Cisco ASA Series Cli Configuration Manual page 875

Software version 9.0 for the services module
Chapter 1 Configuring AAA Servers and the Local Database
Configuring VPN Policy Attributes for a User

Prerequisites

This procedure describes how to edit an existing user. For more information, see the "Adding a User Account to the Local Database" section on page 1-22.

Detailed Steps

Authenticating Users with a Public Key for SSH

Users can authenticate with a public key for SSH. The public key can be hashed or not hashed.

To authenticate with a public key for SSH, enter the following command:

Command
username {user} attributes ssh authentication publickey key [hashed]

Example:
hostname(config)# username anyuser ssh authentication publickey key [hashed]

Purpose
Enables public key authentication on a per-user basis. The value of the key argument can be one of the following:

When the key argument is supplied and the hashed tag is not specified, the value of the key must be a Base 64 encoded public key that is generated by SSH key generation software that can generate SSH-RSA raw keys (that is, with no certificates). After you submit the Base 64 encoded public key, that key is then hashed via SHA-256 and the corresponding 32-byte hash is used for all further comparisons.

When the key argument is supplied and the hashed tag is specified, the value of the key must have been previously hashed with SHA-256 and be 32 bytes long, with each byte separated by a colon (for parsing purposes).

When you save the configuration, the hashed key value is saved to the configuration and used when the ASA is rebooted.

Differentiating User Roles Using AAA

The ASA enables you to distinguish between administrative and remote-access users when they authenticate using RADIUS, LDAP, TACACS+, or the local user database. User role differentiation can prevent remote access VPN and network access users from establishing an administrative connection to the ASA.

To differentiate user roles, use the service-type attribute in username configuration mode. For RADIUS and LDAP (with the ldap-attribute-map command), you can use a Cisco Vendor-Specific Attribute (VSA), Cisco-Priv-Level, to assign a privilege level to an authenticated user.

This section includes the following topics:
Using Local Authentication, page 1-30
Using RADIUS Authentication, page 1-30
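The SSH public-key table and the user-role discussion above both describe settings an operator would want to verify from a configuration export rather than by trusting what was typed at the console. The following is an added example written for this page; it is not Cisco's code and not a tool from the guide. It computes the hashed form of an SSH public key as the Purpose column describes it (SHA-256 over the Base64 key text, shown as 32 colon-separated bytes), checks the keys found in a running-config excerpt against an approved list, and reports local users whose service-type was never set explicitly. The user names, key strings, the SALES group policy and the config excerpt are all constructed sample data; that the ASA hashes exactly the Base64 text as pasted is taken from the manual's wording and is an assumption here.

```python
"""Audit ASA local-user SSH keys and service-type settings from a config excerpt.

Added example, not Cisco's code. Assumptions (also marked inline):
  * hashed key form = SHA-256 over the Base64 key text, 32 colon-separated hex
    bytes, as the manual's Purpose column describes it;
  * all user names, keys and config lines below are constructed samples.
"""
import hashlib
import re


def hash_public_key(b64_key: str) -> str:
    """Return the hashed form of a Base64 SSH public key (assumed ASA format)."""
    text = "".join(b64_key.split())  # tolerate line wrapping in a pasted key
    digest = hashlib.sha256(text.encode("ascii")).digest()
    return ":".join(f"{b:02x}" for b in digest)


def parse_hashed(value: str) -> bytes:
    """Parse a 'hashed' value; reject anything not 32 colon-separated hex bytes."""
    parts = value.strip().split(":")
    if len(parts) != 32 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in parts):
        raise ValueError("hashed key must be 32 colon-separated hex bytes")
    return bytes(int(p, 16) for p in parts)


def key_matches(config_value: str, hashed: bool, b64_key: str) -> bool:
    """True if a configured key (raw or hashed form) corresponds to b64_key."""
    if hashed:
        return parse_hashed(config_value) == parse_hashed(hash_public_key(b64_key))
    return "".join(config_value.split()) == "".join(b64_key.split())


USER_RE = re.compile(r"^username (\S+) attributes\s*$")
SVC_RE = re.compile(r"^\s+service-type (\S+)")
KEY_RE = re.compile(r"^\s+ssh authentication publickey (\S+)( hashed)?\s*$")


def parse_users(config: str) -> dict:
    """Collect service-type and SSH key settings per 'username ... attributes' block."""
    users, current = {}, None
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            current = users.setdefault(m.group(1), {"service_type": None, "ssh_key": None})
            continue
        if current is None or not line.startswith(" "):
            current = None  # any unindented line ends the attributes block
            continue
        m = SVC_RE.match(line)
        if m:
            current["service_type"] = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m:
            current["ssh_key"] = (m.group(1), m.group(2) is not None)
    return users


def audit(config: str, approved: dict) -> list:
    """Return (user, finding) pairs: unpinned role, or key not on the approved list."""
    findings = []
    for user, attrs in parse_users(config).items():
        if attrs["service_type"] is None:
            findings.append((user, "no-service-type"))
        if attrs["ssh_key"] is not None:
            value, hashed = attrs["ssh_key"]
            expected = approved.get(user)
            if expected is None or not key_matches(value, hashed, expected):
                findings.append((user, "key-not-approved"))
    return findings


# Constructed sample data: not real keys, not a real device configuration.
ALICE_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedAliceKeyNotReal"
APPROVED_KEYS = {"alice": ALICE_KEY}

SAMPLE_CONFIG = f"""\
username alice attributes
 service-type admin
 ssh authentication publickey {hash_public_key(ALICE_KEY)} hashed
username vpnuser attributes
 service-type remote-access
 vpn-group-policy SALES
username contractor attributes
 ssh authentication publickey AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedOtherKeyNotReal
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_CONFIG, APPROVED_KEYS):
        print(f"{user}: {finding}")
```

Run directly, the script prints the two findings for the constructed excerpt (the contractor account has no explicit service-type and its key is not on the approved list). To use it on a real export, replace SAMPLE_CONFIG with the output of show running-config and APPROVED_KEYS with the keys you actually issued. The audit does not guess what an unset service-type means on the device; it only reports that the role was never pinned, which is the condition the section above warns about.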
Cisco ASA Series CLI Configuration Guide