Unreachable failover
You can also use a combination of both failover methods.
Authentication Failover
The authentication failover feature enables you to optionally use a remote RADIUS server for user login authentication in addition to the local database. The procedure in this section configures the order in which authentication is resolved. You can configure authentication to use:
•Only the local database
•Only the remote server
•The local database first, then the remote server
•The remote server first, then the local database
When using both local and remote authentication, you can also configure whether you want the user attributes that are retrieved from a remote RADIUS AAA server to be merged with the attributes found in the local user database for the same username.
Note The authentication failover feature has the following limitations:
•Authentication with a RADIUS server is available only when accessing the GUI or CLI interface and requires only a user ID and password. Authentication for the TUI, VVE, AvT, and IMAP interfaces can use only the local database. Therefore, users of the TUI, VVE, AvT, and IMAP interfaces must be configured locally in order to gain access. The auto-attendant interface does not require authentication because it is user independent.
•Login information is not synchronized between the local system and the remote server. Any security features such, as password expiration, must be configured separately for Cisco Unity Express and the RADIUS server. Also, Cisco Unity Express users are not prompted when security events, such as password expiration or account lockout, occur on the RADIUS server, and vis versa.
Unreachable Failover
The unreachable failover is used only with RADIUS servers. This feature enables you to configure up to two addresses that can be used to access RADIUS servers.
As Cisco Unity Express attempts to authenticate a user with the RADIUS servers, messages are sent to users to notify them when a RADIUS server:
•Cannot be reached
•Fails to authenticate the user
Example
In this example, authentication is performed by the remote server first, then by the local database. Also, two addresses are configured for the remote RADIUS server.
This is a sequence of events that could occur during authentication for this example:
1. Cisco Unity Express tries to contact the first remote RADIUS server.
2. If the first RADIUS server does not respond or does not accept the authentication credentials of the user, Cisco Unity Express tries to contact the second remote RADIUS server.
3. If the second RADIUS server does not respond or does not accept the authentication credentials of the user, the user receives the appropriate error message and Cisco Unity Express tries to contact the local database.
4. If the local database does not accept the authentication credentials of the user, the user receives an error message.
Specifying the Policy that Controls the Behavior of Authentication and Authorization
SUMMARY STEPS
1. config t
2. aaa policy system
3. authentication-order {remote [local] | local [remote]}
4. authorization merge-attributes
5. end
6. show aaa policy
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
config t
Example:
se-10-0-0-0# config t
|
Enters configuration mode.
|
Step 2
|
aaa policy system
Example:
se-10-0-0-0(config)# aaa policy system
|
Enters aaa-authentication submode to enable you to specify the policy that controls the behavior of authentication and authorization.
|
Step 3
|
authentication-order {remote [local]|local [remote]}
Example:
se-10-0-0-0(config)# authentication-order remote
local
|
Specifies the order in which to query the authentication servers and local authentication database.
|
Step 4
|
authorization merge-attributes
Example:
se-10-0-0-0(config)# authorization merge-attributes
|
Specifies whether the user attributes that are retrieved from a remote RADIUS AAA server are merged with attributes for the same username found in the local user database.
|
Step 5
|
end
Example:
se-10-0-0-0(config)# end
|
Exits to privileged EXEC mode.
|
Step 6
|
show aaa accounting policy
Example:
se-10-0-0-0# show aaa policy
|
(Optional) Displays the AAA policy settings.
|
Examples
The following is sample output from the show aaa policy command:
se-10-0-0-0# show aaa policy
authentication-order local
Configuring Privileges
Cisco Unity Express software provides several predefined privileges that you can assign to groups. Starting with 7.0, you can also create your own privileges and modify the predefined privileges.
When you assign a privilege to a group, any member of the group is granted the privilege rights. An administrator group is created automatically by the software initialization process from the imported subscribers designated as administrators.
