Configuring Authentication For The Enable Command; Authenticating Users Using The Login Command - Cisco Catalyst 6500 Series Configuration Manual

Chapter 12
Configuring AAA

Configuring Authentication for the enable Command

You can configure the FWSM to authenticate users when they enter the enable command. If you do not
authenticate the enable command, when you enter enable, the FWSM prompts for the system enable
password (set by the enable password command), and you are no longer logged in as a particular user.
Enable authentication maintains the username. This feature is particularly useful when you perform
command authorization, where usernames are important to determine the commands a user can enter.
To authenticate users who enter the enable command, enter the following command:
FWSM/contexta(config)# aaa authentication enable console {LOCAL | server_group [LOCAL]}
The user is prompted for the username and password.
If you use a TACACS+ or RADIUS server group for authentication, you can configure the FWSM to use
the local database as a fallback method if the AAA server is unavailable. Specify the server group name
followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server because the FWSM prompt does not give any
indication which method is being used.
You can alternatively use the local database as your main method of authentication (with no fallback) by
entering LOCAL alone.

Authenticating Users Using the login Command

From unprivileged mode, you can log in as any username in the local database using the login command.
Unlike enable authentication, this method is available in the system execution space in multiple context
mode.
This feature allows users to log in with their own username and password to access privileged mode, so
you do not have to give out the system enable password to everyone. To allow users to access privileged
mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If
you configure local command authorization, then the user can only enter commands assigned to that
privilege level or lower. See the "Configuring Local Command Authorization" section on page 12-10
for more information.
Caution: If you add users to the local database who can gain access to the CLI and whom you do not want to enter
privileged mode, you should configure command authorization. Without command authorization, users
can access privileged mode (and all commands) at the CLI using their own password if their privilege
level is 2 or greater (2 is the default). Alternatively, you can use RADIUS or TACACS+ authentication,
or you can set all local users to level 1 so you can control who can use the system enable password to
access privileged mode.
To log in as a user from the local database, enter the following command:
FWSM> login
The FWSM prompts for your username and password. After you enter your password, the FWSM places
you in the privilege level that the local database specifies.
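The two sections above describe a configuration state that is easy to get wrong: local users sit at privilege level 2 or higher by default, and without command authorization any of them can reach privileged mode and every command through login. The following Python script is an added example, not code from the manual or from Cisco; it embeds two constructed running-config fragments (a weak one and a hardened one) and audits them for the conditions the Caution describes. Only the aaa authentication enable console command and the default privilege level of 2 come from this page; the aaa-server, username ... privilege and aaa authorization command syntax in the sample configs is assumed from FWSM/PIX-style CLI, and the hostnames, usernames, server group name and address are invented.

```python
import re

# Constructed sample running-config fragments (not taken from the manual).
# The "aaa-server", "username ... privilege" and "aaa authorization command"
# syntax is assumed from FWSM/PIX-style CLI; only "aaa authentication enable
# console" and the default privilege level of 2 come from this manual page.
WEAK_CONFIG = """\
hostname fwsm-weak
enable password <hash> encrypted
username alice password x1y2z3 encrypted privilege 2
username bob password a4b5c6 encrypted privilege 15
username helpdesk password d7e8f9 encrypted
aaa authentication enable console LOCAL
"""

HARDENED_CONFIG = """\
hostname fwsm-hardened
enable password <hash> encrypted
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.5
 key tacacs-shared-secret
username alice password x1y2z3 encrypted privilege 1
username bob password a4b5c6 encrypted privilege 15
username helpdesk password d7e8f9 encrypted privilege 3
aaa authentication enable console MYTACACS LOCAL
aaa authorization command LOCAL
privilege show level 3 command running-config
"""

# Local users created without an explicit privilege keyword get level 2,
# which is enough to reach privileged mode with "login" (see the Caution).
DEFAULT_PRIVILEGE = 2

USERNAME_RE = re.compile(
    r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?(?:\s+privilege\s+(\d+))?\s*$")
ENABLE_AUTH_RE = re.compile(r"^aaa authentication enable console\s+(.+?)\s*$")
CMD_AUTHZ_RE = re.compile(r"^aaa authorization command\s+\S+")


def parse_local_users(config):
    """Return {username: privilege_level} for every local database entry."""
    users = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else DEFAULT_PRIVILEGE
    return users


def parse_enable_auth(config):
    """Return the enable-authentication method list, e.g. ['MYTACACS', 'LOCAL'],
    or None when the enable command is not authenticated at all."""
    for line in config.splitlines():
        m = ENABLE_AUTH_RE.match(line.strip())
        if m:
            return m.group(1).split()
    return None


def has_command_authorization(config):
    """True when command authorization is configured (local or server based)."""
    return any(CMD_AUTHZ_RE.match(line.strip()) for line in config.splitlines())


def audit(config):
    """Return a list of finding strings; an empty list means no issues found."""
    findings = []
    methods = parse_enable_auth(config)
    if methods is None:
        findings.append(
            "enable-unauthenticated: 'enable' falls back to the shared system "
            "enable password and the session stops being tied to a username")
    elif methods[0] != "LOCAL" and "LOCAL" not in methods[1:]:
        findings.append(
            f"no-local-fallback: enable authentication uses {methods[0]} with no "
            "LOCAL fallback; administrators are locked out if the AAA server is down")
    if not has_command_authorization(config):
        for name, level in sorted(parse_local_users(config).items()):
            if level >= DEFAULT_PRIVILEGE:
                findings.append(
                    f"unrestricted-privileged-user: {name} (privilege {level}) can "
                    "reach privileged mode and every command via 'login'; add "
                    "command authorization or set the user to privilege 1")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Run the script as-is to see the weak config flagged for all three local users (alice and helpdesk at the default level 2, bob at 15) while the hardened config, which adds command authorization and a LOCAL fallback behind the TACACS+ group, produces no findings. The no-local-fallback check is reported because the manual recommends keeping matching credentials in the local database precisely so that an unreachable AAA server does not lock out administrators.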
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 12-9 (Configuring Authentication to Access Privileged Mode)
