Cisco ASDM User Guide
OL-16647-01
Chapter 14 Configuring AAA Servers and the Local Database
Adding a User Account
Note Although you can configure HTTP (ASDM) authentication using the local database, that
functionality is enabled by default. You only need to configure HTTP authentication explicitly if you
want to use a RADIUS or TACACS+ server for authentication instead.
• Console authentication
• Telnet and SSH authentication
• enable command authentication
  This setting is for CLI access only and does not affect the ASDM login.
• Command authorization
  If you turn on command authorization using the local database, the security appliance uses the
  user's privilege level to determine which commands are available. Otherwise, the privilege level is
  not generally used. By default, every command is at either privilege level 0 or privilege level 15.
  ASDM lets you enable three predefined privilege levels, with commands assigned to level 15
  (Admin), level 5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, assign
  each user to one of these three privilege levels.
• Network access authentication
• VPN client authentication
You cannot use the local database for network access authorization.
For multiple context mode, you can configure usernames in the system execution space to provide
individual logins at the CLI using the login command; however, you cannot configure any AAA rules
that use the local database in the system execution space.
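The running configuration that the ASDM procedure below produces, shown here as an added example that is not part of the original guide. It assumes ASA 8.2 or later CLI syntax; the usernames, passwords and the choice of which functions to point at the local database are illustrative placeholders, so check the exact keywords against the command reference for your release.

```text
! Local users at the three predefined ASDM privilege levels.
! The privilege value only matters once command authorization is turned on.
username admin1 password Adm1n-Placeh0lder privilege 15
username ro1 password R0-Placeh0lder privilege 5
username mon1 password M0n-Placeh0lder privilege 3
!
! Account for MS-CHAPv1/v2 VPN clients: the "mschap" keyword stores the
! password as an MD4 hash of its Unicode form (an NT hash) instead of the
! normal salted hash, which is what the ASDM MSCHAP check box sets.
username vpnuser1 password Vpn-Placeh0lder mschap
!
! Point CLI logins and the enable prompt at the local database.
! HTTP/ASDM authentication against the local database needs no command;
! it is on by default.
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
!
! Command authorization: without this line every user who reaches enable
! mode gets level-15 commands regardless of the privilege set above.
aaa authorization command LOCAL
!
! Management authorization ("Perform authorization for exec shell access"),
! required before the per-user Access Restriction (service-type) is honored.
aaa authorization exec LOCAL
!
username ro1 attributes
 service-type nas-prompt
username vpnuser1 attributes
 service-type remote-access
```

Two points worth checking after applying something like this: log in as the level-5 user over SSH and confirm that a configuration command is refused, and confirm that a user with `service-type remote-access` cannot open ASDM or an SSH session. In multiple context mode the `username` lines may live in the system execution space to back the `login` command, but the `aaa ... LOCAL` rules must be configured inside a context.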
To add a user account to the security appliance local database, perform the following steps:
Step 1 From the Configuration > Device Management > Users/AAA > User Accounts pane, click Add.
The Add User Account—Identity dialog box appears.
Step 2 In the Username field, enter a username between 4 and 64 characters long.
Step 3 In the Password field, enter a password between 3 and 32 characters. Entries are case-sensitive, and
for security purposes only asterisks appear in the password fields. Although the security appliance
accepts passwords as short as 3 characters, we recommend a password length of at least 8 characters.
Step 4 In the Confirm Password field, enter the password again.
Step 5 To enable MSCHAP authentication, check User authenticated using MSCHAP.
This option specifies that the password is converted to Unicode and hashed using MD4 after you enter it,
which is the NT hash format that MS-CHAP requires. Use this feature if users are authenticated using
MSCHAPv1 or MSCHAPv2. Because an NT hash is unsalted and quick to compute, the password length
recommendation in Step 3 matters even more for these accounts.
Step 6 To specify the VPN groups that the user belongs to, enter a group name in the Member of field, and click
Add.
To delete a VPN group, choose the group in the window, and click Delete.
Step 7 In the Access Restriction area, set the management access level for a user. You must first enable
management authorization using the Perform authorization for exec shell access option on the
Configuration > Device Management > Users/AAA > AAA Access > Authorization tab.
Choose one of the following options: