12-8
ASDM User Guide
OL-12180-01
Chapter 12 Configuring AAA Servers and User Accounts
Configuring the Local Database
User Accounts
The User Accounts pane lets you manage the local user database. The local database is used for the
following features:
ASDM per-user access
By default, you can log into ASDM with a blank username and the enable password (see Device
Name/Password, page 10-12). However, if you enter a username and password at the login screen
(instead of leaving the username blank), ASDM checks the local database for a match.
Note Although you can configure HTTP authentication using the local database, that functionality is
always enabled by default. You should only configure HTTP authentication if you want to use a
RADIUS or TACACS+ server for authentication.
Console authentication
Telnet and SSH authentication
enable command authentication
This setting is for CLI-access only and does not affect the ASDM login.
Command authorization
If you turn on command authorization using the local database, then the security appliance refers to
the user privilege level to determine what commands are available. Otherwise, the privilege level is
not generally used. By default, all commands are either privilege level 0 or level 15. ASDM allows
you to enable three predefined privilege levels, with commands assigned to level 15 (Admin), level
5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, then assign users to one
of these three privilege levels.
Network access authentication
VPN client authentication
You cannot use the local database for network access authorization.
For multiple context mode, you can configure usernames in the system execution space to provide
individual logins at the CLI using the login command; however, you cannot configure any aaa
commands that use the local database in the system execution space.
Note VPN functions are not supported in multiple context mode.
To configure the enable password from this pane (instead of in Device Name/Password, page 10-12),
change the password for the enable_15 user. The enable_15 user is always present in this pane, and
represents the default username. This method of configuring the enable password is the only method
available in ASDM for the system configuration. If you configured other enable level passwords at the
CLI (enable password 10, for example), then those users are listed as enable_10, etc.
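The privilege-level rules described above under Command authorization can be checked against an exported configuration. The following is an added example, not part of the ASDM User Guide or Cisco code: it assumes the ASA CLI forms `username ... privilege N` and `aaa authorization command LOCAL`, which this page does not show, and it runs on a constructed configuration excerpt with placeholder users and hashes.

```python
# Predefined ASDM privilege levels named in this guide.
PREDEFINED = {15: "Admin", 5: "Read Only", 3: "Monitor Only"}

# Constructed configuration excerpt; user names and hashes are placeholders.
SAMPLE_CONFIG = """\
username alice password HASH_PLACEHOLDER encrypted privilege 15
username bob password HASH_PLACEHOLDER encrypted privilege 5
username carol password HASH_PLACEHOLDER encrypted privilege 7
username dave password HASH_PLACEHOLDER encrypted
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
"""


def parse_users(config):
    """Return {username: privilege level, or None when the line states none}."""
    users = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "username" or tok[2] not in ("password", "nopassword"):
            continue
        start = 4 if tok[2] == "password" else 3  # skip the password value itself
        level = None
        if "privilege" in tok[start:]:
            i = tok.index("privilege", start)
            if i + 1 < len(tok) and tok[i + 1].isdigit():
                level = int(tok[i + 1])
        users[tok[1]] = level
    return users


def local_command_authorization(config):
    """True when command authorization refers to the LOCAL database."""
    return any(t[:3] == ["aaa", "authorization", "command"] and "LOCAL" in t[3:]
               for t in (line.split() for line in config.splitlines()))


def audit(config):
    """List users outside the predefined levels, assuming those levels are in use."""
    findings = []
    for user, level in sorted(parse_users(config).items()):
        if level is None:
            findings.append(f"{user}: no explicit privilege level")
        elif level not in PREDEFINED:
            findings.append(f"{user}: level {level} is outside the predefined 15/5/3 set")
    if not local_command_authorization(config):
        findings.append("command authorization does not use LOCAL; privilege levels are not generally used")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one finding for `carol` (level 7) and one for `dave` (no explicit level).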
Fields
User Name—Specifies the user name to which these parameters apply.
Privilege (Level)—Specifies the privilege level assigned to that user. The privilege level is used with
local command authorization.
VPN Group Policy—Specifies the name of the VPN group policy for this user. Not available in
multimode.