Configuring Authentication To Access Privileged Exec Mode; Configuring Authentication For The Enable Command; Authenticating Users Using The Login Command - Cisco 7604 Configuration Manual
Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Hide thumbs
Also See for 7604:
- Configuration manual (1011 pages) ,
- Installation manual (324 pages) ,
- User manual (98 pages)
Table of Contents
Advertisement
Chapter 23
Configuring Management Access
Configuring Authentication to Access Privileged EXEC Mode
You can configure the FWSM to authenticate users with a AAA server or the local database when they
enter the enable command. Alternatively, users are automatically authenticated with the local database
when they enter the login command, which also accesses privileged EXEC mode depending on the user
level in the local database.
This section includes the following topics:
•
•
Configuring Authentication for the Enable Command
You can configure the FWSM to authenticate users when they enter the enable command. If you do not
authenticate the enable command, when you enter enable, the FWSM prompts for the enable password
(set by the enable password command), and you are no longer logged in as a particular user. Applying
authentication to the enable command maintains the username. This feature is particularly useful when
you perform command authorization, where usernames are important to determine the commands a user
can enter.
To authenticate users who enter the enable command, enter the following command:
hostname(config)# aaa authentication enable console {LOCAL | server_group [LOCAL]}
The user is prompted for the username and password.
If you use a TACACS+ or RADIUS server group for authentication, you can configure the FWSM to use
the local database as a fallback method if the AAA server is unavailable. Specify the server group name
followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server because the FWSM prompt does not give any
indication which method is being used.
You can alternatively use the local database as your main method of authentication (with no fallback) by
entering LOCAL alone.
Authenticating Users Using the Login Command
From user EXEC mode, you can log in as any username in the local database using the login command.
Unlike enable authentication, this method is available in the system execution space in multiple context
mode. The system execution space uses the admin context local user database when you enter the login
command; the system configuration does not contain a local user database (you cannot enter the
username command).
The login feature allows users to log in with their own username and password to access privileged
EXEC mode, so you do not have to give out the system enable password to everyone. To allow users to
access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the
default) through 15. If you configure local command authorization, then the user can only enter
commands assigned to that privilege level or lower. See the
Authorization" section on page 23-15
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Configuring Authentication for the Enable Command, page 23-13
Authenticating Users Using the Login Command, page 23-13
"Configuring Local Command
for more information.
AAA for System Administrators
23-13
- Quick Links:
- C H a P T E...
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
