40-17
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 40 Configuring Management Access
Configuring AAA for System Administrators
TACACS+ server privilege levels—On the TACACS+ server, configure the commands that a user or
group can use after authenticating for CLI access. Every command that a user enters at the CLI is
validated with the TACACS+ server.
About Preserving User Credentials
When a user logs into the ASA, that user is required to provide a username and password for
authentication. The ASA retains these session credentials in case further authentication is needed later
in the session.
When the following configurations are in place, a user needs only to authenticate with the local server
for login. Subsequent serial authorization uses the saved credentials. The user is also prompted for the
privilege level 15 password. When exiting privileged mode, the user is authenticated again. User
credentials are not retained in privileged mode.
• The local server is configured to authenticate user access.
• Privilege level 15 command access is configured to require a password.
• The user account is configured for serial-only authorization (no access to console or ASDM).
• The user account is configured for privilege level 15 command access.
The following table shows how credentials are used in this case by the ASA.

Credentials required      Username and Password   Serial          Privileged Mode         Privileged Mode
                          Authentication          Authorization   Command Authorization   Exit Authorization
Username                  Yes                     No              No                      Yes
Password                  Yes                     No              No                      Yes
Privileged Mode Password  No                      No              Yes                     No

Security Contexts and Command Authorization
The following are important points to consider when implementing command authorization with
multiple security contexts:
• AAA settings are discrete per context, not shared among contexts.
• When configuring command authorization, you must configure each security context separately.
This configuration provides you the opportunity to enforce different command authorizations for
different security contexts.
• When switching between security contexts, administrators should be aware that the commands
permitted for the username specified when they log in may be different in the new context session, or
that command authorization may not be configured at all in the new context. Failure to understand
that command authorizations may differ between security contexts could confuse an administrator.
This behavior is further complicated by the next point.
• New context sessions started with the changeto command always use the default enable_15
username as the administrator identity, regardless of which username was used in the previous
context session. This behavior can lead to confusion if command authorization is not configured for
the enable_15 user or if authorizations are different for the enable_15 user than for the user in the
previous context session.
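As an added example (not configuration from the guide), the local-server credential scenario described above and the per-context caveat expressed as ASA CLI configuration. The username adminuser, the context name ctx1 and all passwords are placeholders; the "serial-only authorization" restriction on the user account is not shown because the page does not state how it is configured.

```cisco
! Added example, not from the Cisco guide. Placeholders: adminuser, ctx1, <...-PLACEHOLDER>.
!
! 1. The local server authenticates serial console logins. The credentials
!    entered here are retained for later serial authorization in the session.
aaa authentication serial console LOCAL
!
! 2. Privilege level 15 (privileged mode) requires its own password; the user is
!    prompted for it separately, and the login credentials are not kept there.
enable password <ENABLE-PASSWORD-PLACEHOLDER> level 15
!
! 3. Local user account with privilege level 15 command access.
username adminuser password <USER-PASSWORD-PLACEHOLDER> privilege 15
!
! 4. Command authorization against the local user database.
aaa authorization command LOCAL
!
! Multiple contexts: AAA settings are per context, so the same commands must be
! entered inside each context. A session started with changeto runs as the
! enable_15 identity, so that username needs a privilege level in any context
! where command authorization is enabled (assumed configuration, for illustration).
changeto context ctx1
aaa authorization command LOCAL
username enable_15 password <ENABLE15-PASSWORD-PLACEHOLDER> privilege 15
```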