Specifications

ManualsBrandsCisco ManualsHome building and DecorPIX 525

491

492

493

494

495

496

497

498

499

500

30-15

Cisco Security Appliance Command Line Configuration Guide

OL-6721-01

Chapter 30 Managing System Access

Authenticating and Authorizing System Administrators

Recovering from a Lockout

In some circumstances, when you turn on command authorization or CLI authentication, you can be

locked out of the security appliance CLI. You can usually recover access by restarting the security

appliance. However, if you already saved your configuration, you might be locked out. Table 30-2 lists

the common lockout conditions and how you might recover from them.

Table 30-2 CLI Authentication and Command Authorization Lockout Scenarios

Feature Lockout Condition Description Workaround: Single Mode Workaround: Multiple Mode

Local CLI

authentication

No users in the

local database

If you have no users in

the local database, you

cannot log in, and you

cannot add any users.

passwords and aaa

commands.

Session into the security

appliance from the switch.

From the system execution

space, you can change to the

context and add a user.

TACACS+

command

authorization

TACACS+ CLI

authentication

RADIUS CLI

authentication

Server down or

unreachable and

you do not have

the fallback

method

configured

If the server is

unreachable, then you

cannot log in or enter

any commands.

1. Log in and reset the

passwords and AAA

commands.

2. Configure the local

database as a fallback

method so you do not

get locked out when the

server is down.

1. If the server is

unreachable because the

network configuration

is incorrect on the

security appliance,

session into the security

appliance from the

switch. From the system

execution space, you

can change to the

context and reconfigure

your network settings.

2. Configure the local

database as a fallback

method so you do not

get locked out when the

server is down.

TACACS+

command

authorization

You are logged in

as a user without

enough privileges

or as a user that

does not exist

You enable command

authorization, but then

find that the user

cannot enter any more

commands.

Fix the TACACS+ server

user account.

If you do not have access to

the TACACS+ server and

you need to configure the

security appliance

immediately, then log into

the maintenance partition

and reset the passwords and

aaa commands.

Session into the security

appliance from the switch.

From the system execution

space, you can change to the

context and complete the

configuration changes. You

can also disable command

authorization until you fix

the TACACS+

configuration.

Local command

authorization

You are logged in

as a user without

enough privileges

You enable command

authorization, but then

find that the user

cannot enter any more

commands.

passwords and aaa

commands.

Session into the security

appliance from the switch.

From the system execution

space, you can change to the

context and change the user

level.