Cisco ASA 5505 Configuration Manual page 653

Chapter 31
Configuring AAA Servers and the Local Database
LDAP Server Support
The adaptive security appliance supports LDAP. For detailed information, see the "Configuring LDAP Attribute Maps" section on page 31-22.
HTTP Forms Authentication for Clientless SSL VPN
The adaptive security appliance can use the HTTP Form protocol for both authentication and single sign-on (SSO) operations of Clientless SSL VPN user sessions only.
Local Database Support
The adaptive security appliance maintains a local database that you can populate with user profiles. This section includes the following topics:
User Profiles, page 31-7
Fallback Support, page 31-7
User Profiles
User profiles include, at a minimum, a username. Typically, a password is assigned to each username, although passwords are optional.
Fallback Support
The local database can act as a fallback method for several functions. This behavior is designed to help you prevent accidental lockout from the adaptive security appliance.
For users who need fallback support, we recommend that their usernames and passwords in the local database match their usernames and passwords in the AAA servers. This practice provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different from the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.
The local database supports the following fallback functions:
OL-20339-01
• Console and enable password authentication—When you use the aaa authentication console command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the group are all unavailable, the adaptive security appliance uses the local database to authenticate administrative access, which can also include enable password authentication.
• Command authorization—When you use the aaa authorization command, you can add the LOCAL keyword after the AAA server group tag. If the TACACS+ servers in the group are all unavailable, the local database is used to authorize commands based on privilege levels.
• VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the adaptive security appliance if AAA servers that normally support these VPN services are unavailable. The authentication-server-group command, available in tunnel-group general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When a VPN client of an administrator specifies a tunnel
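As an added illustration that is not part of the Cisco guide, the following ASA CLI configuration ties the three fallback functions above together: a TACACS+ server group is tried first, and the LOCAL keyword makes the local database take over only when every server in that group is unreachable. The server group name TACACS-SRV, the tunnel group REMOTE-VPN, the address 192.0.2.10, the username and the angle-bracketed secrets are placeholders chosen for this example.

```cisco
! Added example, not from the Cisco guide. Group names, addresses, the
! username and the bracketed secrets are placeholders for illustration.
!
! 1. Local database entry used only when the AAA group is unreachable.
!    Per the guide, keep this username/password identical to the one held
!    on the AAA servers so that fallback is transparent to the administrator.
username admin-fallback password <LOCAL-PASSWORD> privilege 15
!
! 2. External TACACS+ server group (hypothetical name, address and key).
aaa-server TACACS-SRV protocol tacacs+
aaa-server TACACS-SRV (inside) host 192.0.2.10
 key <SHARED-SECRET>
!
! 3. Console and enable authentication: TACACS-SRV first, local database
!    only if all servers in the group are unavailable.
aaa authentication ssh console TACACS-SRV LOCAL
aaa authentication enable console TACACS-SRV LOCAL
!
! 4. Command authorization with the same fallback; when LOCAL is in use,
!    the privilege level on the username entry decides which commands run.
aaa authorization command TACACS-SRV LOCAL
!
! 5. VPN authentication fallback, set in tunnel-group general-attributes mode.
tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group TACACS-SRV LOCAL
```

Two points worth checking when reviewing such a configuration: the LOCAL fallback is reached only when the servers are unavailable, so a login that a reachable TACACS+ server rejects is not retried against the local database; and nothing synchronises the local password with the one on the AAA servers, so the two must be rotated together or the guide's transparent-fallback recommendation silently stops holding.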
Cisco ASA 5500 Series Configuration Guide using ASDM
AAA Server and Local Database Support
31-7
