37-14
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 37 Configuring Management Access
Configuring AAA for System Administrators
Information About AAA for System Administrators
This section describes AAA for system administrators and includes the following topics:
• Information About Management Authentication, page 37-14
• Information About Command Authorization, page 37-14

Information About Management Authentication

This section describes authentication for management access and includes the following topics:
• Comparing CLI Access with and without Authentication, page 37-14
• Comparing ASDM Access with and without Authentication, page 37-14

Comparing CLI Access with and without Authentication

How you log into the ASA depends on whether or not you enable authentication:
• If you do not enable any authentication for Telnet, you do not enter a username; you enter the login
  password (set with the password command). For SSH, you enter the username and the login
  password. You access user EXEC mode.
• If you enable Telnet or SSH authentication according to this section, you enter the username and
  password as defined on the AAA server or local user database. You access user EXEC mode.
To enter privileged EXEC mode after logging in, enter the enable command. How enable works depends
on whether you enable authentication:
• If you do not configure enable authentication, enter the system enable password when you enter the
  enable command (set by the enable password command). However, if you do not use enable
  authentication, after you enter the enable command, you are no longer logged in as a particular user.
  To maintain your username, use enable authentication.
• If you configure enable authentication (see the “Configuring Authentication to Access Privileged
  EXEC Mode (the enable Command)” section on page 37-19), the ASA prompts you for your username and
  password again. This feature is particularly useful when you perform command authorization, in
  which usernames are important in determining the commands that a user can enter.
For enable authentication using the local database, you can use the login command instead of the enable
command. login maintains the username but requires no configuration to turn on authentication. See the
“Authenticating Users with the login Command” section on page 37-20 for more information.

Comparing ASDM Access with and without Authentication

By default, you can log into ASDM with a blank username and the enable password set by the enable
password command. Note that if you enter a username and password at the login screen (instead of
leaving the username blank), ASDM checks the local database for a match.
If you configure HTTP authentication, you can no longer use ASDM with a blank username and the
enable password.
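
The following audit script is an added example, not part of the Cisco guide. It reads a running configuration and reports which management paths still behave as described above for access without authentication. It assumes the standard aaa authentication {telnet | ssh | http | enable} console commands, which do not appear on this page; the function name audit and both sample configurations are constructed for illustration.

```python
import re

# What this section says happens on each path when authentication is NOT enabled.
UNAUTHENTICATED = {
    "telnet": "Telnet: no username is entered, only the login password",
    "ssh": "SSH: login uses the login password set with the password command",
    "http": "ASDM: a blank username plus the enable password is accepted",
    "enable": "enable: system enable password; the username is not maintained",
}
AAA_RE = re.compile(r"^aaa authentication (telnet|ssh|http|enable) console \S+")
# IPv4 access rules only, e.g. "ssh 192.0.2.0 255.255.255.0 inside"
# (does not match "ssh timeout 5" or "http server enable").
ALLOW_RE = re.compile(r"^(telnet|ssh|http) \d+(?:\.\d+){3} \d+(?:\.\d+){3} \S+$")

def audit(running_config):
    """Return findings for reachable management paths lacking AAA authentication."""
    authenticated, reachable = set(), set()
    for line in map(str.strip, running_config.splitlines()):
        if (m := AAA_RE.match(line)):
            authenticated.add(m.group(1))
        elif (m := ALLOW_RE.match(line)):
            reachable.add(m.group(1))
    paths = sorted(reachable)
    if reachable & {"telnet", "ssh"}:   # enable is entered from a CLI session
        paths.append("enable")
    return [UNAUTHENTICATED[p] for p in paths if p not in authenticated]

# Constructed sample configurations (addresses are documentation ranges).
WEAK = """\
telnet 192.0.2.0 255.255.255.0 inside
ssh 192.0.2.0 255.255.255.0 inside
http server enable
http 192.0.2.0 255.255.255.0 inside
"""
HARDENED = WEAK + """\
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "all management paths use AAA authentication")
```
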

Information About Command Authorization

This section describes command authorization and includes the following topics:
• Supported Command Authorization Methods, page 37-15