Cisco ASA Series CLI Configuration Manual page 1015

Software version 9.0 for the services module

Chapter 1
Configuring Management Access
Configuring AAA for System Administrators

Configuring Authentication for the enable Command
You can configure the ASA to authenticate users when they enter the enable command. See the
"Comparing CLI Access with and without Authentication" section on page 1-15 for more information.
To authenticate users who enter the enable command, enter the following command.

Command
aaa authentication enable console {LOCAL | server_group [LOCAL]}
Example:
hostname(config)# aaa authentication enable console LOCAL

Purpose
Authenticates users who enter the enable command. The user is prompted
for the username and password.
If you use a AAA server group for authentication, you can configure the
ASA to use the local database as a fallback method if the AAA server is
unavailable. Specify the server group name followed by LOCAL (LOCAL
is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server, because the ASA prompt
does not give any indication of which method is being used.
You can alternatively use the local database as your primary method of
authentication (with no fallback) by entering LOCAL alone.

Authenticating Users with the login Command
From user EXEC mode, you can log in as any username in the local database using the login command.
This feature allows users to log in with their own username and password to access privileged EXEC
mode, so you do not have to provide the system enable password to everyone. To allow users to access
privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default)
through 15. If you configure local command authorization, then the user can only enter commands
assigned to that privilege level or lower. See the "Configuring Local Command Authorization" section
on page 1-24 for more information.

Caution
If you add users to the local database who can gain access to the CLI and whom you do not want to enter
privileged EXEC mode, you should configure command authorization. Without command authorization,
users can access privileged EXEC mode (and all commands) at the CLI using their own password if their
privilege level is 2 or greater (2 is the default). Alternatively, you can use a AAA server for
authentication, or you can set all local users to level 1 so you can control who can use the system enable
password to access privileged EXEC mode.

To log in as a user from the local database, enter the following command:

Command
login
Example:
hostname# login

Purpose
Logs in as a user from the local database. The ASA prompts for your
username and password. After you enter your password, the ASA places
you in the privilege level that the local database specifies.

Cisco ASA Series CLI Configuration Guide, page 1-21
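A check for the condition the Caution above describes, as an added example that is not from the Cisco guide: it reads a saved running-config and lists local users whose privilege level (2 by default) lets them reach privileged EXEC mode through login when no command authorization is configured, and it notes an enable authentication line that lacks the LOCAL fallback. The sample configuration is constructed; the `username ... privilege` and `aaa authorization command` line formats and the TACACS_GRP group name are assumptions not shown on this page.

```python
import re

DEFAULT_PRIVILEGE = 2  # the guide states that 2 is the default local privilege level

# Constructed sample running-config (not from the guide); hashes are placeholders.
# Assumed formats: "username NAME password HASH encrypted [privilege N]",
# "aaa authorization command ..." for command authorization.
SAMPLE_CONFIG = """\
username admin password PLACEHOLDERHASH1 encrypted privilege 15
username helpdesk password PLACEHOLDERHASH2 encrypted
username monitor password PLACEHOLDERHASH3 encrypted privilege 1
aaa authentication ssh console LOCAL
aaa authentication enable console TACACS_GRP
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+(?:password|nopassword)\b(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")
ENABLE_RE = re.compile(r"^aaa authentication enable console\s+(.+)$")
CMD_AUTHZ_RE = re.compile(r"^aaa authorization command\s+\S+")


def audit(config):
    """Return parsed users, whether command authorization is on, and findings."""
    users, enable_methods, cmd_authz = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            priv = PRIV_RE.search(m.group(2))
            users[m.group(1)] = int(priv.group(1)) if priv else DEFAULT_PRIVILEGE
        elif m := ENABLE_RE.match(line):
            enable_methods = m.group(1).split()
        elif CMD_AUTHZ_RE.match(line):
            cmd_authz = True
    findings = []
    if not cmd_authz:
        # Without command authorization, level 2+ means all commands after login.
        for name, level in sorted(users.items()):
            if level >= 2:
                findings.append(f"{name}: privilege {level} reaches privileged EXEC "
                                "via login (no command authorization)")
    if enable_methods is None:
        findings.append("enable: no 'aaa authentication enable console' line")
    elif enable_methods[-1] != "LOCAL":  # LOCAL is case sensitive
        findings.append(f"enable: {enable_methods[0]} has no LOCAL fallback")
    return {"users": users, "command_authorization": cmd_authz, "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print(finding)
```
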
