Which statement about command authorization and security contexts is true?
A.
If command authorization is configured, it must be enabled on all contexts
B.
The changeto command invokes a new context session with the credentials of the currently logged-in user
C.
AAA settings are applied on a per-context basis
D.
The enable_15 user and admins with changeto permissions have different command authorization levels
per context
Explanation:
BD
The capture packet function works on an individual context basis. The ACE traces only the packets that belong
to the context where you execute the capture command. You can use the context ID, which is passed with the
packet, to isolate packets that belong to a specific context. To trace the packets for a single specific context,
use the changeto command and enter the capture command for the new context.
To move from one context on the ACE to another context, use the changeto command
Only users authorized in the admin context or configured with the changeto feature can use the changeto
command to navigate between the various contexts. Context administrators without the changeto feature, who
have access to multiple contexts, must explicitly log in to the other contexts to which they have access.
Source: http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/
reference/ACE_cr/execmds.html
I think the correct answer is c
Based on this link
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/admin-management.html#ID-2111-00000366
The following are important points to consider when implementing command authorization with multiple security contexts:
AAA settings are discrete per context, not shared among contexts.
When configuring command authorization, you must configure each security context separately. This configuration provides you the opportunity to enforce different command authorizations for different security contexts.
When switching between security contexts, administrators should be aware that the commands permitted for the username specified when they login may be different in the new context session or that command authorization may not be configured at all in the new context. Failure to understand that command authorizations may differ between security contexts could confuse an administrator. This behavior is further complicated by the next point.
New context sessions started with the changeto command always use the default enable_15 username as the administrator identity, regardless of which username was used in the previous context session. This behavior can lead to confusion if command authorization is not configured for the enable_15 user or if authorizations are different for the enable_15 user than for the user in the previous context session.
This behavior also affects command accounting, which is useful only if you can accurately associate each command that is issued with a particular administrator. Because all administrators with permission to use the changeto command can use the enable_15 username in other contexts, command accounting records may not readily identify who was logged in as the enable_15 username. If you use different accounting servers for each context, tracking who was using the enable_15 username requires correlating the data from several servers.
When configuring command authorization, consider the following:
An administrator with permission to use the changeto command effectively has permission to use all commands permitted to the enable_15 user in each of the other contexts.
If you intend to authorize commands differently per context, ensure that in each context the enable_15 username is denied use of commands that are also denied to administrators who are permitted use of the changeto command.
When switching between security contexts, administrators can exit privileged EXEC mode and enter the enable command again to use the username that they need.
1
0