Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 40 Configuring Management Access
Configuring AAA for System Administrators
clear pager
quit
show version
If you move any configure mode commands to a lower level than 15, be sure to move the configure
command to that level as well; otherwise, the user cannot enter configuration mode.
To view all privilege levels, see the “Viewing Local Command Privilege Levels” section on page 40-23.
Configuring Authentication for CLI, ASDM, and enable command Access
To configure management authentication, perform the following steps:
Step 1 To authenticate users who use the enable command, choose Configuration > Device Management >
Users/AAA > AAA Access > Authentication, and configure the following settings:
a. Check the Enable check box.
b. From the Server Group drop-down list, choose a server group name or the LOCAL database.
c. (Optional) If you chose a AAA server, you can configure the ASA to use the local database as a
fallback method if the AAA server is unavailable. Click the Use LOCAL when server group fails
check box. We recommend that you use the same username and password in the local database as
the AAA server, because the ASA prompt does not give any indication of which method is being
used.
Step 2 To authenticate users who access the CLI or ASDM, choose Configuration > Device Management >
Users/AAA > AAA Access > Authentication, and configure the following settings:
a. Check one or more of the following check boxes:
HTTP/ASDM—Authenticates the ASDM client that accesses the ASA using HTTPS. HTTP
management authentication does not support the SDI protocol for a AAA server group.
Serial—Authenticates users who access the ASA using the console port.
SSH—Authenticates users who access the ASA using SSH.
Telnet—Authenticates users who access the ASA using Telnet.
b. For each service that you checked, from the Server Group drop-down list, choose a server group
name or the LOCAL database.
c. (Optional) If you chose a AAA server, you can configure the ASA to use the local database as a
fallback method if the AAA server is unavailable. Click the Use LOCAL when server group fails
check box. We recommend that you use the same username and password in the local database as
the AAA server because the ASA prompt does not give any indication of which method is being
used.
Step 3 Click Apply.
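To verify the result of the steps above, the following added example (not part of the Cisco guide) audits a saved running configuration and reports, for each management access method, which authentication source is set and whether the LOCAL fallback is enabled. It assumes the settings appear in the configuration as `aaa authentication <service> console <group> [LOCAL]` lines; the sample configuration is constructed and `TACACS_GRP` is a hypothetical server group name.

```python
import re

# Services covered by Steps 1 and 2 of the procedure above.
SERVICES = ("enable", "http", "serial", "ssh", "telnet")

# Matches: aaa authentication <service> console <group> [LOCAL]
AAA_RE = re.compile(
    r"^aaa authentication (enable|http|serial|ssh|telnet) console (\S+)(?: (LOCAL))?\s*$"
)

def audit_mgmt_auth(running_config):
    """Return {service: finding} for each management access method."""
    seen = {}
    for line in running_config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            service, group, fallback = m.groups()
            seen[service] = (group, fallback == "LOCAL")
    report = {}
    for service in SERVICES:
        if service not in seen:
            report[service] = "no aaa authentication line"
            continue
        group, fallback = seen[service]
        if group == "LOCAL":
            report[service] = "LOCAL database"
        elif fallback:
            report[service] = f"server group {group}, LOCAL fallback"
        else:
            report[service] = f"server group {group}, NO fallback"
    return report

# Constructed sample (not from a real device); TACACS_GRP is a hypothetical name.
SAMPLE_CONFIG = """\
aaa-server TACACS_GRP protocol tacacs+
aaa authentication enable console TACACS_GRP LOCAL
aaa authentication ssh console TACACS_GRP
aaa authentication http console LOCAL
telnet 192.0.2.0 255.255.255.0 inside
"""

if __name__ == "__main__":
    for service, finding in audit_mgmt_auth(SAMPLE_CONFIG).items():
        print(f"{service:7} {finding}")
```

In the sample, SSH has no fallback, so administrators lose SSH access if the server group is unreachable, and Telnet is permitted from a subnet without any `aaa authentication` line for it.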