When you create or modify privileges, you add or delete the operations allowed by that privilege. Operations define the CLI commands and GUI functions that are allowed. In addition to adding operations to a privilege, you can also configure a privilege to have another privilege nested inside of it. A privilege configured with a nested privilege includes all operations configured for the nested privilege.
As part of the planning process, you should decide:
•How many categories of user privileges you want to create for your company.
•Which functions each privilege will allow your users to perform.
After you decide which privileges you want your users to have:
1. Review the predefined privileges to determine whether any of them are similar to the permissions that you want to give to each of your categories of users.
2. Configure a separate privilege for each category by specifying which operations each category of users will be allowed to preform, optionally including predefined privileges (see "Creating and Customizing Privileges").
3. Create a group for each category of user privilege and assign the appropriate privilege to each group of users (see "Adding and Modifying a Group").
4. Add your users to the appropriate group.
Tip For an example of the commands used for these steps, see the "Configuration Example" section.
Note You cannot modify the superuser privilege.
Table 10 describes the predefined privileges provided with the Cisco Unity Express software and the operations associated with them. Table 11 describes all available operations that you can add to privileges.
Note Two new permissions were added in 7.0: manage-users and manage-passwords.
To display a list of privileges, use the show privileges command in Cisco Unity Express EXEC mode. To display detailed information about a specific privilege, use the show privilege detail command.
Note Users do not need privileges to access their own data. The user's data is primarily associated with the voice mail application and includes the user's:
•Language (configured for the user's voice mailbox)
•Password
•PIN
•Membership to groups owned by the user
•Ownership of groups owned by the user
•Notification profile
•Cascade settings
•Personal voice mail zero out number
•Voice mail greeting type
•Voice mail play tutorial flag
•Public distribution lists owned by the user
•Private distribution lists
Table 10 Privileges
Privilege
|
Description
|
Operations
|
Superuser
|
Grants unrestricted system access.
|
all
|
Manageprompts
|
Allows subscriber access to the AvT prompt management but not to any other administrative functions.
|
prompt.modify, system.debug
|
Broadcast
|
Allows subscribers to send broadcast messages across the network.
|
broadcast.local, broadcast.remote, system.debug
|
Local-broadcast
|
Allows subscribers to send broadcast messages only to subscribers on the local network.
|
broadcast.local, system.debug
|
ManagePublicList
|
Allows subscribers to create and modify public distribution lists.
|
voicemail.lists. public, system.debug
|
ViewPrivateList
|
Allows subscribers to view another subscriber's private distribution lists. The subscriber cannot modify or delete the private lists.
|
voicemail.lists.private.view
|
vm-imap
|
Allows subscribers to access the IMAP feature.
|
voicemail.imap.user
|
ViewHistorical
Reports
|
Allows subscribers to view historical reports.
|
report.historical
|
ViewRealTime
Reports
|
Allows subscribers to view real-time reports
|
report.realtime
|
manage-users
|
Allows subscribers to create, modify, and delete users
|
user.configuration, user.pin, user.password, user.mailbox, user.notification, user.remote, group.configuration, system.debug
|
manage-passwords
|
Allows subscribes to create, modify, and delete user passwords and PINs
|
user.pin, user.password, system. debug
|
Table 11 Operations
Operation
|
Description
|
broadcast.local
|
Create and send broadcast messages to local locations. Delete or reschedule broadcast messages.
|
broadcast.remote
|
Create and send broadcast messages to remote and local locations.
|
call.control
|
Configure settings for Cisco Unified CME (SIP) and Cisco Unified Communications Manager (JTAPI).
|
group.configuration
|
Create, modify, and delete groups.
|
network.location
|
Create, modify, and delete network locations, network location caching, and NDR/DDR configuration.
|
prompt.modify
|
Create, modify, and delete system prompts for AA scripts. Also includes upload/download of prompts on the CLI.
|
report.historical.manage
|
Configure and generate historical reports. Collect data from Cisco Unity Express using the copy command.
|
report.historical.view
|
View historical reports
|
report.realtime
|
Run and view real-time reports.
|
report.voicemail
|
Run and view voice mail reports.
|
restriction.tables
|
Create, modify, and delete restriction tables.
|
script.modify
|
Create, modify, and delete system AA scripts. Also include upload and download of scripts on the CLI and Editor Express.
|
security.aaa
|
Configure and view AAA service settings.
|
security.access
|
Configure system level security regarding encryption of data, including defining crypto keys.
