35-28
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter35 Configuring AAA Servers and the Local Database
Configuring AAA
Authenticating Users with a Public Key for SSH
Users can authenticate with a public key for SSH. The public key can be hashed or not hashed.
To authenticate with a public key for SSH, enter the following command:
Differentiating User Roles Using AAA
The ASA enables you to distinguish between administrative and remote-access users when they
authenticate using RADIUS, LDAP, TACACS+, or the local user database. User role differentiation can
prevent remote access VPN and network access users from establishing an administrative connection to
the ASA.
To differentiate user roles, use the service-type attribute in username configuration mode. For RADIUS
and LDAP (with the ldap-attribute-map command), you can use a Cisco Vendor-Specific Attribute
(VSA), Cisco-Priv-Level, to assign a privilege level to an authenticated user.
This section includes the following topics:
Using Local Authentication, page 35-28
Using RADIUS Authentication, page 35-29
Using LDAP Authentication, page 35-29
Using TACACS+ Authentication, page35-30

Using Local Authentication

Before you configure the service-type attribute and privilege level when using local authentication, you
must create a user, assign a password, and assign a privilege level.
To do so, enter the following command:
hostname(config)# username admin password mysecret123 privilege 15
Command Purpose
username {user} attributes ssh authentication
publickey key [hashed]
Example:
hostname(config)# username anyuser ssh authentication
publickey key [hashed]
Enables public key authentication on a per-user basis. The
value of the key argument can be one of the following:
When the key argument is supplied and the hashed tag is
not specified, the value of the key must be a Base 64
encoded public key that is generated by SSH key
generation software that can generate SSH-RSA raw keys
(that is, with no certificates). After you submit the Base
64 encoded public key, that key is then hashed via
SHA-256 and the corresponding 32-byte hash is used for
all further comparisons.
When the key argument is supplied and the hashed tag is
specified, the value of the key must have been previously
hashed with SHA-256 and be 32 bytes long, with each
byte separated by a colon (for parsing purposes).
When you save the configuration, the hashed key value is
saved to the configuration and used when the ASA is
rebooted.