35-25
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter35 Configuring AAA Servers and the Local Database
Configuring AAA
Examples
The following example assigns a privilege level of 15 to the admin user account:
hostname(config)# username admin password password privilege 15
The following example creates a user account with no password:
hostname(config)# username user34 nopassword
The following example enables management authorization, creates a user account with a password,
enters username attributes configuration mode, and specifies the service-type attribute:
hostname(config)# aaa authorization exec authentication-server
hostname(config)# username user1 password gOgeOus
hostname(config)# username user1 attributes
hostname(config-username)# service-type nas-prompt
Managing User Passwords
The ASA enables administrators with the necessary privileges to modify password policy for users in
the current context.
User passwords have the following guidelines:
A maximum lifetime of 0 to 65536 days.
A minimum length of 3 to 64 characters.
A minimum number of changed characters for updates of 0 to 64 characters.
They may include lower case characters.
Step4 service-type {admin | nas-prompt |
remote-access}
Example:
hostname(config-username)# service-type
admin
(Optional) Configures the user level if you configured
management authorization in Step 2. The admin keyword allows
full access to any services specified by the aaa authentication
console LOCAL commands. The admin keyword is the default.
The nas-prompt keyword allows access to the CLI when you
configure the aaa authentication {telnet | ssh | serial} console
LOCAL command, but denies ASDM configuration access if you
configure the aaa authentication http console LOCAL
command. ASDM monitoring access is allowed. If you enable
authentication with the aaa authentication enable console
LOCAL command, the user cannot access privileged EXEC mode
using the enable command (or the login command).
The remote-access keyword denies management access. The user
cannot use any services specified by the aaa authentication
console LOCAL commands (excluding the serial keyword; serial
access is allowed).
(Optional) If you are using this username for VPN authentication,
you can configure many VPN attributes for the user. For more
information, see the “Configuring Attributes for Specific Users”
section on page67-79.
Command Purpose