32-12
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 32      Configuring Management Access
  Configuring AAA for System Administrators
• Serial—Authenticates users who access the adaptive security appliance using the console port.
• SSH—Authenticates users who access the adaptive security appliance using SSH.
• Telnet—Authenticates users who access the adaptive security appliance using Telnet.
b. For each service that you checked, from the Server Group drop-down list, choose a server group 
name or the LOCAL database. 
c. (Optional) If you chose a AAA server, you can configure the adaptive security appliance to use the 
local database as a fallback method if the AAA server is unavailable. Click the Use LOCAL when 
server group fails check box. We recommend that you use the same username and password in the 
local database as the AAA server because the adaptive security appliance prompt does not give any 
indication which method is being used.
Step 3 Click Apply.
Limiting User CLI and ASDM Access with Management Authorization
If you configure CLI or enable authentication, you can limit a local user, RADIUS, TACACS+, or LDAP 
user (if you map LDAP attributes to RADIUS attributes) from accessing the CLI, ASDM, or the enable 
command.
Note Serial access is not included in management authorization, so if you enable the Authentication > Serial 
option, then any user who authenticates can access the console port.
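The ASDM options in this section are stored in the running configuration as `aaa authentication <service> console` and `aaa authorization exec` lines. The following is an added example, not part of the Cisco guide: a Python check over a constructed configuration excerpt that reports the conditions this section calls out (no LOCAL fallback, LOCAL fallback that needs matching credentials, serial access outside management authorization, management authorization not enabled). The function name, the server group name TACACS_GRP and the sample lines are assumptions.

```python
import re

# Constructed running-config excerpt (sample input, not taken from the guide).
SAMPLE_CONFIG = """\
aaa-server TACACS_GRP protocol tacacs+
aaa authentication ssh console TACACS_GRP LOCAL
aaa authentication telnet console TACACS_GRP
aaa authentication serial console LOCAL
"""

AUTH_RE = re.compile(
    r"^aaa authentication (enable|http|serial|ssh|telnet) console (\S+)( LOCAL)?$")

def audit_mgmt_aaa(config_text):
    """Return (service, finding) tuples for the management-access AAA lines."""
    services = {}        # service -> (method, has LOCAL fallback)
    exec_authz = False   # "Perform authorization for exec shell access"
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        m = AUTH_RE.match(line)
        if m:
            services[m.group(1)] = (m.group(2), m.group(3) is not None)
        elif line.startswith("aaa authorization exec"):
            exec_authz = True

    findings = []
    for svc, (method, fallback) in sorted(services.items()):
        if method != "LOCAL" and not fallback:
            findings.append((svc, "no LOCAL fallback if the server group fails"))
        if method != "LOCAL" and fallback:
            findings.append((svc, "LOCAL fallback: match credentials to AAA server"))
        if svc == "serial":
            # Per the note above: any user who authenticates reaches the console.
            findings.append((svc, "not covered by management authorization"))
    if services and not exec_authz:
        findings.append(("all", "management authorization is not enabled"))
    return findings

if __name__ == "__main__":
    for svc, finding in audit_mgmt_aaa(SAMPLE_CONFIG):
        print(f"{svc}: {finding}")
```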
Detailed Steps
To configure management authorization, perform the following steps:
Step 1 To enable management authorization, go to Configuration > Device Management > Users/AAA > AAA 
Access > Authorization, and check the Perform authorization for exec shell access > Enable check 
box.
This option also enables support of administrative user privilege levels from RADIUS, which can be 
used in conjunction with local command privilege levels for command authorization. See the 
“Configuring Local Command Authorization” section on page 32-15 for more information.
Step 2 To configure the user for management authorization, see the following requirements for each AAA 
server type or local user:
• RADIUS or LDAP (mapped) users—Configure the Service-Type attribute for one of the following 
values.
• RADIUS or LDAP (mapped) users—Use the IETF RADIUS numeric Service-Type attribute which 
maps to one of the following values.
– Service-Type 6 (Administrative)—Allows full access to any services specified by the 
Authentication tab options