Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter35 Configuring AAA Servers and the Local Database
Configuring AAA
Step 1

Command:
    username username {nopassword | password password [mschap]} [privilege priv_level]

Example:
    hostname(config)# username exampleuser1 privilege 1

Purpose:
Creates the user account. The username username keyword is a string from 4 to 64 characters long.

Note: The ASA does not prohibit the creation of usernames that only differ by case from previously configured usernames. We do not recommend this practice if VPN users are authenticated using the local user database. Usernames such as “User1” and “user1” are still distinct for authentication purposes, but if a maximum simultaneous login limit has been configured, these users share the same session count. This makes it possible for “user1” to log off “User1” by establishing a tunnel that exceeds the simultaneous login limit.

The password password argument is a string from 3 to 32 characters long. The mschap keyword specifies that the password is converted to Unicode and hashed using MD4 after you enter it. Use this keyword if users are authenticated using MS-CHAPv1 or MS-CHAPv2. The privilege priv_level argument sets the privilege level, which ranges from 0 to 15. The default is 2. This privilege level is used with command authorization.

Caution: If you do not use command authorization (the aaa authorization console LOCAL command), then the default level 2 allows management access to privileged EXEC mode. To limit access to privileged EXEC mode, either set the privilege level to 0 or 1, or use the service-type command (see Step 5).

The nopassword keyword creates a user account with no password.

The encrypted and nt-encrypted keywords are typically for display only. When you define a password in the username command, the ASA encrypts it when it saves it to the configuration for security purposes. When you enter the show running-config command, the username command does not show the actual password; it shows the encrypted password followed by the encrypted keyword (or the nt-encrypted keyword when you specify mschap). For example, if you enter the password “test,” the show running-config output would appear as something similar to the following:

    username user1 password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted

The only time you would actually enter the encrypted or nt-encrypted keyword at the CLI is if you are cutting and pasting a configuration file for use in another ASA, and you are using the same password.
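As an added example (not part of the Cisco guide), a small Python audit of the username lines in a saved configuration that flags the three risks this step describes: nopassword accounts, accounts whose privilege level (explicit, or the default 2) allows privileged EXEC mode when command authorization is not enabled, and usernames that differ only by case. The sample configuration and the parse_usernames/audit_usernames functions are constructed for this example; whether command authorization is enabled is passed in as a flag rather than parsed, and only the nt-encrypted string is the one shown in the guide's output.

```python
import re
from collections import defaultdict

DEFAULT_PRIVILEGE = 2  # per the guide: privilege ranges 0-15, default 2

# username line forms described above: "nopassword" or "password <string>",
# optional display-only "encrypted"/"nt-encrypted", optional "privilege N".
USERNAME_RE = re.compile(
    r"^username (?P<name>\S+) "
    r"(?:(?P<nopw>nopassword)|password (?P<pw>\S+)(?: (?P<enc>encrypted|nt-encrypted))?)"
    r"(?: privilege (?P<priv>\d+))?$")

# Constructed sample config; only the nt-encrypted string is the guide's own.
SAMPLE_CONFIG = """\
hostname asa-lab
username user1 password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
username User1 password Zm9vYmFyYmF6cXV4 encrypted privilege 15
username helpdesk nopassword privilege 1
username auditor password Zm9vYmFyYmF6cXV4 encrypted privilege 1
"""

def parse_usernames(config_text):
    """Return one dict per username line: name, nopassword, encoding, privilege."""
    users = []
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users.append({"name": m.group("name"),
                          "nopassword": m.group("nopw") is not None,
                          "encoding": m.group("enc"),  # None/encrypted/nt-encrypted
                          "privilege": int(m.group("priv") or DEFAULT_PRIVILEGE)})
    return users

def audit_usernames(config_text, command_authorization=False):
    """Return (username, finding) pairs for the risks the guide calls out."""
    findings, by_lower = [], defaultdict(list)
    for u in parse_usernames(config_text):
        by_lower[u["name"].lower()].append(u["name"])
        if u["nopassword"]:
            findings.append((u["name"], "account has no password"))
        if u["privilege"] >= 2 and not command_authorization:  # the Caution above
            findings.append((u["name"], "privilege %d without command authorization "
                             "allows privileged EXEC mode" % u["privilege"]))
    for names in by_lower.values():  # the Note above: case-only duplicates
        for n in (names if len(names) > 1 else []):
            others = ", ".join(x for x in names if x != n)
            findings.append((n, "differs only by case from %s; shares the "
                             "simultaneous-login session count" % others))
    return findings
```

Run audit_usernames over the text of show running-config; user1 is reported even though its line carries no privilege keyword, because the guide's default of 2 applies.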