Cisco ASA 5505 Configuration Manual page 686

Configuring AAA for System Administrators

Supported Command Authorization Methods

You can use one of two command authorization methods:

• Local privilege levels—Configure the command privilege levels on the adaptive security appliance. When a local, RADIUS, or LDAP (if you map LDAP attributes to RADIUS attributes) user authenticates for CLI access, the adaptive security appliance places that user in the privilege level that is defined by the local database, RADIUS, or LDAP server. The user can access commands at the user's privilege level and below. Note that all users access user EXEC mode when they first log in (commands at level 0 or 1). The user needs to authenticate again with the enable command to access privileged EXEC mode (commands at level 2 or higher), or they can log in with the login command (local database only).

  Note: You can use local command authorization without any users in the local database and without CLI or enable authentication. Instead, when you enter the enable command, you enter the system enable password, and the adaptive security appliance places you in level 15. You can then create enable passwords for every level, so that when you enter enable n (2 to 15), the adaptive security appliance places you in level n. These levels are not used unless you turn on local command authorization (see "Configuring Local Command Authorization"). (See the Cisco ASA 5500 Series Command Reference for more information about the enable command.)

• TACACS+ server privilege levels—On the TACACS+ server, configure the commands that a user or group can use after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server.

About Preserving User Credentials

When a user logs into the adaptive security appliance, they are required to provide a username and password for authentication. The adaptive security appliance retains these session credentials in case further authentication is needed later in the session.

When the following configurations are in place, a user needs only to authenticate with the local server upon login. Subsequent serial authorization uses the saved credentials. The user is also prompted for the privilege level 15 password. When exiting privileged mode, the user is authenticated again. User credentials are not retained in privileged mode.

• Local server is configured to authenticate user access.
• Privilege level 15 command access is configured to require a password.
• User's account is configured for serial only authorization (no access to console or ASDM).
• User's account is configured for privilege level 15 command access.

The following table shows how credentials are used in this case by the adaptive security appliance.

Credentials required       Username and     Privileged Mode   Serial          Privileged Mode
                           Password         Command           Authorization   Exit
                           Authentication   Authorization                     Authorization
Username                   Yes              No                No              Yes
Password                   Yes              No                No              Yes
Privileged Mode Password   No               Yes               No              No

Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 32, Configuring Management Access, page 32-14 (OL-20339-01)
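The local privilege-level method described above, shown as an added configuration example that is not taken from the guide or from Cisco: it builds a two-tier setup with a level-5 operator and a level-15 administrator using the ASA commands aaa authentication ... console LOCAL, aaa authorization command LOCAL, enable password ... level, username ... privilege and privilege ... command. The account names, the chosen levels, the commands reassigned to level 5 and every *-PLACEHOLDER password are assumptions for illustration; substitute your own.

```cisco
! Added example (not from the guide). Account names, levels and the
! *-PLACEHOLDER passwords are assumptions, not values from the manual.

! Authenticate console, SSH and enable logins against the local database,
! so each user lands in the privilege level stored on their own account.
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

! Turn on local command authorization. Without this line the per-level
! enable passwords and privilege assignments below are never enforced.
aaa authorization command LOCAL

! One enable password per level: "enable 5" prompts for the level-5
! password, plain "enable" prompts for the level-15 password.
enable password L5-PLACEHOLDER level 5
enable password L15-PLACEHOLDER level 15

! Accounts. Both log in to user EXEC first; the operator can then raise
! itself only as far as level 5, the administrator as far as level 15.
username ops password OPS-PLACEHOLDER privilege 5
username admin password ADMIN-PLACEHOLDER privilege 15

! Move a few read-only diagnostics down to level 5 so the operator can
! inspect state without reaching the level that can change it.
privilege show level 5 mode exec command running-config
privilege cmd level 5 mode exec command ping
privilege cmd level 5 mode exec command packet-tracer
```

With this in place, a user who logs in as ops starts in user EXEC, can run the level-5 commands after enable 5 with the level-5 password, and is refused any command assigned to a level above 5; configuration changes still require the level-15 password, which only the admin account is allowed to reach. That is the "level and below" rule from the first bullet, applied to a concrete set of accounts.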
