Chapter 12 Configuring AAA Servers and User Accounts

Configuring the Local Database

User Accounts

The User Accounts pane lets you manage the local user database. The local database is used for the following features:

ASDM per-user access

By default, you can log into ASDM with a blank username and the enable password (see Device Name/Password, page 10-12). However, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.

Note Although you can configure HTTP authentication using the local database, that functionality is always enabled by default. You should only configure HTTP authentication if you want to use a RADIUS or TACACS+ server for authentication.

Console authentication

Telnet and SSH authentication

enable command authentication

This setting is for CLI-access only and does not affect the ASDM login.

Command authorization

If you turn on command authorization using the local database, then the security appliance refers to the user privilege level to determine what commands are available. Otherwise, the privilege level is not generally used. By default, all commands are either privilege level 0 or level 15. ASDM allows you to enable three predefined privilege levels, with commands assigned to level 15 (Admin), level 5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, then assign users to one of these three privilege levels.

Network access authentication

VPN client authentication

You cannot use the local database for network access authorization.

For multiple context mode, you can configure usernames in the system execution space to provide individual logins at the CLI using the login command; however, you cannot configure any aaa commands that use the local database in the system execution space.

Note VPN functions are not supported in multiple context mode.

To configure the enable password from this pane (instead of in Device Name/Password, page 10-12), change the password for the enable_15 user. The enable_15 user is always present in this pane, and represents the default username. This method of configuring the enable password is the only method available in ASDM for the system configuration. If you configured other enable level passwords at the CLI (enable password 10, for example), then those users are listed as enable_10, etc.

Fields

User Name—Specifies the user name to which these parameters apply.

Privilege (Level)—Specifies the privilege level assigned to that user. The privilege level is used with local command authorization.

VPN Group Policy—Specifies the name of the VPN group policy for this user. Not available in multimode.

 

ASDM User Guide

12-8

OL-12180-01

Page 8
Image 8
Cisco Systems OL-12180-01 manual User Accounts, 12-8