ASA Multiple Context AAA local user account

johnlloyd_13
Level 9

Hi,

I will 'break' an ASA in multiple mode in an active/standby setup.

I will first bring the secondary ASA to the new DC and leave the primary/active ASA in the old DC.

The secondary ASA would still use the old MGMT IP and will be accessed via an OOB server/console.

The MGMT IP for the ASA active/standby cluster will be changed once both units are in the new DC.

My question is: could I still manage the secondary ASA in the new DC using the AAA fallback 'local' user and access all the contexts via the OOB server console?

Do I need the local user and enable password configured in the 'system' context to avoid being locked out?

Or are these configured just in the 'admin' context?

1 Reply

Milos_Jovanovic
VIP Alumni

Hi @johnlloyd_13,

If I understand correctly, you will have 2 deployments: one with the primary/active unit in the existing DC, and another that you are moving to the secondary DC. If this is the case, then the two devices are behaving as two independent devices, and you'll need to have AAA settings on the secondary device too. Depending on your configuration (using aaa-server or not), yes, you can still use a local user account.

Regarding access to the OOB address, this can be a bit tricky. Assuming that it is a routable network even in the other DC, if you plan to keep the same addresses used currently, then when the new cluster comes up and figures out that it doesn't detect an active mate (since no HA link is active), the secondary device will become active too, meaning that it will take the active mgmt IP (leaving you with 2 devices using the same IP). The same would go for all interfaces (data plane), unless you control this (like shutting down the neighbouring ports). I would think about this approach a bit more before deciding to do it this way.

The admin context provides you the possibility for remote management, so if you plan to use SSH or ASDM access, yes, you'll need to create the user under the admin context. Once in the admin context remotely, you can shift between contexts, so you don't really need another user (unless you want other contexts to be directly accessible). However, if on the console, you are going to the system execution space, and there you need to authenticate too. I can't really remember off the top of my head, but I believe the enable password is enough here.

BR,

Milos
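As an added illustration of the layout described in the reply above (this is not part of the original thread and has not been verified against the poster's deployment): an ASA multiple-mode configuration skeleton showing where the enable password and the local fallback user would live. The context name "CTX1", the interface name "management", the server address 192.0.2.10, the subnet 192.0.2.0/24, the aaa-server group name "TACACS", the username "fallbackadmin" and all passwords/keys are placeholders chosen for the example, not values from the post.

```text
! --- System execution space (where the console lands; also 'changeto system') ---
! Placeholder password. The reply above states the belief that this is what
! the console login into the system space checks; the thread does not confirm it.
enable password <SystemEnablePassword>
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
! --- Admin context (remote SSH/ASDM management lands here) ---
changeto context admin
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.20 255.255.255.0
!
! Local account used when the AAA server cannot be reached (the 'LOCAL' fallback)
username fallbackadmin password <LocalPassword> privilege 15
!
! Placeholder AAA server reached over the management interface
aaa-server TACACS protocol tacacs+
aaa-server TACACS (management) host 192.0.2.10
 key <SharedSecret>
!
! Server first, then the LOCAL user database if the server is unreachable
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
!
! Restrict SSH to the OOB management subnet (placeholder addresses)
ssh 192.0.2.0 255.255.255.0 management
!
! Once logged into the admin context remotely, other contexts are reached
! with changeto and need no separate login
changeto context CTX1
```

The point of the fragment is the split the reply makes: the enable password belongs to the system execution space, while the username and the `aaa authentication ... LOCAL` fallback belong to the admin context that terminates SSH/ASDM. Whether the system-space console login is satisfied by the enable password alone is stated in the reply as a recollection, so test it on the secondary unit while a working session is still open, before the HA link is broken.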