Note Also includes permission to reload the system.
|
security.configuration
|
Configure settings for the system password/PIN and policy, such as:
•Expiry
•Lockout (temporary and permanent)
•History
•Length
|
services.configuration
|
Configure system services: DNS, NTP/clock, SMTP, SNMP, Fax Gateway, Cisco UMG, hostname, domain, interfaces (counters) and system default language.
Note Also includes permission to reload the system.
|
services.manage
|
System level services commands not related to configuration like clearing DNS cache and ping
|
site.configuration
|
Create, modify, or delete sites for use with Cisco UMG.
|
software.install
|
Install, upgrade, or inspect system software or addons such as languages and licenses.
Note Also includes permission to reload the system.
|
spokenname.modify
|
Create, modify, and delete spoken names for remote locations, remote users, and public distribution lists. Copy spoken names.
|
system.application
|
Configure system applications, such as voice mail, auto-attendent, PromptManagement, and so on.
|
system.backup
|
Configure backup.
|
system.calendar
|
Create, modify, and delete system schedules and holidays.
|
system.debug
|
Collect and configure trace and debug data. Includes copying data like core and log files.
|
system.documents
|
Manage tiff, general, and template documents.
|
system.numbers
|
Create, modify, and delete call-in numbers for voice mail, AA, AvT, and IVR. This includes SIP, JTAPI, and HTTP triggers.
|
system.sessions
|
Terminate others voice mail sessions (VVE, SIP, or JTAPI). Unlock locked mailboxes.
|
system.view
|
View system settings and configuration.
|
user.configuration
|
Create, modify, and delete users and groups, including the configuration of:
•First and Last Name
•Nickname
•Display Name
•Language
|
user.mailbox
|
Create, modify, and delete a user or group voice mailbox.
|
user.notification
|
Set or change others notification/cascade profiles.
|
user.password
|
Create, set, or remove others passwords.
|
user.pin
|
Create, set, or remove others pins.
|
user.remote
|
Create, modify, and delete remote users.
|
voicemail.configuration
|
Configure system-level voice-mail features:
•Mailboxes
•Fax
•Notification/cascade
•Non-subscriber options
•Broadcast
•TUI config
•Live-record
•Live-reply
•IMAP
•VVE
|
voicemail.imap.user
|
Manage personal voice mail via IMAP client.
|
voicemail.mwi
|
Reset/Refresh phone message waiting indicators. Configure SIP MWI delivery.
|
voicemail.lists.private
|
Create, modify, and delete others private voice mail lists.
|
voicemail.lists.public
|
Create, modify, and delete public voice mail distribution lists.
|
voicemail.lists.private.view
|
(GUI Only) View others private voice mail lists.
|
webapp.modify
|
Deploy web applications on Cisco Unity Express.
|
webapp.control
|
Start, stop, or restart web applications.
|
Configuration Example
In this example, a company wants a security structure with two levels of security administration. The two levels allow the following actions to be taken by the administrator:
•The first level enables the security administrator to reset the passwords and PINs for users that have locked themselves out of the system, whether they forgot their password or their account is locked because of too many failed login attempts. This level will be called PASSWORD RESET.
•The second level enables the security administrator to act as a system guardian by:
–Ensuring that the proper security policies are implemented for issues such as password aging, account lockout, encryption, authentication, authorization, and accounting
–Ensuring that voicemail messages and other data remain safe from attackers without over burdening end users with security related details and tasks
–Monitoring the system to ensure that only legitimate users have access
–Troubleshooting any problems that legitimate users have with accessing the system
–Resetting passwords and PINs for users that have locked themselves out of the system, whether they forgot their password or their account is locked because of too many failed login attempts
This level will be called SYSTEM GUARDIAN
When you use the general planning and configuration steps as described in the "Configuring Privileges" section, to set up the security administration levels for this example, these are the results:
•You have already decided:
–How many levels or categories of user privileges you want to create for your company
–Which functions each privilege will allow your users to perform
There will be two levels, called PASSWORD RESET and SYSTEM GUARDIAN, as described above.
•After reviewing the predefined privileges to determine whether any of them are similar to the permissions that you want to give each of your security levels, you find that:
–The predefined privilege called manage-passwords can be used for the security level named PASSWORD RESET because it has all of the permissions needed to help users that have locked themselves out of the system.
–The manage-passwords privilege also has a subset of the permissions needed the security level named SYSTEM GUARDIAN and is the predefined privilege closest to your requirements. However, to act as system guardian, the following additional operations will have to included: security.access, security.aaa, security.password, security.pin, system.debug, and system.view. See Table 11 for more information.
•Use the following commands to configure a privilege for the SYSTEM GUARDIAN security level by including the predefined privilege manage-password and adding the operations listed in the previous bullet:
se-10-0-0-0(config)# privilege guardian-privilege create
se-10-0-0-0(config)# privilege guardian-privilege member manage-passwords
se-10-0-0-0(config)# privilege guardian-privilege operation security.access
se-10-0-0-0(config)# privilege guardian-privilege operation security.aaa
se-10-0-0-0(config)# privilege guardian-privilege operation security.password
se-10-0-0-0(config)# privilege guardian-privilege operation security.pin
se-10-0-0-0(config)# privilege guardian-privilege operation system.debug
se-10-0-0-0(config)# privilege guardian-privilege operation system.view
Note You do not have to configure a privilege for the PASSWORD RESET security level because you can use the predefined privilege manage-passwords.
•Use the following commands to create a new group called password-reset and assign the privilege called manage-passwords to it:
se-10-0-0-0(config)# groupname password-reset create
se-10-0-0-0(config)# groupname password-reset privilege manage-passwords
•Use the following commands to create a new group called system-guardian and assign the privilege called guardian-privilege:
se-10-0-0-0(config)# groupname system-guardian create
se-10-0-0-0(config)# groupname system-guardian privilege guardian-privilege
•Assign the appropriate users to the new groups, associating them with their roles. For example, if you want Bob and Ned to have the privileges of the PASSWORD RESET security administration level and Ann to have the privileges of the SYSTEM GUARDIAN security administration level, use the following commands:
se-10-0-0-0(config)# groupname password-reset member bob
se-10-0-0-0(config)# groupname password-reset member ned
se-10-0-0-0(config)# groupname system-guardian member ann
•The configuration of this example is now complete. You can verify your configuration using the following commands.
The following is sample output from the show group detail groupname password-reset expanded command:
se-10-0-0-0# show group detail groupname password-reset expanded
Groupname: password-reset
Full Name: password-reset
Privileges: manage-passwords
The following is sample output from the show group detail groupname system-guardian expanded command:
se-10-0-0-0# show group detail groupname system-guardian expanded
Groupname: system-guardian
Full Name: system-guardian
Privileges: guardian-privilege
The following is sample output from the show privilege detail manage-passwords expanded command:
se-10-0-0-0# show privilege detail manage-passwords expanded
Privilege: manage-passwords
Description: Privilege to reset user passwords
Privilege Members: <none>
Operations: system.debug user.password user.pin
The following is sample output from the show privilege detail guardian-privilege expanded command:
se-10-0-0-0# show privilege detail guardian-privilege expanded
Privilege: guardian-privilege
Privilege Members: manage-passwords
Operations: security.aaa security.access security.password security.pin
manage-passwords:system.debug user.password user.pin
Creating and Customizing Privileges
SUMMARY STEP
1. config t
2. privilege privilege-name create
3. privilege privilege-name description string
4. privilege privilege-name operation operation-name
5. privilege privilege-name member privilege-name2
6. end
7. show operations
8. show operation detail operation-name
9. show privileges
10. show privilege detail privilege-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
config t
Example:
se-10-0-0-0# config t
|
Enters configuration mode.
