Cisco 7609-S Configuration Guide - Page 535
Chapter 23 Configuring Management Access
AAA for System Administrators

Configuring Authentication to Access Privileged EXEC Mode

You can configure the FWSM to authenticate users with a AAA server or the local database when they enter the enable command. Alternatively, users are automatically authenticated with the local database when they enter the login command, which also accesses privileged EXEC mode depending on the user level in the local database.

This section includes the following topics:

• Configuring Authentication for the Enable Command, page 23-13
• Authenticating Users Using the Login Command, page 23-13

Configuring Authentication for the Enable Command

You can configure the FWSM to authenticate users when they enter the enable command. If you do not authenticate the enable command, then when you enter enable, the FWSM prompts for the enable password (set by the enable password command), and you are no longer logged in as a particular user. Applying authentication to the enable command maintains the username. This feature is particularly useful when you perform command authorization, where usernames are important to determine the commands a user can enter.

To authenticate users who enter the enable command, enter the following command:

hostname(config)# aaa authentication enable console {LOCAL | server_group [LOCAL]}

The user is prompted for the username and password.

If you use a TACACS+ or RADIUS server group for authentication, you can configure the FWSM to use the local database as a fallback method if the AAA server is unavailable. Specify the server group name followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and password in the local database as on the AAA server, because the FWSM prompt does not give any indication of which method is being used.

You can alternatively use the local database as your main method of authentication (with no fallback) by entering LOCAL alone.
Authenticating Users Using the Login Command

From user EXEC mode, you can log in as any username in the local database using the login command. Unlike enable authentication, this method is available in the system execution space in multiple context mode. The system execution space uses the admin context local user database when you enter the login command; the system configuration does not contain a local user database (you cannot enter the username command).

The login feature allows users to log in with their own username and password to access privileged EXEC mode, so you do not have to give out the system enable password to everyone.

To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the "Configuring Local Command Authorization" section on page 23-15 for more information.

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 23-13
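The following audit script is an added example, not part of the Cisco guide and not FWSM code: it reads a saved configuration and checks the points made in both sections above (whether enable authentication is configured, whether a server group has the case-sensitive LOCAL fallback, and whether any local user holds privilege 2 through 15 so that login grants privileged EXEC). The server group name MYTACACS, the usernames and the password hashes in the sample configuration are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Only the two line shapes this section discusses are parsed.
ENABLE_AUTH = re.compile(r"^aaa authentication enable console (\S+)(?: (\S+))?$")
USERNAME = re.compile(r"^username (\S+) password \S+(?: encrypted)?(?: privilege (\d+))?$")

# Constructed sample configuration (group name, users and hashes are made up).
CONSTRUCTED_CONFIG = """\
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.5
aaa authentication enable console MYTACACS LOCAL
username admin password x9Q7placeholder encrypted privilege 15
username ops password k2Lplaceholder encrypted privilege 5
username guest password r4Mplaceholder encrypted privilege 1
"""

@dataclass
class EnableAuthAudit:
    method: Optional[str] = None                          # "LOCAL", a server group, or None
    local_fallback: bool = False                          # True when LOCAL is used or is the fallback
    users: Dict[str, int] = field(default_factory=dict)   # username -> privilege level
    findings: List[str] = field(default_factory=list)

def audit_enable_auth(config: str) -> EnableAuthAudit:
    r = EnableAuthAudit()
    for raw in config.splitlines():
        m = ENABLE_AUTH.match(raw.strip())
        if m:
            r.method, fallback = m.group(1), m.group(2)
            r.local_fallback = r.method == "LOCAL" or fallback == "LOCAL"
            # LOCAL is case sensitive: "local" would be read as a server group name.
            for tok in (r.method, fallback):
                if tok and tok != "LOCAL" and tok.upper() == "LOCAL":
                    r.findings.append(f"'{tok}' is not the LOCAL keyword (case sensitive)")
            continue
        m = USERNAME.match(raw.strip())
        if m:  # privilege defaults to 2 when the keyword is omitted
            r.users[m.group(1)] = int(m.group(2)) if m.group(2) else 2
    if r.method is None:
        r.findings.append("enable authentication not configured: enable uses the shared "
                          "enable password and the username is lost")
    elif not r.local_fallback:
        r.findings.append(f"server group {r.method} has no LOCAL fallback for when the "
                          "AAA server is unavailable")
    if r.local_fallback and not any(2 <= p <= 15 for p in r.users.values()):
        r.findings.append("no local user has privilege 2-15; login cannot reach privileged EXEC")
    return r

if __name__ == "__main__":
    print(audit_enable_auth(CONSTRUCTED_CONFIG))
```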