40-16
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 40 Configuring Management Access
Configuring AAA for System Administrators
• If you enable Telnet or SSH authentication according to this section, you enter the username and password as defined on the AAA server or local user database. You access user EXEC mode.
To enter privileged EXEC mode after logging in, enter the enable command. How enable works depends on whether you enable authentication:
• If you do not configure enable authentication, enter the system enable password when you enter the enable command. However, if you do not use enable authentication, after you enter the enable command, you are no longer logged in as a particular user. To maintain your username, use enable authentication.
• If you configure enable authentication, the ASA prompts you for your username and password again. This feature is particularly useful when you perform command authorization, in which usernames are important in determining the commands that a user can enter.
For enable authentication using the local database, you can use the login command instead of the enable command. login maintains the username but requires no configuration to turn on authentication.
Comparing ASDM Access with and without Authentication
By default, you can log into ASDM with a blank username and the enable password. Note that if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.
If you configure HTTP authentication, you can no longer use ASDM with a blank username and the enable password.
Information About Command Authorization
This section describes command authorization and includes the following topics:
• Supported Command Authorization Methods, page 40-16
• About Preserving User Credentials, page 40-17
• Security Contexts and Command Authorization, page 40-17
Supported Command Authorization Methods
You can use one of two command authorization methods:
• Local privilege levels—Configure the command privilege levels on the ASA. When a local, RADIUS, or LDAP (if you map LDAP attributes to RADIUS attributes) user authenticates for CLI access, the ASA places that user in the privilege level that is defined by the local database, RADIUS, or LDAP server. The user can access commands at the assigned privilege level and below. Note that all users access user EXEC mode when they first log in (commands at level 0 or 1). The user needs to authenticate again with the enable command to access privileged EXEC mode (commands at level 2 or higher), or they can log in with the login command (local database only).
Note You can use local command authorization without any users in the local database and without CLI or enable authentication. Instead, when you enter the enable command, you enter the system enable password, and the ASA places you in level 15. You can then create enable passwords for every level, so that when you enter enable n (2 to 15), the ASA places you in level n. These levels are not used unless you enable local command authorization (see the “Configuring Local Command Authorization” section on page 40-22). (See the command reference for more information about the enable command.)
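The following script is an added example, not part of this guide and not Cisco code. It audits a running-config excerpt for the three management-access points made above: that enable authentication is needed to keep a username after the enable command (otherwise command authorization cannot tell users apart), that without HTTP authentication ASDM still accepts a blank username plus the enable password, and that per-level enable passwords do nothing unless local command authorization is turned on. It also shows the "assigned privilege level and below" rule by listing which privilege-level-tagged commands a given local user can reach. The command syntax (aaa authentication ... console, aaa authorization command, enable password ... level, username ... privilege, privilege ... level ... command) is the standard ASA CLI form and is assumed from general ASA knowledge rather than taken from this page; the two configuration texts are constructed, the passwords are placeholders, and the default username privilege of 2 is an assumption about ASA behaviour.

```python
"""Audit an ASA running-config excerpt for the AAA management-access settings
described in this section.  Added example; not Cisco's code.  Command syntax
follows the standard ASA CLI; the configs below are constructed samples."""
import re

# Constructed sample (not from the page): SSH authentication and command
# authorization are on, but enable and HTTP (ASDM) authentication are not.
WEAK_CONFIG = """\
hostname asa-lab
enable password PLACEHOLDER-15
enable password PLACEHOLDER-5 level 5
username netops password PLACEHOLDER privilege 5
username secadmin password PLACEHOLDER privilege 15
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
privilege show level 5 mode exec command running-config
privilege cmd level 5 mode exec command configure
privilege cmd level 15 mode exec command copy
"""

# Same sample with enable and HTTP authentication added, as the text advises.
HARDENED_CONFIG = WEAK_CONFIG + """\
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
"""

AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)")
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)")
ENABLE_RE = re.compile(r"^enable password \S+(?: level (\d+))?")
USER_RE = re.compile(r"^username (\S+) password \S+(?: encrypted)?(?: privilege (\d+))?")
PRIV_RE = re.compile(
    r"^privilege (?:show|clear|cmd|configure) level (\d+)(?: mode \S+)? command (\S+)")


def parse_config(text):
    """Pull the AAA-relevant lines out of a config into a small dict."""
    cfg = {"auth": {}, "cmd_authz": None, "enable_levels": set(),
           "users": {}, "commands": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := AUTH_RE.match(line):
            cfg["auth"][m.group(1)] = m.group(2)        # e.g. ssh -> LOCAL
        elif m := AUTHZ_RE.match(line):
            cfg["cmd_authz"] = m.group(1)               # server group for command authorization
        elif m := ENABLE_RE.match(line):
            cfg["enable_levels"].add(int(m.group(1) or 15))  # no 'level' keyword means level 15
        elif m := USER_RE.match(line):
            cfg["users"][m.group(1)] = int(m.group(2) or 2)  # assumed ASA default privilege: 2
        elif m := PRIV_RE.match(line):
            cfg["commands"][m.group(2)] = int(m.group(1))    # command -> required level
    return cfg


def audit(cfg):
    """Return (finding-id, explanation) pairs for the weaknesses this section describes."""
    findings = []
    cli_auth = any(k in cfg["auth"] for k in ("ssh", "telnet"))
    if cli_auth and "enable" not in cfg["auth"]:
        findings.append(("no-enable-auth",
                         "CLI login is authenticated, but 'enable' is not: after enable the "
                         "session no longer carries a username, so command authorization "
                         "cannot distinguish users. Add: aaa authentication enable console <group>"))
    if "http" not in cfg["auth"]:
        findings.append(("no-http-auth",
                         "ASDM still accepts a blank username with the enable password. "
                         "Add: aaa authentication http console <group>"))
    if cfg["enable_levels"] - {15} and cfg["cmd_authz"] is None:
        findings.append(("levels-without-cmd-authz",
                         "Per-level enable passwords exist but local command authorization is "
                         "off, so those levels are never used. Add: aaa authorization command LOCAL"))
    return findings


def reachable_commands(cfg, username):
    """Commands a local user can run once at their assigned level: that level and below."""
    level = cfg["users"][username]
    return {cmd for cmd, needed in cfg["commands"].items() if needed <= level}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = parse_config(text)
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for fid, why in audit(cfg):
            print(f"  [{fid}] {why}")
        for user in cfg["users"]:
            print(f"  {user} (level {cfg['users'][user]}) can reach: "
                  f"{sorted(reachable_commands(cfg, user))}")
```

Run it against a saved `show running-config` excerpt by reading the file into `parse_config`; the finding ids are stable so the script can feed a compliance check, and the level-15 default in `parse_config` mirrors the note above that an enable password without a level keyword is the level-15 password.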