37-19
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter37 Configuring Management Access
Configuring AAA for System Administrators
Configuring Authentication for CLI and ASDM Access
To configure management authentication, enter the following command:
Configuring Authentication to Access Privileged EXEC Mode (the enable Command)
You can configure the ASA to authenticate users with a AAA server or the local database when they enter
the enable command. Alternatively, users are automatically authenticated with the local database when
they enter the login command, which also accesses privileged EXEC mode depending on the user level
in the local database.
This section includes the following topics:
Configuring Authentication for the enable Command, page37-20
Authenticating Users with the login Command, page37-20
Command Purpose
aaa authentication {telnet |ssh | http |
serial} console {LOCAL |
server_group [LOCAL]}
Example:
hostname(config)# aaa authentication
telnet console LOCAL
Authenticates users for management access. The telnet keyword controls
Telnet access.
The ssh keyword controls SSH access. The SSH default usernames asa and
pix are no longer supported.
The http keyword controls ASDM access.
The serial keyword controls console port access.
HTTP management authentication does not support the SDI protocol for a
AAA server group.
If you use a AAA server group for authentication, you can configure the
ASA to use the local database as a fallback method if the AAA server is
unavailable. Specify the server group name followed by LOCAL (LOCAL
is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server, because the ASA prompt
does not give any indication which method is being used.
You can alternatively use the local database as your primary method of
authentication (with no fallback) by entering LOCAL alone.