
How to recover from Authentication and Command Authorization Lockouts on ASA

Lockout Scenarios and Workarounds

In some circumstances, when you turn on command authorization or CLI authentication, you can be locked out of the security appliance CLI. You can usually recover access by restarting the security appliance, because an unsaved configuration is discarded on reload. However, if you already saved the configuration, the lockout survives the restart and you need one of the workarounds below.

The following scenarios list, for each feature, the condition that causes the lockout, what you observe, and the workaround in single mode and in multiple (context) mode.

Feature: Local CLI authentication
Lockout condition: No users in the local database.
Description: If you have no users in the local database, you cannot log in, and you cannot add any users.
Workaround, single mode: Log in and reset the passwords and aaa commands.
Workaround, multiple mode: Session into the security appliance from the switch. From the system execution space, you can change to the context and add a user.

Feature: TACACS+ command authorization, TACACS+ CLI authentication, RADIUS CLI authentication
Lockout condition: Server down or unreachable and you do not have the fallback method configured.
Description: If the server is unreachable, then you cannot log in or enter any commands.
Workaround, single mode:
1. Log in and reset the passwords and aaa commands.
2. Configure the local database as a fallback method so you do not get locked out when the server is down.
Workaround, multiple mode:
1. If the server is unreachable because the network configuration is incorrect on the security appliance, session into the security appliance from the switch. From the system execution space, you can change to the context and reconfigure your network settings.
2. Configure the local database as a fallback method so you do not get locked out when the server is down.

Feature: TACACS+ command authorization
Lockout condition: You are logged in as a user without enough privileges or as a user that does not exist.
Description: You enable command authorization, but then find that the user cannot enter any more commands.
Workaround, single mode: Fix the TACACS+ server user account. If you do not have access to the TACACS+ server and you need to configure the security appliance immediately, then log into the maintenance partition and reset the passwords and aaa commands.
Workaround, multiple mode: Session into the security appliance from the switch. From the system execution space, you can change to the context and complete the configuration changes. You can also disable command authorization until you fix the TACACS+ configuration.

Feature: Local command authorization
Lockout condition: You are logged in as a user without enough privileges.
Description: You enable command authorization, but then find that the user cannot enter any more commands.
Workaround, single mode: Log in and reset the passwords and aaa commands.
Workaround, multiple mode: Session into the security appliance from the switch. From the system execution space, you can change to the context and change the user level.
Viewing the Logged-In User

To view the current logged-in user, enter the following command:

hostname# show curpriv

See the following sample show curpriv command output. A description of each field follows.

hostname# show curpriv
Username : admin
Current privilege level : 15
Current Mode/s : P_PRIV
Field: Username
Description: Username. If you are logged in as the default user, the name is enable_1 (user EXEC) or enable_15 (privileged EXEC).

Field: Current privilege level
Description: Level from 0 to 15. Unless you configure local command authorization and assign commands to intermediate privilege levels, levels 0 and 15 are the only levels that are used.

Field: Current Mode/s
Description: Shows the access modes:
P_UNPR: User EXEC mode (levels 0 and 1)
P_PRIV: Privileged EXEC mode (levels 2 to 15)
P_CONF: Configuration mode
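As an added example that is not from the original page, the fragment below configures local command authorization with an intermediate privilege level, the case in which show curpriv reports a level other than 0 or 15. The account name ops, the chosen level 5, the command assigned to that level and all passwords are assumptions for this example; confirm the exact privilege command forms against the reference for your software release.

```text
! Local command authorization with an intermediate level. An operator who
! logs in as "ops" sees "Current privilege level : 5" in show curpriv.
enable password <enable-placeholder> level 15
username ops password <password-placeholder> privilege 5
privilege show level 5 command access-list
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
! Before applying the last line, run "show curpriv" in the session you are
! using and confirm it reports level 15. A session below 15 loses access to
! configuration commands the moment local command authorization is enabled
! (the "Local command authorization" row of the lockout table).
```

With this configuration the ops account can run show access-list but not configuration commands, while admin-level accounts retain full access, so enabling authorization from a level 15 session does not lock that session out.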