Cisco Systems OL-12180-01 Configuring the Local Database

12-7

ASDM User Guide

OL-12180-01

Chapter12 Configuring AAA Servers and User Accounts Configuring the Local Database

User profiles contain, at a minimum, a username. Typically, a password is assigned to each username,

although passwords are optional. You can add other information to a specific user profile. The

information you can add includes VPN-related attributes, such as a VPN session timeout value.

The local database can act as a fallbackmethod for several functions. This behavior is designed to help

you prevent accidental lockout from the security appliance.

For users who need fallback support, we recommend that their usernames and passwords in the local

database match their usernames and passwords in the AAA servers. This provides transparent fallback

support.Because the user cannot determine whether a AAA server or the local database is providing the

service, using usernames and passwords on AAA servers that are different than the usernames and

passwords in the local database means that the user cannot be certain which username and password

should be given.

The local database supports the following fallback functions:

•Console and enable password authentication—If the servers in the group all are unavailable, the

security appliance uses the local database to authenticate administrative access. This can include

enable password authentication, too.

•Command authorization—If the TACACS+ servers in the group all are unavailable, the local

database is used to authorize commands based on privilege levels.

•VPN authentication and authorization—VPN authentication and authorization are supported to

enable remote access to the security appliance if AAA servers that normally support these VPN

services are unavailable.When VPN client of an administrator specifies a tunnel group configured

to fallback to the local database, the VPN tunnel can be established even if the AAA server group

is unavailable, provided that the local database is configured with the necessary attributes.

Configuring the Local Database

This section describes how to manage users in the local database. You can use the local database for

CLI access authentication, privileged mode authentication, command authorization, network access

authentication,and VPN authentication and authorization. You cannot use the local database for network

access authorization. The local database does not support accounting.

For multiple context mode, you can configure usernames in the system execution space to provide

individual logins using thelogin command; however, you cannot configure any aaa commands in the

system execution space.

This section includes the following topics:

•User Accounts, page 12-7

•Add/Edit User Account > Identity, page 12-9

•Add/Edit User Account > VPN Policy, page 12-10

•Identifying AAA Server Groups and Servers, page 12-12