Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 37 Configuring Management Access
Configuring AAA for System Administrators
Table 37-2 CLI Authentication and Command Authorization Lockout Scenarios (continued)

| Feature | Lockout Condition | Description | Workaround: Single Mode | Workaround: Multiple Mode |
|---|---|---|---|---|
| TACACS+ command authorization | You are logged in as a user without enough privileges or as a user that does not exist | You enable command authorization, but then find that the user cannot enter any more commands. | Fix the TACACS+ server user account. If you do not have access to the TACACS+ server and you need to configure the ASA immediately, then log into the maintenance partition and reset the passwords and aaa commands. | Session into the ASA from the switch. From the system execution space, you can change to the context and complete the configuration changes. You can also disable command authorization until you fix the TACACS+ configuration. |
| Local command authorization | You are logged in as a user without enough privileges | You enable command authorization, but then find that the user cannot enter any more commands. | Log in and reset the passwords and aaa commands. | Session into the ASA from the switch. From the system execution space, you can change to the context and change the user level. |

Setting a Management Session Quota
An administrator can establish a maximum number of simultaneous management sessions. If the
maximum is reached, no additional sessions are allowed and a syslog message is generated. To prevent
a system lockout, the management session quota mechanism cannot block a console session.
To set a management session maximum, enter the following command:
| Command | Purpose |
|---|---|
| quota management-session number | Sets the maximum number of simultaneous ASDM, SSH, and Telnet sessions that are allowed on the ASA. The no form of this command sets the quota value to 0, which means that there is no session limit. |

Example:
hostname(config)# quota management-session 1000
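One way to audit saved configurations for the quota described above, as an added example that is not part of the Cisco guide. The sample configurations, the host names and the ceiling of 20 are constructed for illustration, and treating a configuration with no quota line as 0 (the same as the no form) is an assumption.

```python
import re

# Matches the command documented above, with or without the "no" form.
QUOTA_RE = re.compile(r"^\s*(no\s+)?quota\s+management-session(?:\s+(\d+))?\s*$")

def effective_quota(config_text):
    """Return the effective management session quota; 0 means no limit.

    Assumption: a config with no quota line is treated like the "no" form (0).
    When several quota lines appear, the last one wins.
    """
    quota = 0
    for line in config_text.splitlines():
        m = QUOTA_RE.match(line)
        if not m:
            continue
        negated, value = m.groups()
        if negated:
            quota = 0
        elif value is not None:
            quota = int(value)
    return quota

def audit_quota(config_text, ceiling=20):
    """Classify the quota. `ceiling` is a site policy value, not a Cisco default."""
    quota = effective_quota(config_text)
    if quota == 0:
        return ("FAIL", "no management session limit (quota is 0)")
    if quota > ceiling:
        return ("WARN", f"quota {quota} exceeds site ceiling {ceiling}")
    return ("PASS", f"quota {quota} within site ceiling {ceiling}")

# Constructed sample configurations (not captured from a real device).
SAMPLES = {
    "fw-unset": "hostname fw-unset\nssh 192.0.2.0 255.255.255.0 management\n",
    "fw-guide-example": "hostname fw-guide-example\nquota management-session 1000\n",
    "fw-bounded": "hostname fw-bounded\nquota management-session 5\n",
    "fw-reverted": "quota management-session 5\nno quota management-session\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        status, detail = audit_quota(cfg)
        print(f"{name:18} {status:5} {detail}")
```

Because the quota never blocks a console session, a low value limits exposure of the ASDM, SSH, and Telnet listeners without risking a lockout at the console.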