1-32
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Management Access
Configuring AAA for System Administrators
Recovering from a Lockout
In some circumstances, when you turn on command authorization or CLI authentication, you can be
locked out of the ASA CLI. You can usually recover access by restarting the ASA. However, if you
already saved your configuration, you might be locked out. Table 1-2 lists the common lockout
conditions and how you might recover from them.
Table 1-2 CLI Authentication and Command Authorization Lockout Scenarios
Feature
Lockout
Condition Description Workaround: Single Mode
Workaround: Multiple
Mode
Local CLI
authentication
No users in the
local database
If you have no users in
the local database, you
cannot log in, and you
cannot add any users.
Log in and reset the
passwords and aaa
commands.
Session into the ASA from
the switch. From the system
execution space, you can
change to the context and
add a user.
TACACS+
command
authorization
TACACS+ CLI
authentication
RADIUS CLI
authentication
Server down or
unreachable and
you do not have
the fallback
method
configured
If the server is
unreachable, then you
cannot log in or enter
any commands.
1. Log in and reset the
passwords and AAA
commands.
2. Configure the local
database as a fallback
method so you do not
get locked out when the
server is down.
1. If the server is
unreachable because the
network configuration
is incorrect on the ASA,
session into the ASA
from the switch. From
the system execution
space, you can change
to the context and
reconfigure your
network settings.
2. Configure the local
database as a fallback
method so you do not
get locked out when the
server is down.
TACACS+
command
authorization
You are logged in
as a user without
enough privileges
or as a user that
does not exist
You enable command
authorization, but then
find that the user
cannot enter any more
commands.
Fix the TACACS+ server
user account.
If you do not have access to
the TACACS+ server and
you need to configure the
ASA immediately, then log
into the maintenance
partition and reset the
passwords and aaa
commands.
Session into the ASA from
the switch. From the system
execution space, you can
change to the context and
complete the configuration
changes. You can also
disable command
authorization until you fix
the TACACS+
configuration.
Local command
authorization
You are logged in
as a user without
enough privileges
You enable command
authorization, but then
find that the user
cannot enter any more
commands.
Log in and reset the
passwords and aaa
commands.
Session into the ASA from
the switch. From the system
execution space, you can
change to the context and
change the user level.
To Next Page
Loading...
Need help?
General
