1-20
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Management Access
Configuring AAA for System Administrators
Configuring Authentication for CLI and ASDM Access
To configure management authentication, enter the following command:
Detailed Steps
Configuring Authentication to Access Privileged EXEC Mode (the enable
Command)
You can configure the ASA to authenticate users with a AAA server or the local database when they enter
the enable command. Alternatively, users are automatically authenticated with the local database when
they enter the login command, which also accesses privileged EXEC mode depending on the user level
in the local database.
This section includes the following topics:
• Configuring Authentication for the enable Command, page 1-21
• Authenticating Users with the login Command, page 1-21
Command Purpose
aaa authentication {telnet | ssh | http |
serial} console {LOCAL |
server_group [LOCAL]}
Example:
hostname(config)# aaa authentication
telnet console LOCAL
Authenticates users for management access. The telnet keyword controls
Telnet access. For the ASASM, this keyword also affects the session from
the switch using the session command. For multiple mode access, see the
“Authenticating Sessions from the Switch to the ASA Services Module”
section on page 1-15.
The ssh keyword controls SSH access. The SSH default usernames asa and
pix are no longer supported.
The http keyword controls ASDM access.
The serial keyword controls console port access. For the ASASM, this
keyword affects the virtual console accessed from the switch using the
service-module session command. For multiple mode access, see the
“Authenticating Sessions from the Switch to the ASA Services Module”
section on page 1-15.
HTTP management authentication does not support the SDI protocol for a
AAA server group.
If you use a AAA server group for authentication, you can configure the
ASA to use the local database as a fallback method if the AAA server is
unavailable. Specify the server group name followed by LOCAL (LOCAL
is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server, because the ASA prompt
does not give any indication which method is being used.
You can alternatively use the local database as your primary method of
authentication (with no fallback) by entering LOCAL alone.
To Next Page
Loading...
Need help?
General
