Recovering From A Lockout - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 40
Managing System Access
Table 40-1 describes the show curpriv command output.

Table 40-1 show curpriv Display Description

Field: Username
Description: Username. If you are logged in as the default user, the name is enable_1 (user EXEC) or enable_15 (privileged EXEC).

Field: Current privilege level
Description: Level from 0 to 15. Unless you configure local command authorization and assign commands to intermediate privilege levels, levels 0 and 15 are the only levels that are used.

Field: Current Mode/s
Description: Shows the access modes:
P_UNPR—User EXEC mode (levels 0 and 1)
P_PRIV—Privileged EXEC mode (levels 2 to 15)
P_CONF—Configuration mode

Recovering from a Lockout

In some circumstances, when you turn on command authorization or CLI authentication, you can be locked out of the security appliance CLI. You can usually recover access by restarting the security appliance. However, if you already saved your configuration, you might be locked out. Table 40-2 lists the common lockout conditions and how you might recover from them.

Table 40-2 CLI Authentication and Command Authorization Lockout Scenarios

Feature: Local CLI authentication
Lockout condition: No users in the local database
Description: If you have no users in the local database, you cannot log in, and you cannot add any users.
Workaround (single mode): Log in and reset the passwords and AAA commands.
Workaround (multiple mode): Session into the security appliance from the switch. From the system execution space, you can change to the context and add a user.

Feature: TACACS+ command authorization; TACACS+ CLI authentication; RADIUS CLI authentication
Lockout condition: Server down or unreachable and you do not have the fallback method configured
Description: If the server is unreachable, then you cannot log in or enter any commands.
Workaround (single mode):
1. Log in and reset the passwords and AAA commands.
2. Configure the local database as a fallback method so you do not get locked out when the server is down.
Workaround (multiple mode):
1. If the server is unreachable because the network configuration is incorrect on the security appliance, session into the security appliance from the switch. From the system execution space, you can change to the context and reconfigure your network settings.
2. Configure the local database as a fallback method so you do not get locked out when the server is down.

Configuring AAA for System Administrators
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 40-15
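As an added example, not part of the Cisco guide, the following Python script checks an ASA configuration for the Table 40-2 lockout conditions before it is saved: every console authentication or command authorization line that names only an AAA server group with no LOCAL fallback is flagged, as is a LOCAL method with no local user defined. The two embedded configurations are constructed samples written in the ASA CLI syntax for `aaa-server`, `aaa authentication ... console`, `aaa authorization command` and `username`; the server-group name, IP address, key and password are placeholders.

```python
import re

# Constructed lockout-prone sample: every console authentication and
# command-authorization line names only the TACACS+ server group, with no
# LOCAL fallback, and no local user exists (placeholder address and key).
WEAK_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key PLACEHOLDER_KEY
aaa authentication ssh console TACACS
aaa authentication enable console TACACS
aaa authorization command TACACS
"""

# The same sample with the Table 40-2 workaround applied: LOCAL is listed as
# the fallback method and a privilege-15 local user exists (placeholder
# password).
HARDENED_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key PLACEHOLDER_KEY
username admin password PLACEHOLDER_PASSWORD privilege 15
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL
"""

# Matches "aaa authentication <type> console <methods>" and
# "aaa authorization command <methods>"; the method list is captured.
AAA_LINE = re.compile(
    r"^aaa (authentication \S+ console|authorization command) (?P<methods>.+)$"
)


def lockout_findings(config: str) -> list[str]:
    """Return one finding per AAA line that can lock an administrator out."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    has_local_user = any(line.startswith("username ") for line in lines)
    for line in lines:
        m = AAA_LINE.match(line)
        if not m:
            continue
        methods = m.group("methods").split()
        if "LOCAL" not in methods:
            findings.append(f"{line}: server group without LOCAL fallback")
        elif not has_local_user:
            findings.append(f"{line}: LOCAL method but no users in the local database")
    return findings
```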