Chapter 12 Configuring AAA Servers and User Accounts

Configuring the Local Database

User Profiles

User profiles contain, at a minimum, a username. Typically, a password is assigned to each username, although passwords are optional. You can add other information to a specific user profile. The information you can add includes VPN-related attributes, such as a VPN session timeout value.

Fallback Support

The local database can act as a fallback method for several functions. This behavior is designed to help you prevent accidental lockout from the security appliance.

For users who need fallback support, we recommend that their usernames and passwords in the local database match their usernames and passwords in the AAA servers. This provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different than the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.

The local database supports the following fallback functions:

Console and enable password authentication—If the servers in the group all are unavailable, the security appliance uses the local database to authenticate administrative access. This can include enable password authentication, too.

Command authorization—If the TACACS+ servers in the group all are unavailable, the local database is used to authorize commands based on privilege levels.

VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the security appliance if AAA servers that normally support these VPN services are unavailable. When VPN client of an administrator specifies a tunnel group configured to fallback to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.

Configuring the Local Database

This section describes how to manage users in the local database. You can use the local database for CLI access authentication, privileged mode authentication, command authorization, network access authentication, and VPN authentication and authorization. You cannot use the local database for network access authorization. The local database does not support accounting.

For multiple context mode, you can configure usernames in the system execution space to provide individual logins using the login command; however, you cannot configure any aaa commands in the system execution space.

This section includes the following topics:

User Accounts, page 12-7

Add/Edit User Account > Identity, page 12-9

Add/Edit User Account > VPN Policy, page 12-10

Identifying AAA Server Groups and Servers, page 12-12

 

 

ASDM User Guide

 

 

 

 

 

 

OL-12180-01

 

 

12-7

 

 

 

 

 

Page 7
Image 7
Cisco Systems OL-12180-01 manual Configuring the Local Database, User Profiles, Fallback Support, 12-7