Setting a management session quota – Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 37 Configuring Management Access

Configuring AAA for System Administrators

Table 37-2 CLI Authentication and Command Authorization Lockout Scenarios (continued)

| Feature | Lockout Condition | Description | Workaround: Single Mode | Workaround: Multiple Mode |
|---|---|---|---|---|
| TACACS+ command authorization | You are logged in as a user without enough privileges or as a user that does not exist | You enable command authorization, but then find that the user cannot enter any more commands. | Fix the TACACS+ server user account. If you do not have access to the TACACS+ server and you need to configure the ASA immediately, then log into the maintenance partition and reset the passwords and aaa commands. | Session into the ASA from the switch. From the system execution space, you can change to the context and complete the configuration changes. You can also disable command authorization until you fix the TACACS+ configuration. |
| Local command authorization | You are logged in as a user without enough privileges | You enable command authorization, but then find that the user cannot enter any more commands. | Log in and reset the passwords and aaa commands. | Session into the ASA from the switch. From the system execution space, you can change to the context and change the user level. |

Setting a Management Session Quota

An administrator can establish a maximum number of simultaneous management sessions. If the
maximum is reached, no additional sessions are allowed and a syslog message is generated. To prevent
a system lockout, the management session quota mechanism cannot block a console session.

To set a management session maximum, enter the following command:

| Command | Purpose |
|---|---|
| quota management-session number (Example: hostname(config)# quota management-session 1000) | Sets the maximum number of simultaneous ASDM, SSH, and Telnet sessions that are allowed on the ASA. The no form of this command sets the quota value to 0, which means that there is no session limit. |
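An added example, not from the Cisco guide: a Python check over a saved running-config that reports the effective management session quota and flags the no-limit case while ASDM, SSH, or Telnet access is enabled. The sample config is constructed, policy_max is a hypothetical site threshold, and treating a missing quota command as no limit is an assumption.

```python
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
http server enable
http 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
quota management-session 1000
"""

QUOTA_RE = re.compile(r"^(no\s+)?quota management-session(?:\s+(\d+))?\s*$")
# Commands that open the remote management paths the quota covers.
MGMT_RE = {
    "ASDM": re.compile(r"^http server enable\b"),
    "SSH": re.compile(r"^ssh \d+\.\d+\.\d+\.\d+ "),
    "Telnet": re.compile(r"^telnet \d+\.\d+\.\d+\.\d+ "),
}

def audit_quota(config_text, policy_max=5):
    """Return (effective_quota, enabled_protocols, findings).

    policy_max is a hypothetical site policy ceiling, not a Cisco value.
    A missing quota command is treated as 0 (no limit); that is an assumption.
    """
    quota, enabled = 0, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = QUOTA_RE.match(line)
        if m:
            # The "no" form sets the quota to 0; this script lets a later
            # line override an earlier one.
            quota = 0 if m.group(1) else int(m.group(2) or 0)
            continue
        for name, rx in MGMT_RE.items():
            if rx.match(line):
                enabled.add(name)
    findings = []
    if enabled and quota == 0:
        findings.append("no session limit while %s enabled" % ", ".join(sorted(enabled)))
    elif quota > policy_max:
        findings.append("quota %d exceeds policy ceiling %d" % (quota, policy_max))
    return quota, sorted(enabled), findings

if __name__ == "__main__":
    print(audit_quota(SAMPLE_CONFIG))
```

Console access is not examined because, as stated above, the quota never blocks a console session.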
