40-18
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter40 Configuring Management Access
Configuring AAA for System Administrators
This behavior also affects command accounting, which is useful only if you can accurately associate
each command that is issued with a particular administrator. Because all administrators with
permission to use the changeto command can use the enable_15 username in other contexts,
command accounting records may not readily identify who was logged in as the enable_15
username. If you use different accounting servers for each context, tracking who was using the
enable_15 username requires correlating the data from several servers.
When configuring command authorization, consider the following:
• An administrator with permission to use the changeto command effectively has permission to
use all commands permitted to the enable_15 user in each of the other contexts.
• If you intend to authorize commands differently per context, ensure that in each context the
enable_15 username is denied use of commands that are also denied to administrators who are
permitted use of the changeto command.
When switching between security contexts, administrators can exit privileged EXEC mode and enter
the enable command again to use the username that they need.
Note The system execution space does not support AAA commands; therefore, command authorization is not
available in the system execution space.
Licensing Requirements for AAA for System Administrators
The following table shows the licensing requirements for this feature:
Prerequisites
Depending on the feature, you can use the following:
• AAA server—See the “Configuring AAA Server Groups” section on page 38-11.
• Local Database—See the “Adding a User Account to the Local Database” section on page 38-22.
Prerequisites for Management Authentication
Before the ASA can authenticate a Telnet, SSH, or HTTP user, you must identify the IP addresses that
are allowed to communicate with the ASA. For more information, see the “Configuring ASA Access for
ASDM, Telnet, or SSH” section on page 40-1.
Prerequisites for Local Command Authorization
Configure enable authentication. (See the “Configuring Authentication for CLI, ASDM, and enable
command Access” section on page 40-20.) enable authentication is essential for maintaining the
username after the user accesses the enable command.
Alternatively, you can use the login command (which is the same as the enable command with
authentication; for the local database only), which requires no configuration. We do not recommend
this option because it is not as secure as enable authentication.
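As an added example (not from this guide, which configures these settings through ASDM), the CLI equivalent of the prerequisites above: enable authentication against the local database so that the administrator's own username survives the enable command, local command authorization, the changeto command restricted to privilege level 15, and command accounting sent to a AAA server. The usernames, the host address, the key and the server-group name TACACS-ADMIN are placeholders.

```cisco
! Added example; placeholder names and addresses, not configuration from the guide.
! Enable authentication keeps the administrator's real username after 'enable'
! instead of collapsing every administrator into the shared enable_15 username.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! Local command authorization: each command is checked against the privilege
! level assigned to the username that enable authentication preserved.
aaa authorization command LOCAL
!
! Restrict changeto to level 15. Anyone who can run changeto effectively gets
! every command permitted to enable_15 in the other contexts, so keep it away
! from lower-privilege operators.
privilege cmd level 15 command changeto
!
! A full administrator (can use changeto) and a restricted operator (cannot).
username ctx-admin password <placeholder-password> privilege 15
username ops-operator password <placeholder-password> privilege 5
!
! Command accounting to an assumed TACACS+ group; the records carry the real
! username only because enable authentication is configured above.
aaa-server TACACS-ADMIN protocol tacacs+
aaa-server TACACS-ADMIN (inside) host 192.0.2.10
 key <placeholder-shared-secret>
aaa accounting command privilege 5 TACACS-ADMIN
```

Without the enable authentication lines, the accounting records for every administrator would show enable_15, which is exactly the attribution problem described above.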
Model License Requirement
All models Base License.