Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter37 Configuring Management Access
Configuring AAA for System Administrators
About Preserving User Credentials, page 37-15
Security Contexts and Command Authorization, page 37-16
Supported Command Authorization Methods
You can use one of two command authorization methods:

• Local privilege levels—Configure the command privilege levels on the ASA. When a local, RADIUS, or LDAP (if you map LDAP attributes to RADIUS attributes) user authenticates for CLI access, the ASA places that user in the privilege level that is defined by the local database, RADIUS, or LDAP server. The user can access commands at the assigned privilege level and below. Note that all users access user EXEC mode when they first log in (commands at level 0 or 1). The user needs to authenticate again with the enable command to access privileged EXEC mode (commands at level 2 or higher), or they can log in with the login command (local database only).

Note: You can use local command authorization without any users in the local database and without CLI or enable authentication. Instead, when you enter the enable command, you enter the system enable password, and the ASA places you in level 15. You can then create enable passwords for every level, so that when you enter enable n (2 to 15), the ASA places you in level n. These levels are not used unless you enable local command authorization (see the “Configuring Local Command Authorization” section on page 37-23). (See the command reference for more information about the enable command.)

• TACACS+ server privilege levels—On the TACACS+ server, configure the commands that a user or group can use after authenticating for CLI access. Every command that a user enters at the CLI is validated with the TACACS+ server.
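As an added example (not taken from this guide), the following configuration implements the scenario in the Note above: no local users and no CLI or enable authentication, a separate enable password per level, and local command authorization switched on so that the levels are actually enforced. The show commands chosen for level 5 and the password values are placeholders.

```cisco
! Added example, not from the guide. Passwords are placeholders.

! System enable password: "enable" with no level argument places the
! administrator in level 15 (full access)
enable password <PLACEHOLDER-LEVEL15-PW>

! A separate password for level 5, so that "enable 5" places the
! administrator in level 5 instead of level 15
enable password <PLACEHOLDER-LEVEL5-PW> level 5

! Lower a few read-only show commands to level 5; any command whose
! level is above 5 remains unavailable at that level
privilege show level 5 command interface
privilege show level 5 command logging

! The per-level passwords and command levels above take effect only
! once local command authorization is enabled
aaa authorization command LOCAL
```

Without the final line, the ASA ignores the level assignments and anyone who knows the system enable password works at level 15.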
About Preserving User Credentials
When a user logs into the ASA, that user is required to provide a username and password for authentication. The ASA retains these session credentials in case further authentication is needed later in the session.

When the following configurations are in place, a user needs only to authenticate with the local server for login. Subsequent serial authorization uses the saved credentials. The user is also prompted for the privilege level 15 password. When exiting privileged mode, the user is authenticated again. User credentials are not retained in privileged mode.

• The local server is configured to authenticate user access.
• Privilege level 15 command access is configured to require a password.
• The user account is configured for serial-only authorization (no access to console or ASDM).
• The user account is configured for privilege level 15 command access.
The following table shows how credentials are used in this case by the ASA.

Credentials required    Username and Password    Serial           Privileged Mode          Privileged Mode
                        Authentication           Authorization    Command Authorization    Exit Authorization
Username                Yes                      No               No                       Yes