|
Step 2
|
privilege privilege-name create
Example:
se-10-0-0-0(config)# privilege security-privilege
create
|
Creates a new privilege.
•privilege-name—Label used to identify and configure a new or existing privilege.
|
Step 3
|
privilege privilege-name [description string]
Example:
se-10-0-0-0(config)# privilege security-privilege
description administer of system security
|
(Optional) Assigns a description to the privilege.
•string—Description to add to the privilege.
|
Step 4
|
privilege privilege-name operation operation-name
Example:
se-10-0-0-0(config)# privilege security-privilege
operation security.configuration
|
(Optional) Assigns an operation to the privilege:
•operation-name—Operation to associate with the privilege.
|
Step 5
|
privilege privilege-name member privilege-name2
Example:
se-10-0-0-0(config)# privilege security-privilege
include manage-users
|
(Optional) Includes or nests another privilege into this privilege:
•privilege-name2—Privilege to include or nest into this privilege.
|
Step 6
|
end
Example:
se-10-0-0-0(config)# end
|
Exits to privileged EXEC mode.
|
Step 7
|
show operations
Example:
se-10-0-0-0# show operations
|
(Optional) Displays information about all operations.
|
Step 8
|
show operation detail operation-name
Example:
se-10-0-0-0# show operation detail
security.configuration
|
(Optional) Displays information about the specified operation:
•operation-name—Label used to identify and configure a new or existing operation.
|
Step 9
|
show privileges
Example:
se-10-0-0-0# show privilege
|
(Optional) Displays information about all privileges.
|
Step 10
|
show privilege detail privilege-name
Example:
se-10-0-0-0# show privilege detail sales_vp
|
(Optional) Displays information about the specified privilege:
•privilege-name—Label used to identify and configure a new or existing privilege.
|
Examples
The following is sample output from the show operations command:
se-10-0-0-0# show operations
voicemail.lists.private.view
The following is sample output from the show operation detail command:
se-10-0-0-0# show operation detail user.password
Description: Set and reset passwords for other users
exec-copy-running-config-startup-config
The following is sample output from the show privileges command:
se-10-0-0-0# show privileges
The following is sample output from the show privilege detail command:
se-10-0-0-0# show privilege detail ManagePrompt
Description: Privilege to create, modify, or delete system prompts
Privilege Members: user1, user2
Operations: prompt.modify system.debug
Configuring Accounting Event Logging
AAA accounting logs contain information that enables you to easily:
•Audit configuration changes
•Maintain security
•Accurately allocate resources
•Determine who should be billed for the use of resources
You can configure AAA accounting to log the following types of events:
•Logins—All forms of system access except IMAP, including access to the CLI, GUI, TUI, and VVE, when a login is required.
•Logouts—All forms of system access except IMAP, including access to the CLI, GUI, TUI, and VVE, when a login is required before logout.
•Failed logins—Failed login attempts for all forms of system access except IMAP, including access to the CLI, GUI, TUI, and VVE, when a login is required.
•Configuration mode commands—Any changes made to the Cisco Unity Express configuration using any interface except IMAP (CLI, GUI, TUI, and VVE).
•EXEC mode commands—Any commands entered in Cisco Unity Express EXEC mode using any interface except IMAP (CLI, GUI, TUI, and VVE).
