40-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 40 Managing System Access
Configuring AAA for System Administrators
Configuring Authentication for the Enable Command
You can configure the security appliance to authenticate users when they enter the enable command. If
you do not authenticate the enable command, when you enter enable, the security appliance prompts for
the system enable password (set by the enable password command), and you are no longer logged in as
a particular user. Applying authentication to the enable command maintains the username. This feature
is particularly useful when you perform command authorization, where usernames are important to
determine the commands a user can enter.
To authenticate users who enter the enable command, enter the following command:
hostname(config)# aaa authentication enable console {LOCAL | server_group [LOCAL]}
The user is prompted for the username and password.
If you use a AAA server group for authentication, you can configure the security appliance to use the
local database as a fallback method if the AAA server is unavailable. Specify the server group name
followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server because the security appliance prompt does not give
any indication which method is being used.
You can alternatively use the local database as your main method of authentication (with no fallback) by
entering LOCAL alone.
Authenticating Users Using the Login Command
From user EXEC mode, you can log in as any username in the local database using the login command.
This feature allows users to log in with their own username and password to access privileged EXEC
mode, so you do not have to give out the system enable password to everyone. To allow users to access
privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default)
through 15. If you configure local command authorization, then the user can only enter commands
assigned to that privilege level or lower. See the “Configuring Local Command Authorization” section
on page 40-7 for more information.
Caution If you add users to the local database who can gain access to the CLI and whom you do not want to enter
privileged EXEC mode, you should configure command authorization. Without command authorization,
users can access privileged EXEC mode (and all commands) at the CLI using their own password if their
privilege level is 2 or greater (2 is the default). Alternatively, you can use a AAA server for
authentication, or you can set all local users to level 1 so you can control who can use the system enable
password to access privileged EXEC mode.
To log in as a user from the local database, enter the following command:
hostname> login
The security appliance prompts for your username and password. After you enter your password, the
security appliance places you in the privilege level that the local database specifies.
To Next Page
Loading...
Need help?
General