Cisco ASA Series CLI Configuration Manual, page 1026

Software version 9.0 for the services module
Chapter 1 Configuring Management Access

Configuring AAA for System Administrators

Recovering from a Lockout

In some circumstances, when you turn on command authorization or CLI authentication, you can be locked out of the ASA CLI. You can usually recover access by restarting the ASA, because a reload discards the running configuration that caused the lockout. However, if you already saved that configuration to the startup configuration, a restart brings the lockout back and you might be locked out. Table 1-2 lists the common lockout conditions and how you might recover from them.

Table 1-2 CLI Authentication and Command Authorization Lockout Scenarios

Feature: Local CLI authentication
Lockout Condition: No users in the local database.
Description: If you have no users in the local database, you cannot log in, and you cannot add any users.
Workaround (Single Mode): Log in and reset the passwords and AAA commands.
Workaround (Multiple Mode): Session into the ASA from the switch. From the system execution space, you can change to the context and add a user.

Feature: TACACS+ command authorization; TACACS+ CLI authentication; RADIUS CLI authentication
Lockout Condition: The server is down or unreachable and you do not have the fallback method configured.
Description: If the server is unreachable, then you cannot log in or enter any commands.
Workaround (Single Mode):
1. Log in and reset the passwords and AAA commands.
2. Configure the local database as a fallback method so you do not get locked out when the server is down.
Workaround (Multiple Mode):
1. If the server is unreachable because the network configuration is incorrect on the ASA, session into the ASA from the switch. From the system execution space, you can change to the context and reconfigure your network settings.
2. Configure the local database as a fallback method so you do not get locked out when the server is down.

Feature: TACACS+ command authorization
Lockout Condition: You are logged in as a user without enough privileges or as a user that does not exist.
Description: You enable command authorization, but then find that the user cannot enter any more commands.
Workaround (Single Mode): Fix the TACACS+ server user account. If you do not have access to the TACACS+ server and you need to configure the ASA immediately, then log into the maintenance partition and reset the passwords and AAA commands.
Workaround (Multiple Mode): Session into the ASA from the switch. From the system execution space, you can change to the context and complete the configuration changes. You can also disable command authorization until you fix the TACACS+ configuration.

Feature: Local command authorization
Lockout Condition: You are logged in as a user without enough privileges.
Description: You enable command authorization, but then find that the user cannot enter any more commands.
Workaround (Single Mode): Log in and reset the passwords and AAA commands.
Workaround (Multiple Mode): Session into the ASA from the switch. From the system execution space, you can change to the context and change the user level.

Cisco ASA Series CLI Configuration Guide 1-32
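Every row of Table 1-2 is a configuration state you can check for before you save a configuration. The script below is an added example (not code from the Cisco guide) that reads the `aaa authentication ... console`, `aaa authorization command` and `username` lines of an ASA configuration and reports the Table 1-2 conditions that are visible in the configuration itself: an empty local database behind local authentication (row 1), a TACACS+/RADIUS server group used for login or command authorization without the LOCAL fallback (row 2), and command authorization that would fall to a local database in which no user holds privilege 15 (row 4, generalized to also cover the LOCAL fallback of a server group). Row 3 depends on the account on the TACACS+ server and cannot be judged from the ASA configuration, so it is not checked. The server-group name TACACS-GRP, the host address, the user names and the password hashes in the sample configurations are constructed for this example; the command syntax is the ASA's own.

```python
"""Audit an ASA configuration for the lockout conditions of Table 1-2.

Added example, not Cisco's code. The two configurations below are
constructed sample text, not captured from a real device.
"""
import re

# Constructed "before" configuration: SSH login has no LOCAL fallback and
# local command authorization is on, but the only local user is level 5.
SAMPLE_CONFIG = """\
hostname asa-sm
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.1.1.10
username helpdesk password 8Ry2YjIyt7RRXU24 encrypted privilege 5
aaa authentication ssh console TACACS-GRP
aaa authentication enable console TACACS-GRP LOCAL
aaa authorization command LOCAL
"""

# Constructed "after" configuration: LOCAL fallback everywhere, a local
# privilege-15 user, and the serial console kept on the local database.
HARDENED_CONFIG = """\
hostname asa-sm
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.1.1.10
username admin password 8Ry2YjIyt7RRXU24 encrypted privilege 15
username helpdesk password 8Ry2YjIyt7RRXU24 encrypted privilege 5
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL
aaa authentication serial console LOCAL
aaa authorization command TACACS-GRP LOCAL
"""

# aaa authentication <service> console <group> [LOCAL]
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
# aaa authorization command <group> [LOCAL]
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?$")
# username <name> {password <hash> | nopassword} ...   ('username X attributes'
# sub-mode lines are deliberately not matched so they cannot reset a level)
USER_RE = re.compile(r"^username (\S+) (?:password \S+|nopassword)\b")
PRIV_RE = re.compile(r"\bprivilege (\d+)\b")


def parse(config_text):
    """Return (users, auth, authz) from the lines that matter for lockout."""
    users = {}    # local username -> privilege level (ASA default is 2)
    auth = {}     # console service (ssh, enable, ...) -> (group, has LOCAL fallback)
    authz = None  # (group, has LOCAL fallback) once command authorization is on
    for raw in config_text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            priv = PRIV_RE.search(line)
            users[m.group(1)] = int(priv.group(1)) if priv else 2
            continue
        m = AUTH_RE.match(line)
        if m:
            auth[m.group(1)] = (m.group(2), m.group(3) is not None)
            continue
        m = AUTHZ_RE.match(line)
        if m:
            authz = (m.group(1), m.group(2) is not None)
    return users, auth, authz


def audit(config_text):
    """Return (table_row, message) findings; an empty list means nothing found."""
    users, auth, authz = parse(config_text)
    findings = []
    # Row 1: local CLI authentication (primary or fallback) with an empty local database.
    uses_local = any(group == "LOCAL" or fb for group, fb in auth.values())
    if uses_local and not users:
        findings.append((1, "local authentication is configured but the local database has no users"))
    # Row 2: server-based login or command authorization with no LOCAL fallback.
    for svc, (group, fallback) in sorted(auth.items()):
        if group != "LOCAL" and not fallback:
            findings.append((2, f"aaa authentication {svc} console {group} has no LOCAL fallback"))
    if authz and authz[0] != "LOCAL" and not authz[1]:
        findings.append((2, f"aaa authorization command {authz[0]} has no LOCAL fallback"))
    # Row 4: command authorization decided by local privilege levels, but no local
    # user can reach level 15. Only meaningful when 'enable' is also authenticated
    # against the local database; otherwise the enable password still yields level 15.
    authz_local = authz is not None and (authz[0] == "LOCAL" or authz[1])
    enable_local = "enable" in auth and (auth["enable"][0] == "LOCAL" or auth["enable"][1])
    if authz_local and enable_local and not any(p >= 15 for p in users.values()):
        findings.append((4, "command authorization uses the local database but no local user has privilege 15"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no Table 1-2 lockout conditions found'}")
```

Run it against `show running-config` output before you `write memory`; once the lockout is saved, the restart shortcut in the text above no longer helps and you are down to the workarounds in Table 1-2.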
