Cisco ASA Series CLI Configuration Manual, page 876

Software version 9.0 for the services module
Chapter 1 Configuring AAA Servers and the Local Database
Configuring AAA

• Using LDAP Authentication, page 1-30
• Using TACACS+ Authentication, page 1-31

Using Local Authentication
Before you configure the service-type attribute and privilege level when using local authentication, you must create a user, assign a password, and assign a privilege level. To do so, enter the following command:
hostname(config)# username admin password mysecret123 privilege 15
In this example, mysecret123 is the stored password and 15 is the assigned privilege level, which indicates an admin user.
The available configuration options for the service-type attribute are the following:
• admin, in which users are allowed access to the configuration mode. This option also allows a user to connect via remote access.
• nas-prompt, in which users are allowed access to the EXEC mode.
• remote-access, in which users are allowed access to the network.
The following example designates a service-type of admin for a user named admin:
hostname(config)# username admin attributes
hostname(config-username)# service-type admin
The following example designates a service-type of remote-access for a user named ra-user:
hostname(config)# username ra-user attributes
hostname(config-username)# service-type remote-access

Using RADIUS Authentication
The RADIUS IETF service-type attribute, when sent in an access-accept message as the result of a RADIUS authentication and authorization request, designates which type of service is granted to the authenticated user. The supported attribute values are administrative(6), nas-prompt(7), Framed(2), and Login(1). For a list of supported RADIUS IETF attributes used for authentication and authorization, see Table 1-2 on page 1-5.
For more information about using RADIUS authentication, see the "Configuring an External RADIUS Server" section on page 1-25. For more information about configuring RADIUS authentication for Cisco Secure ACS, see the Cisco Secure ACS documentation on Cisco.com.
The RADIUS Cisco VSA privilege-level attribute (Vendor ID 3076, sub-ID 220), when sent in an access-accept message, designates the level of privilege for the user. For a list of supported RADIUS VSAs used for authorization, see Table 1-7 on page 1-27.

Using LDAP Authentication
When users are authenticated through LDAP, the native LDAP attributes and their values can be mapped to Cisco ASA attributes to provide specific authorization features. For the supported list of LDAP attributes used for authorization, see Table 1-8 on page 1-36.
You can use the LDAP attribute mapping feature for LDAP authorization. For examples of this feature, see the "Understanding Policy Enforcement of Permissions and Attributes" section on page 1-1.

Cisco ASA Series CLI Configuration Guide
1-30
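The "Using Local Authentication" and "Using RADIUS Authentication" subsections above describe the same role decision arriving by two routes: a local service-type and privilege level, or an IETF Service-Type attribute plus the Cisco privilege-level VSA in an Access-Accept. The following Python is an added example, not Cisco code or text from the guide. It decodes hand-constructed Access-Accept attribute lists (not captures from a real RADIUS server) carrying Service-Type (IETF type 6) and the Cisco VSA (Vendor-Specific type 26, vendor ID 3076, sub-ID 220), and prints the local-database commands from the page that would grant the same role. Two things are assumptions for this example rather than statements from the page: the mapping of the listed Service-Type values onto the three local service-type options (administrative to admin, nas-prompt to nas-prompt, Framed and Login to remote-access), and the encoding of the privilege-level value as a 4-byte integer. Every length field is checked so that a truncated or overlong attribute is rejected instead of being misread.

```python
"""Decode the RADIUS authorization attributes the ASA honours for user roles.

Added example, not Cisco code or text from the configuration guide. The
Access-Accept attribute lists below are constructed by hand, not captured
from a real RADIUS server.
"""
import struct

# IETF RADIUS attribute types (RFC 2865).
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
# Cisco VSA identifiers quoted on the page.
CISCO_VENDOR_ID = 3076
CISCO_PRIV_LEVEL = 220

# Service-Type values the page lists as supported. The role each selects is an
# assumption for this example, inferred from the local service-type options.
SERVICE_TYPE_ROLE = {
    6: "admin",          # administrative(6): configuration mode plus remote access
    7: "nas-prompt",     # nas-prompt(7): EXEC mode only
    2: "remote-access",  # Framed(2): network access
    1: "remote-access",  # Login(1): network access
}


class MalformedAttribute(ValueError):
    """Raised when a length field does not fit the data it describes."""


def parse_tlvs(data: bytes, start: int = 0):
    """Split (Type, Length, Value) triples; the Length byte counts the 2-byte header."""
    out, i = [], start
    while i < len(data):
        if len(data) - i < 2:
            raise MalformedAttribute("truncated header at offset %d" % i)
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise MalformedAttribute("bad length %d for type %d at offset %d" % (length, t, i))
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def decode_u32(value: bytes, what: str) -> int:
    """RADIUS integers are 4-byte big-endian; anything else is malformed."""
    if len(value) != 4:
        raise MalformedAttribute("%s must be a 4-byte integer, got %d bytes" % (what, len(value)))
    return struct.unpack("!I", value)[0]


def derive_role(attributes: bytes):
    """Return (role, privilege_level) implied by an Access-Accept attribute list.

    role is None when no Service-Type is present; privilege_level is None when
    no Cisco privilege-level VSA is present. Other vendors' VSAs and other
    Cisco sub-attributes are ignored.
    """
    role, priv = None, None
    for atype, value in parse_tlvs(attributes):
        if atype == SERVICE_TYPE:
            st = decode_u32(value, "Service-Type")
            role = SERVICE_TYPE_ROLE.get(st, "unsupported(%d)" % st)
        elif atype == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise MalformedAttribute("Vendor-Specific shorter than its vendor ID")
            if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
                continue
            # One VSA may carry several vendor sub-attributes (RFC 2865 section 5.26).
            for vtype, vdata in parse_tlvs(value, start=4):
                if vtype == CISCO_PRIV_LEVEL:
                    priv = decode_u32(vdata, "privilege-level")  # assumption: integer encoding
                    if not 0 <= priv <= 15:
                        raise MalformedAttribute("privilege-level %d outside 0-15" % priv)
    return role, priv


def local_equivalent(username: str, role: str, priv: int = None):
    """The local-database commands from the page that grant the same role."""
    lines = []
    if priv is not None:
        lines.append("username %s password <password> privilege %d" % (username, priv))
    lines += ["username %s attributes" % username, " service-type %s" % role]
    return lines


def attr(atype: int, value: bytes) -> bytes:
    """Encode one (Type, Length, Value) triple."""
    return bytes([atype, len(value) + 2]) + value


def cisco_vsa(vtype: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute holding one Cisco sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(vtype, value))


# Constructed samples (not captures from a server).
ADMIN_ACCEPT = attr(SERVICE_TYPE, struct.pack("!I", 6)) + cisco_vsa(CISCO_PRIV_LEVEL, struct.pack("!I", 15))
EXEC_ACCEPT = attr(SERVICE_TYPE, struct.pack("!I", 7))
FRAMED_ACCEPT = attr(SERVICE_TYPE, struct.pack("!I", 2))
TRUNCATED_ACCEPT = ADMIN_ACCEPT[:-1]  # the VSA length byte now overruns the data

if __name__ == "__main__":
    for name, blob in [("admin", ADMIN_ACCEPT), ("exec", EXEC_ACCEPT), ("framed", FRAMED_ACCEPT)]:
        role, priv = derive_role(blob)
        print(name, "->", role, priv, "|", "; ".join(local_equivalent("user", role, priv)))
    try:
        derive_role(TRUNCATED_ACCEPT)
    except MalformedAttribute as exc:
        print("truncated ->", exc)
```

The parser is deliberately strict: a Service-Type that is not exactly four bytes, a privilege level outside 0-15, or a length byte that runs past the buffer all raise rather than yielding a partial result, which is the behaviour you want from anything that turns server-supplied attributes into an authorization decision.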