•System startups—System startups, which include information about the system's software version, installed licenses, installed packages, installed languages, and so on.
•System Shutdowns—System shutdowns, which include information about the system's software version, installed licenses, installed packages, installed languages, and so on.
•IMAP—Access to the IMAP system.
In addition to information specific to the type of action performed, the accounting logs also indicate:
•User that authored the action
•Time when the action was executed
•Time when the accounting record was sent to the server
The detailed content of the log entries is explained in the "Examples" section.
Note Account logging is not performed during the system power-up playback of the startup configuration. When the system boots up, the startup-config commands are not recorded.
Configuring Accounting Event Logging
SUMMARY STEPS
1. config t
2. aaa accounting enable
3. aaa accounting event
4. login
5. logout
6. login-fail
7. config-commands
8. exec-commands
9. system-startup
10. system-shutdown
11. end
12. show aaa accounting event
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
config t
Example:
se-10-0-0-0# config t
|
Enters configuration mode.
|
Step 2
|
Example:
se-10-0-0-0(config)# aaa accounting enable
|
Enables the recording of AAA account events.
|
Step 3
|
Example:
se-10-0-0-0(config)# aaa accounting event
|
Enters aaa-accounting submode to enable you to configure event filtering for accounting packets.
|
Step 4
|
Example:
se-10-0-0-0(config)# login
|
Enables the logging of logins.
|
Step 5
|
Example:
se-10-0-0-0(config)# logout
|
Enables the logging of logouts
|
Step 6
|
Example:
se-10-0-0-0(config)# login-fail
|
Enables the logging of failed logins.
|
Step 7
|
Example:
se-10-0-0-0(config)# config-commands
|
Enables the logging of configuration mode commands.
|
Step 8
|
Example:
se-10-0-0-0(config)# exec-commands
|
Enables the logging of configuration mode commands.
|
Step 9
|
Example:
se-10-0-0-0(config)# system-startup
|
Enables the logging of system startups.
|
Step 10
|
Example:
se-10-0-0-0(config)# system-shutdown
|
Enables the logging of system shutdowns.
|
Step 11
|
end
Example:
se-10-0-0-0(config)# end
|
Exits to privileged EXEC mode.
|
Step 12
|
show aaa accounting event
se-10-0-0-0# show aaa accounting
|
(Optional) Displays the AAA accounting events that are designated to be logged.
|
Examples
The following is sample output from the show aaa accounting event command:
se-10-0-0-0# show aaa accounting event
login Enabled Log accounting events for successful login
logout Enabled Log accounting events for user logout
login-fail Enabled Log accounting events for failed login attempts
config-commands Enabled Log accounting events for any chanes to configuration
exec-commands Enabled Log accounting events for execution of commands
system-startup Enabled Log accounting events for system startup
system-shutdown Enabled Log accounting events for system shutdown
imap Enabled Log accounting events for all imap events
Configuring Console Authentication
By default, console authentication is disabled, allowing any user logging into the system through the console to have superuser privileges and to log in without providing a username or password.
Therefore, to protect your console from unauthorized access, you must enter the login command in config-line mode, as described below.
Note To see whether authentication is enabled for the console, you must view the running configuration.
Specifying Whether the Console Connection is Subject to Authentication
SUMMARY STEPS
1. config t
2. line console
3. login
4. end
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
config t
Example:
se-10-0-0-0# config t
|
Enters configuration mode.
|
Step 2
|
Example:
se-10-0-0-0(config)# line console
|
Enters config-line mode to enable you to specify whether the console connection is subject to authentication.
|
Step 3
|
Example:
se-10-0-0-0(config-line)# line console
|
Requires that any user logging in through the console connection is subject to authentication. The no or default form of this command disables authentication for the console.
|
Step 4
|
end
Example:
se-10-0-0-0(config)# end
|
Exits to privileged EXEC mode.
|
Feedback
