12-8
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 12 Configuring AAA
Configuring Authentication for CLI Access
If you enable CLI authentication, the FWSM prompts you for a username and password when you log in. After you authenticate, you are in unprivileged mode. To enter privileged mode, enter the enable command, or the login command if you are using the local database only.
If you configure enable authentication (see the “Configuring Authentication to Access Privileged Mode” section on page 12-8), the FWSM prompts you for your username and password again when you enter the enable command. If you do not configure enable authentication, you enter the system enable password (set by the enable password command) instead. In that case, however, the session is no longer associated with a particular user once you are in privileged mode, so privileged actions cannot be attributed to the person who performed them. To keep your username across the change to privileged mode, use enable authentication.
For authentication using the local database, you can instead use the login command, which keeps the username and requires no additional aaa configuration.
Note Before the FWSM can authenticate a Telnet, SSH, or HTTP user, you must first configure access to the
FWSM using the telnet, ssh, and http commands. These commands identify the IP addresses that are
allowed to communicate with the FWSM. See Chapter 11, “Allowing Remote Management.” The only
exception is when you session from the switch to the FWSM; this Telnet session is always allowed.
However, you cannot authenticate the system session because the system configuration does not contain
any aaa commands.
To authenticate users who access the CLI, enter the following command:
FWSM/contexta(config)# aaa authentication {telnet | ssh | http} console {LOCAL | server_group [LOCAL]}
The http keyword authenticates the PDM client that accesses the FWSM using HTTPS.
If you use a TACACS+ or RADIUS server group for authentication, you can configure the FWSM to use
the local database as a fallback method if the AAA server is unavailable. Specify the server group name
followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server because the FWSM prompt does not give any
indication which method is being used.
You can alternatively use the local database as your main method of authentication (with no fallback) by
entering LOCAL alone.
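The following context configuration is an added example, not text from this guide, that puts the pieces described above together: management access permitted first, a local fallback account, a TACACS+ server group, CLI authentication with LOCAL fallback, and the enable-password-only setting shown beside enable authentication. The server group name AdminTACACS, the addresses 10.1.1.0/24 and 10.1.1.5, and the placeholder passwords are assumptions; the aaa-server, username and aaa authentication enable console command forms follow the PIX 6.x-style syntax used elsewhere in this guide and are not shown on this page, so treat them as assumptions to check against your release.

```cisco
! Added example (not from the configuration guide). Assumes a TACACS+
! server at 10.1.1.5 on the inside interface and an admin subnet of
! 10.1.1.0/24. Group name, addresses and placeholder secrets are assumed.
!
! 1. Management access must exist before AAA can authenticate it
!    (Chapter 11). Permit SSH from the admin subnet only; no telnet line,
!    so cleartext Telnet logins are never accepted.
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
!
! 2. Local fallback account. Use the same username and password as on
!    the AAA server; the login prompt does not reveal which method
!    answered, so a mismatch looks like a bad password. (Syntax assumed.)
username admin password <local-password> privilege 15
!
! 3. TACACS+ server group. (aaa-server syntax assumed from the guide's
!    other chapters; this page shows only aaa authentication.)
aaa-server AdminTACACS protocol tacacs+
aaa-server AdminTACACS (inside) host 10.1.1.5 <shared-key> timeout 5
!
! 4. Authenticate SSH and PDM (HTTPS) logins against TACACS+, falling
!    back to the local database only when the group is unreachable.
!    LOCAL is case sensitive.
aaa authentication ssh console AdminTACACS LOCAL
aaa authentication http console AdminTACACS LOCAL
!
! 5. Weak: the system enable password alone. After "enable" the session
!    is no longer tied to a username, so privileged changes are not
!    attributable to a person.
!    enable password <system-enable-password>
!
!    Preferred: enable authentication keeps the username across the
!    change to privileged mode. (Command form assumed; see the
!    "Configuring Authentication for the enable Command" section.)
aaa authentication enable console AdminTACACS LOCAL
```

Apply this from a second session, or from the switch session into the FWSM, so that a mistake in the server group or the local account cannot lock you out; then verify the fallback by logging in once while the TACACS+ server is reachable and once while it is not. Note that the switch session into the FWSM is always permitted and cannot be authenticated with aaa commands, so access to the switch itself remains an unauthenticated path into the FWSM and must be controlled on the switch.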
Configuring Authentication to Access Privileged Mode
You can configure the FWSM to authenticate users with a AAA server or the local database when they
enter the enable command. Alternatively, users are automatically authenticated with the local database
when they enter the login command, which also accesses privileged mode depending on the user level
in the local database. See the following sections for information about these methods:
• Configuring Authentication for the enable Command, page 12-9
• Authenticating Users Using the login Command, page 12-9