Cisco FirePOWER ASA 5500 series Configuration Manual page 195

Security appliance command line
Chapter 13
Configuring AAA Servers and the Local Database
mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is
the default). Alternatively, you can use RADIUS or TACACS+ authentication so that the user cannot use
the login command, or you can set all local users to level 1 so you can control who can use the system
enable password to access privileged mode.
To define a user account in the local database, perform the following steps:
Step 1
Create the user account. To do so, enter the following command:
hostname(config)# username name {nopassword | password password [mschap]} [privilege priv_level]
where the options are as follows:
username—A string from 4 to 64 characters long.
password password—A string from 3 to 16 characters long.
mschap—Specifies that the password will be converted to Unicode and hashed using MD4 after you
enter it. Use this keyword if users are authenticated using MSCHAPv1 or MSCHAPv2.
privilege level—The privilege level that you want to assign to the new user account (from 0 to 15).
The default is 2. This privilege level is used with command authorization.
nopassword—Creates a user account with no password.
The encrypted and nt-encrypted keywords are typically for display only. When you define a password
in the username command, the security appliance encrypts it when it saves it to the configuration for
security purposes. When you enter the show running-config command, the username command does
not show the actual password; it shows the encrypted password followed by the encrypted or
nt-encrypted keyword (when you specify mschap). For example, if you enter the password "test," the
show running-config display would appear to be something like the following:
username pat password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
The only time you would actually enter the encrypted or nt-encrypted keyword at the CLI is if you are
cutting and pasting a configuration to another security appliance and you are using the same password.
Step 2
To configure a local user account with VPN attributes, follow these steps:
a. Enter the following command:
hostname(config)# username username attributes
When you enter a username attributes command, you enter username mode. The commands available in this mode are as follows:
group-lock
password-storage
vpn-access-hours
vpn-filter
vpn-framed-ip-address
vpn-group-policy
vpn-idle-timeout
vpn-session-timeout
vpn-simultaneous-logins
vpn-tunnel-protocol
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Configuring the Local Database
13-11
