47-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 47 Configuring Device Administration Policies on Firewall Devices
About AAA on Security Devices
Configuring AAA - Authentication Tab
The AAA page presents three tabbed panels; the Authentication panel is presented when you navigate
to the AAA page. Use these options to control privileged access to the device console, to restrict access
by connection type, and to define access messages.
Use the Authorization Tab, page 47-6, to control the services and commands available to authenticated
users.
Use the Accounting Tab, page 47-7, to activate tracking of console traffic, providing a record of user
activity.
Navigation Path
(Device view) Select Platform > Device Admin > AAA from the Device Policy selector.
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > AAA from the Policy Type
selector. Select an existing policy from the Shared Policy selector, or create a new one.
Related Topics
About AAA on Security Devices, page 47-1
Configuring User Accounts, page 50-6
Using the Authentication Tab
Use the Authentication tab to enable authentication for administrator access to the security appliance.
The Authentication tab also lets you configure the prompts and messages a user sees when authenticated
by an AAA server.
The device will prompt for a user name and password before you can enter commands. If the
authentication server is offline, wait until the console login request times out. You can then access the
console with the firewall username and the enable password.
Field Reference
Table 47-2 Authentication Tab

| Element | Description |
|---|---|
| Require AAA Authentication to allow use of privileged commands | |
| Enable | Requires authentication from an AAA server to allow a user to access EXEC mode on the firewall. This option allows up to three attempts to access the firewall console. If this number is exceeded, an “access denied” message is displayed. When checked, the Server Group field is enabled. |
| Server Group | Enter or select the name of an AAA server to contact for user authentication. |
| Use LOCAL when server group fails | Check this box to use the LOCAL database as a backup if the selected server fails. (This option is not enabled until you provide a Server Group.) |
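An added example, not part of the Cisco guide: a Python check over an exported running configuration that reports, per console access type, which server group is used and whether the LOCAL fallback from the table above is set. It assumes these settings appear in the device configuration as `aaa authentication <type> console <group> [LOCAL]` lines; the sample configuration and the group name TACACS-ADMIN are constructed.

```python
import re

# Assumed CLI form: aaa authentication <type> console <group> [LOCAL]
AAA_RE = re.compile(
    r"^aaa authentication (enable|serial|ssh|telnet|http) console (\S+)(?: (LOCAL))?\s*$"
)

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname fw-example
aaa-server TACACS-ADMIN protocol tacacs+
aaa authentication enable console TACACS-ADMIN LOCAL
aaa authentication ssh console TACACS-ADMIN
aaa authentication serial console LOCAL
"""


def audit_console_auth(config_text):
    """Map each access type found to its server group and fallback state."""
    results = {}
    for raw in config_text.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue
        access, group, fallback = m.groups()
        if group == "LOCAL":
            finding = "LOCAL database only, no AAA server group"
        elif fallback:
            finding = "server group with LOCAL fallback"
        else:
            finding = "server group without LOCAL fallback"
        results[access] = {
            "group": group,
            "local_fallback": fallback is not None,
            "finding": finding,
        }
    return results


def enable_requires_aaa(results):
    """True when privileged (enable) access is tied to an AAA server group."""
    entry = results.get("enable")
    return entry is not None and entry["group"] != "LOCAL"


if __name__ == "__main__":
    report = audit_console_auth(SAMPLE_CONFIG)
    for access, entry in sorted(report.items()):
        print(f"{access:7s} {entry['group']:14s} {entry['finding']}")
    print("enable requires AAA:", enable_requires_aaa(report))
```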