Cisco ASA 5505 Configuration Manual page 665


Chapter 31
Configuring AAA Servers and the Local Database
Adding a User Account

Note: Although you can configure HTTP authentication using the local database, that functionality is always enabled by default. You should only configure HTTP authentication if you want to use a RADIUS or TACACS+ server for authentication.

• Console authentication
• Telnet and SSH authentication
• enable command authentication
  This setting is for CLI-access only and does not affect the ASDM login.
• Command authorization
  If you turn on command authorization using the local database, then the adaptive security appliance refers to the user privilege level to determine which commands are available. Otherwise, the privilege level is not generally used. By default, all commands are either privilege level 0 or level 15. ASDM allows you to enable three predefined privilege levels, with commands assigned to level 15 (Admin), level 5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, then assign users to one of these three privilege levels.
• Network access authentication
• VPN client authentication

You cannot use the local database for network access authorization.

For multiple context mode, you can configure usernames in the system execution space to provide individual logins at the CLI using the login command; however, you cannot configure any AAA rules that use the local database in the system execution space.

To add a user account to the adaptive security appliance local database, perform the following steps:

Step 1  Choose Configuration > Device Management > Users/AAA > User Accounts, and then click Add.
        The Add User Account-Identity dialog box appears.

Step 2  In the Username field, add a username from 4 to 64 characters long.

Step 3  In the Password field, add a password between 3 and 32 characters. Entries are case-sensitive. The field displays only asterisks. To protect security, we recommend a password length of at least 8 characters.

Step 4  In the Confirm Password field, add the password again.
        For security purposes, only asterisks appear in the password fields.

Step 5  To enable MSCHAP authentication, check User authenticated using MSCHAP.
        This option specifies that the password is converted to Unicode and hashed using MD4 after you enter it. Use this feature if users are authenticated using MSCHAPv1 or MSCHAPv2.

Step 6  To specify the VPN groups that the user belongs to, enter a group name in the Member of field, and click Add.
        To delete a VPN group, choose the group in the window, and click Delete.

Step 7  In the Access Restriction area, set the management access level for a user. You must first enable management authorization using the Perform authorization for exec shell access option on the Configuration > Device Management > Users/AAA > AAA Access > Authorization tab.
        Choose one of the following options:

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 31-19
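
Added example (not part of the Cisco guide): a Python audit that reads local user lines from a saved configuration and reports the privilege levels, MSCHAP (MD4) password storage and username length limits described in this section. The CLI line format in the regular expression, the function name audit_local_users and the sample accounts are assumptions constructed for illustration.

```python
import re

# Predefined ASDM privilege levels named in this section.
PREDEFINED = {15: "Admin", 5: "Read Only", 3: "Monitor Only"}

# Assumed shape of a local-user line in a saved ASA configuration:
#   username NAME password HASH [encrypted|nt-encrypted|pbkdf2] [privilege N]
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+\S+"
    r"(?:\s+(?P<store>encrypted|nt-encrypted|pbkdf2))?"
    r"(?:\s+privilege\s+(?P<priv>\d+))?\s*$"
)

def audit_local_users(config_text):
    """Return {username: [findings]} for every local user line found."""
    report = {}
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue  # not a local user definition
        findings = []
        if m["store"] == "nt-encrypted":
            findings.append("MSCHAP storage: password hashed with MD4")
        if m["priv"] is None:
            findings.append("no explicit privilege level")
        elif int(m["priv"]) not in PREDEFINED:
            findings.append(f"privilege {m['priv']} is not a predefined level")
        elif int(m["priv"]) == 15:
            findings.append("privilege 15 (Admin): full command access")
        if not 4 <= len(m["name"]) <= 64:
            findings.append("username outside the 4-64 character range")
        report[m["name"]] = findings
    return report

# Constructed sample, not from a real device; hash fields are placeholders.
SAMPLE = """\
hostname fw-example
username netadmin password PLACEHOLDERHASH1 encrypted privilege 15
username vpnuser1 password PLACEHOLDERHASH2 nt-encrypted privilege 5
username monitor password PLACEHOLDERHASH3 encrypted privilege 3
username helpdesk password PLACEHOLDERHASH4 encrypted privilege 7
username ops password PLACEHOLDERHASH5 encrypted
"""

if __name__ == "__main__":
    for user, findings in audit_local_users(SAMPLE).items():
        print(user, "->", findings or ["ok"])
```

Accounts flagged for MD4 storage are the ones to review first: keep the MSCHAP option only for users who actually authenticate with MSCHAPv1 or MSCHAPv2.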
