Authenticating Users Using The Login Command; Limiting User Cli And Asdm Access With Management Authorization - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 40
Managing System Access
If you use a AAA server group for authentication, you can configure the security appliance to use the
local database as a fallback method if the AAA server is unavailable. Specify the server group name
followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server because the security appliance prompt does not give
any indication which method is being used.
You can alternatively use the local database as your main method of authentication (with no fallback) by
entering LOCAL alone.
Authenticating Users Using the Login Command
From user EXEC mode, you can log in as any username in the local database using the login command.
This feature allows users to log in with their own username and password to access privileged EXEC
mode, so you do not have to give out the system enable password to everyone. To allow users to access
privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default)
through 15. If you configure local command authorization, then the user can only enter commands
assigned to that privilege level or lower. See the
on page 40-10
Caution
If you add users to the local database who can gain access to the CLI and whom you do not want to enter
privileged EXEC mode, you should configure command authorization. Without command authorization,
users can access privileged EXEC mode (and all commands) at the CLI using their own password if their
privilege level is 2 or greater (2 is the default). Alternatively, you can use a AAA server for
authentication, or you can set all local users to level 1 so you can control who can use the system enable
password to access privileged EXEC mode.
To log in as a user from the local database, enter the following command:
hostname> login
The security appliance prompts for your username and password. After you enter your password, the
security appliance places you in the privilege level that the local database specifies.
Limiting User CLI and ASDM Access with Management Authorization
If you configure CLI or enable authentication, you can limit a local user, RADIUS, TACACS+, or LDAP
user (if you map LDAP attributes to RADIUS attributes) from accessing the CLI, ASDM, or the enable
command.
Serial access is not included in management authorization, so if you configure aaa authentication serial
Note
console, then any user who authenticates can access the console port.
To configure management authorization, perform the following steps:
Step 1
To enable management authorization, enter the following command:
hostname(config)# aaa authorization exec authentication-server
OL-12172-03
for more information.
Configuring AAA for System Administrators
"Configuring Local Command Authorization" section
Cisco Security Appliance Command Line Configuration Guide
40-7
Advertisement
Table of Contents
Troubleshooting
