Console Access Authentication

The final type of AAA authentication is for direct connections to the Cisco Security
Appliance. It is very important to restrict access to the firewall as much as possible. One way
to increase your firewall’s security is to require all access to the firewall to be authenticated
by an AAA server. Console access is traditionally password protected; however, the aaa
authentication console command prompts the user to authenticate differently, depending on
the method used to access the Security Appliance:
■ serial—Causes the user to be prompted before the first command of the command-line
prompt when connecting directly to the firewall via a serial cable. Users are continually
prompted until they successfully log in.
■ telnet—Causes the user to be prompted before the first command-line prompt when
attempting a Telnet session to the CLI. Users are continually prompted until they
successfully log in.
■ ssh—Causes the user to be prompted before the first command-line prompt when
attempting a Secure Shell (SSH) session to the CLI. If users are unable to successfully
authenticate within three attempts, they are disconnected and receive the message
“Rejected by Server.”
■ http—This option is selected when you use the Adaptive Security Device Manager
(ASDM, formerly PIX Device Manager) to manage your Security Appliance. ASDM users see
a pop-up login window in their browser. Users are continually prompted until they
successfully log in.
■ enable—With this option, the Security Appliance requires AAA server authentication to
enter privileged mode. The enable option prompts the user for a username and password
before entering privileged mode for serial, Telnet, and SSH connections. If users are
unable to successfully authenticate after three attempts, they see the “Access Denied”
message.
NOTE By default, the ASDM can access the Security Appliance with no username and
the enable password unless the aaa authentication http console group-tag command is set.
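The configuration below is added here as an illustration and is not taken from the book; it ties all five console access methods described above to one AAA server group. The server-group name, host address, shared key and fallback username are assumptions, and the syntax is the PIX/ASA 7.x form, in which the trailing LOCAL keyword lets the local user database answer only when the AAA servers are unreachable, so a server outage cannot lock administrators out.

```cisco
! Added example (not from the book): require AAA authentication for every
! path into the Security Appliance, with LOCAL as the fallback method.
! Group name, address, key and username are assumed placeholder values.

! 1. Define the AAA server group and the TACACS+ host it contains
aaa-server ADMIN-TACACS protocol tacacs+
aaa-server ADMIN-TACACS (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
 timeout 5

! 2. One local account, used only if the ADMIN-TACACS group does not respond
username fallback-admin password PLACEHOLDER-PASSWORD privilege 15

! 3. Authenticate each console access method (serial, telnet, ssh, http)
!    against the server group, falling back to LOCAL if no server answers
aaa authentication serial console ADMIN-TACACS LOCAL
aaa authentication telnet console ADMIN-TACACS LOCAL
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication http console ADMIN-TACACS LOCAL

! 4. Also require AAA authentication to enter privileged mode; without this
!    line the enable password alone still grants privileged access
aaa authentication enable console ADMIN-TACACS LOCAL

! 5. Verify what is in effect before closing the session used to apply it
show running-config aaa
```

Keep the session that applied these commands open and test a second login over SSH and ASDM before saving, so a mistyped group name or key shows up while you can still correct it.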