40-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 40 Managing System Access
Configuring AAA for System Administrators
Configuring Authentication for CLI Access
If you enable CLI authentication, the security appliance prompts you for your username and password
to log in. After you enter your information, you have access to user EXEC mode.
To enter privileged EXEC mode, enter the enable command or the login command (if you are using the
local database only).
If you configure enable authentication (see the “Configuring Authentication for the Enable Command”
section on page 40-6), the security appliance prompts you for your username and password. If you do
not configure enable authentication, enter the system enable password when you enter the enable
command (set by the enable password command). However, if you do not use enable authentication,
after you enter the enable command, you are no longer logged in as a particular user. To maintain your
username, use enable authentication.
For authentication using the local database, you can use the login command, which maintains the
username but requires no configuration to turn on authentication.
Note Before the security appliance can authenticate a Telnet, SSH, or HTTP user, you must first configure
access to the security appliance using the telnet, ssh, and http commands. These commands identify the
IP addresses that are allowed to communicate with the security appliance.
To authenticate users who access the CLI, enter the following command:
hostname(config)# aaa authentication {telnet | ssh | http | serial} console {LOCAL |
server_group [LOCAL]}
The http keyword authenticates the ASDM client that accesses the security appliance using HTTPS. You
only need to configure HTTP authentication if you want to use a AAA server. By default, ASDM uses
the local database for authentication even if you do not configure this command. HTTP management
authentication does not support the SDI protocol for a AAA server group.
If you use a AAA server group for authentication, you can configure the security appliance to use the
local database as a fallback method if the AAA server is unavailable. Specify the server group name
followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server because the security appliance prompt does not give
any indication which method is being used.
You can alternatively use the local database as your main method of authentication (with no fallback) by
entering LOCAL alone.
Configuring Authentication To Access Privileged EXEC Mode
You can configure the security appliance to authenticate users with a AAA server or the local database
when they enter the enable command. Alternatively, users are automatically authenticated with the local
database when they enter the login command, which also accesses privileged EXEC mode depending on
the user level in the local database.
This section includes the following topics:
• Configuring Authentication for the Enable Command, page 40-6
• Authenticating Users Using the Login Command, page 40-6
To Next Page
Loading...
Need help?
General