38-24
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 38 Configuring AAA Servers and the Local Database
Configuring AAA
use SSH, Telnet, and the console port. The user cannot use ASDM for configuration (if you
configure HTTP authentication). ASDM monitoring is allowed. If you also configure enable
authentication, then the user cannot access global configuration mode.
No ASDM, SSH, Telnet, or console access—If you configure authentication for management
access using the local database (see the “Configuring Authentication for CLI, ASDM, and enable
command Access” section on page 40-20), then this option disallows the user from accessing any
management access method for which you configured authentication (excluding the Serial option;
serial access is allowed).
Step 8 If you want to configure VPN policy attributes for this user, see the “Configuring VPN Policy Attributes
for a User” section on page 38-24.
Step 9 Click Apply.
The user is added to the local ASA database, and the changes are saved to the running configuration.
Tip: You can search for specific text in each column of the Configuration > Device Management >
Users/AAA > User Accounts pane. Enter the specific text that you want to locate in the Find box,
then click the Up or Down arrow. You can also use the asterisk (“*”) and question mark (“?”) as
wildcard characters in the text search.
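The access-restriction options above can be audited from the CLI side. This is an added example, not part of the Cisco guide: it parses `show running-config username` output and lists VPN users whose accounts can still authenticate to a management method. It assumes the CLI `service-type` keywords `admin`, `nas-prompt` and `remote-access` correspond to the three ASDM options and that an account with no `service-type` line has the default, `admin`; the sample configuration, user names, group policy name and hashes are constructed.

```python
import re

# Constructed sample of `show running-config username` output (placeholder hashes).
SAMPLE_CONFIG = """\
username admin password PLACEHOLDERHASH1 encrypted privilege 15
username helpdesk password PLACEHOLDERHASH2 encrypted privilege 5
username helpdesk attributes
 service-type nas-prompt
username vpnuser1 password PLACEHOLDERHASH3 encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy RA-POLICY
 service-type remote-access
username contractor password PLACEHOLDERHASH4 encrypted
username contractor attributes
 vpn-group-policy RA-POLICY
"""

# CLI service-type keyword -> ASDM access restriction option (assumed mapping)
ACCESS = {
    "admin": "Full access (ASDM, SSH, Telnet, console)",
    "nas-prompt": "CLI login prompt (SSH, Telnet, console; ASDM monitoring only)",
    "remote-access": "No ASDM, SSH, Telnet, or console access",
}

def parse_users(config):
    """Return {username: {"service_type": ..., "group_policy": ...}}."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"username (\S+) (password|nopassword|attributes)\b", line)
        if m:
            # No service-type line means the default, assumed here to be "admin".
            entry = users.setdefault(
                m.group(1), {"service_type": "admin", "group_policy": None})
            current = entry if m.group(2) == "attributes" else None
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key == "service-type":
                current["service_type"] = value
            elif key == "vpn-group-policy":
                current["group_policy"] = value
        else:
            current = None
    return users

def vpn_users_with_mgmt_access(config):
    """VPN users who are not restricted to remote-access only."""
    return sorted(name for name, u in parse_users(config).items()
                  if u["group_policy"] and u["service_type"] != "remote-access")

if __name__ == "__main__":
    for name, u in parse_users(SAMPLE_CONFIG).items():
        print(f"{name:12} {ACCESS.get(u['service_type'], u['service_type'])}")
    print("review:", vpn_users_with_mgmt_access(SAMPLE_CONFIG))
```

A flagged account matters only for management methods that authenticate against the local database, as the option description above notes.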
Configuring VPN Policy Attributes for a User
By default, each user inherits the settings set in the VPN policy.
To override the settings, you can customize VPN attributes by performing the following steps:
Detailed Steps
Step 1 If you have not already added a user according to the “Adding a User” section on page 38-23, from the
Configuration > Device Management > Users/AAA > User Accounts pane, click Add.
The Add User Account-Identity dialog box appears.
Step 2 In the left-hand pane, click VPN Policy.
By default, the Inherit check box is checked for each option, which means the user account inherits the
settings from the VPN policy. To override each setting, uncheck the Inherit check box, and enter a new
value:
a. Choose a group policy from the list.
b. Specify which tunneling protocols are available for use, or whether the value is inherited from the
group policy. Check the desired Tunneling Protocols check boxes to choose the VPN tunneling
protocols that are available for use. Only the selected protocols are available for use. The choices
are as follows:
IPsec provides the most complete architecture for VPN tunnels, and it is perceived as the most
secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections
can use IPsec.