topic yes you can but the problem in Network Security

securing console in multicontext mode (ASA)

Lewis Quin — Tue, 12 Mar 2019 05:33:18 GMT

Seeing as you cannot use AAA commands within the system exec space (when running an ASA in multi-context mode) how can you secure console access? I realize you can set the enable, but are there any other options to force login to console?.

Also do all contexts have to run the same OS version as the system exec?

You can force AAA or local

Collin Clark — Wed, 25 Feb 2015 14:33:51 GMT

You can force AAA or local login on the console-

aaa authentication serial console LOCAL

Yes all the contexts must run the same version.

but you cannot use AAA

Lewis Quin — Wed, 25 Feb 2015 14:35:47 GMT

but you cannot use AAA commands from within the system exec space? only the contexts, so how to you secure console access to system

The system execution space

Collin Clark — Wed, 25 Feb 2015 14:39:25 GMT

The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

okay, so I have found that

Lewis Quin — Wed, 25 Feb 2015 14:53:37 GMT

okay, so I have found that you can secure the appliance console access by using AAA from the admin context, however if you do this it uses the local userames stored within admin and not those created in sys exec space.

You can create local username

Collin Clark — Wed, 25 Feb 2015 14:57:49 GMT

You can create local username/password in the system execution space as well.

yes you can but the problem

Lewis Quin — Wed, 25 Feb 2015 15:06:09 GMT

yes you can but the problem is this:

To require a username and password for the serial interface (console) of the ASA you have to issue the 'aaa authentication serial console LOCAL' command in the admin context (as it doesnt not exist in the sys exec space), and if you do this the serial connection looks to the admin context local user database to authenticate the serial connections (and not the system exec user database.)

so while you are correct in that you can create local users in the system exec space, they are not used to authenticate the local console connection, as it appears to use the admin context local user database.