Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01), page 32-14
Chapter 32 Configuring Management Access
Configuring AAA for System Administrators
Supported Command Authorization Methods
You can use one of two command authorization methods:

• Local privilege levels—Configure the command privilege levels on the adaptive security appliance. When a local, RADIUS, or LDAP (if you map LDAP attributes to RADIUS attributes) user authenticates for CLI access, the adaptive security appliance places that user in the privilege level that is defined by the local database, RADIUS, or LDAP server. The user can access commands at the user’s privilege level and below. Note that all users access user EXEC mode when they first log in (commands at level 0 or 1). The user needs to authenticate again with the enable command to access privileged EXEC mode (commands at level 2 or higher), or they can log in with the login command (local database only).

  Note: You can use local command authorization without any users in the local database and without CLI or enable authentication. Instead, when you enter the enable command, you enter the system enable password, and the adaptive security appliance places you in level 15. You can then create enable passwords for every level, so that when you enter enable n (2 to 15), the adaptive security appliance places you in level n. These levels are not used unless you turn on local command authorization (see “Configuring Local Command Authorization”). (See the Cisco ASA 5500 Series Command Reference for more information about the enable command.)

• TACACS+ server privilege levels—On the TACACS+ server, configure the commands that a user or group can use after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server.
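The local privilege-level method above, as an added configuration example that is not taken from this guide: per-level enable passwords, two commands moved above the default user EXEC levels, and local command authorization switched on. The secrets in angle brackets are placeholders and the level choices are my own assumptions; verify the command syntax against the Cisco ASA 5500 Series Command Reference that the text cites. Lines beginning with "!" are comments.

```text
! Added example, not from the Cisco guide. Placeholder secrets in angle brackets.
! Step 1: an enable password for each level you intend to reach with "enable n".
enable password <LEVEL15-SECRET> level 15
enable password <LEVEL5-SECRET> level 5
! Step 2: raise sensitive commands above levels 0-1 (user EXEC). A user at
! level 1 can still run most "show" commands, but not these two.
privilege show level 5 command running-config
privilege cmd level 15 command configure
! Step 3: enforce the levels. Without this line the privilege settings above
! are stored but ignored, as the Note in the text points out.
aaa authorization command LOCAL
! Optional: authenticate CLI and enable access against the local database so
! the session level comes from the user's own privilege, not a shared password.
username auditor password <USER-SECRET> privilege 5
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
```

With this in place, "auditor" lands at level 1 after login, reaches level 5 after enable, and is refused "configure" because that command now sits at level 15.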
About Preserving User Credentials
When a user logs into the adaptive security appliance, they are required to provide a username and password for authentication. The adaptive security appliance retains these session credentials in case further authentication is needed later in the session.

When the following configurations are in place, a user needs only to authenticate with the local server upon login. Subsequent serial authorization uses the saved credentials. The user is also prompted for the privilege level 15 password. When exiting privileged mode, the user is authenticated again. User credentials are not retained in privileged mode.

• Local server is configured to authenticate user access.
• Privilege level 15 command access is configured to require a password.
• User’s account is configured for serial only authorization (no access to console or ASDM).
• User’s account is configured for privilege level 15 command access.
The following table shows how credentials are used in this case by the adaptive security appliance.

Credentials required       Username and Password   Serial          Privileged Mode          Privileged Mode
                           Authentication          Authorization   Command Authorization    Exit Authorization
Username                   Yes                     No              No                       Yes
Password                   Yes                     No              No                       Yes
Privileged Mode Password   No                      No              Yes                      No