Chapter 23 Configuring Management Access
AAA for System Administrators
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, page 23-11

• Authenticating Sessions from the Switch to the FWSM, page 23-11
• Enabling CLI or ASDM Authentication, page 23-12

CLI Access Overview

Before the FWSM can authenticate a Telnet or SSH user, you must first configure access to the FWSM using the telnet or ssh commands (see the "Allowing Telnet Access" section on page 23-1 and the "Allowing SSH Access" section on page 23-2). These commands identify the IP addresses that are allowed to communicate with the FWSM. The exception is access to the system execution space in multiple context mode: a session from the switch to the FWSM is a Telnet session, but the telnet command is not required.

After you connect to the FWSM, you log in and access user EXEC mode.

• If you do not enable any authentication for Telnet, you do not enter a username; you enter the login password (set with the password command). For SSH, you enter "pix" as the username and enter the login password.
• If you enable Telnet or SSH authentication according to this section, you enter the username and password as defined on the AAA server or in the local user database.

To enter privileged EXEC mode, enter the enable command or the login command (if you are using the local database only).

• If you do not configure enable authentication, enter the system enable password (set by the enable password command) when you enter the enable command. However, if you do not use enable authentication, after you enter the enable command you are no longer logged in as a particular user. To maintain your username, use enable authentication.
• If you configure enable authentication (see the "Configuring Authentication for the Enable Command" section on page 23-13), the FWSM prompts you for your username and password.

For authentication using the local database, you can use the login command, which maintains the username but requires no configuration to turn on authentication.

ASDM Access Overview

By default, you can log into ASDM with a blank username and the enable password set by the enable password command. However, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.

Although you can configure HTTP authentication according to this section and specify the local database, that functionality is always enabled by default. You should only configure HTTP authentication if you want to use a RADIUS or TACACS+ server for authentication.

Authenticating Sessions from the Switch to the FWSM

In multiple context mode, you cannot configure any AAA commands in the system configuration. However, if you configure Telnet authentication in the admin context, then authentication also applies to sessions from the switch to the FWSM (which enters the system execution space). The admin context AAA server or local user database is used in this instance.
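As an added illustration, not configuration taken from this guide, the following FWSM CLI fragment contrasts the default state described in the "CLI Access Overview" above (shared login password, fixed "pix" username for SSH, no username retained after enable) with the per-user setup that section and the "Authenticating Sessions from the Switch to the FWSM" section describe. The subnet 10.1.1.0/24, the interface name inside, the username admin and the bracketed password values are assumed placeholders.

```cisco
! --- Default state (added example; assumed values). Any host on the permitted
! --- subnet that knows the shared login password reaches user EXEC mode, SSH
! --- always logs in as "pix", and after "enable" no username is tied to the
! --- session, so actions cannot be attributed to an individual administrator.
telnet 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
password <login-password>
enable password <enable-password>

! --- Authenticated setup. Each administrator has a local database account,
! --- Telnet and SSH sessions must present those credentials, and enable
! --- authentication keeps the username after entering privileged EXEC mode.
username admin password <admin-password> privilege 15
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
! In multiple context mode, enter these commands in the admin context; the
! Telnet setting then also authenticates sessions from the switch into the
! system execution space. ASDM already checks the local database by default,
! so "aaa authentication http console" is only needed to point ASDM logins at a
! RADIUS or TACACS+ server group.
```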