
securing console in multicontext mode (ASA)

Lewis Quin
Level 1

Seeing as you cannot use AAA commands within the system exec space (when running an ASA in multi-context mode), how can you secure console access? I realize you can set the enable, but are there any other options to force login to console?

Also do all contexts have to run the same OS version as the system exec?

6 Replies

Collin Clark
VIP Alumni

You can force AAA or local login on the console:

aaa authentication serial console LOCAL

Yes, all the contexts must run the same version.

But you cannot use AAA commands from within the system exec space? Only the contexts, so how do you secure console access to system?

The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

Okay, so I have found that you can secure the appliance console access by using AAA from the admin context; however, if you do this it uses the local usernames stored within admin and not those created in sys exec space.

You can create local username/password in the system execution space as well.

Yes, you can, but the problem is this:

To require a username and password for the serial interface (console) of the ASA you have to issue the 'aaa authentication serial console LOCAL' command in the admin context (as it does not exist in the sys exec space), and if you do this the serial connection looks to the admin context local user database to authenticate the serial connections (and not the system exec user database).

So while you are correct in that you can create local users in the system exec space, they are not used to authenticate the local console connection, as it appears to use the admin context local user database.
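
A configuration check built on the behaviour described in the last reply, added here as an example and not posted by anyone in the thread: it audits the admin context's configuration text for enforced serial console login, since that context's user database is the one the console consults. The function name `audit_console_auth` and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample: excerpt of the *admin context* configuration.
ADMIN_CTX_OK = """\
hostname admin
username netops password CONSTRUCTED-HASH encrypted privilege 15
aaa authentication serial console LOCAL
"""
# Constructed sample: system execution space config. It has a user, but
# per the thread that user is not consulted for serial console logins.
SYSTEM_EXEC = """\
hostname asa-sys
username sysuser password CONSTRUCTED-HASH encrypted privilege 15
admin-context admin
"""

AAA_RE = re.compile(
    r"^aaa authentication serial console (\S+)(?: (LOCAL))?\s*$", re.M)
USER_RE = re.compile(r"^username (\S+) (?:password \S+|nopassword)", re.M)

def audit_console_auth(admin_cfg):
    """Return findings for one config text; an empty list means the
    serial console requires a per-user login that can actually succeed."""
    m = AAA_RE.search(admin_cfg)
    if not m:
        return ["no 'aaa authentication serial console' line: "
                "console is not protected by a per-user login"]
    findings = []
    method, fallback = m.group(1), m.group(2)
    users = USER_RE.findall(admin_cfg)
    # LOCAL as primary method or as fallback needs users in this context.
    if "LOCAL" in (method, fallback) and not users:
        findings.append("LOCAL is referenced but no usernames are defined here")
    # A server group must be declared with 'aaa-server <group> protocol ...'.
    if method != "LOCAL" and not re.search(
            rf"^aaa-server {re.escape(method)} protocol \S+", admin_cfg, re.M):
        findings.append(f"server group '{method}' is not defined here")
    for name in re.findall(r"^username (\S+) nopassword", admin_cfg, re.M):
        findings.append(f"user '{name}' has no password")
    return findings

if __name__ == "__main__":
    for label, cfg in (("admin", ADMIN_CTX_OK), ("system", SYSTEM_EXEC)):
        print(label, audit_console_auth(cfg) or "OK")
```

Run it against the admin context's configuration; feeding it the system execution space configuration reports the console as unprotected even when usernames exist there, which matches what the thread observed.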
