Configuring The Local Database - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Chapter 11
Configuring AAA Servers and the Local Database

For users who need fallback support, we recommend that their usernames and passwords in the local
database match their usernames and passwords on the AAA servers. This provides transparent fallback
support: the user cannot tell whether an AAA server or the local database is providing the service, so if
the usernames and passwords on the AAA servers differ from those in the local database, the user
cannot know which username and password to enter.
The local database supports the following fallback functions:
• Console and enable password authentication—When you use the aaa authentication console
  command, you can add the LOCAL keyword after the AAA server group tag. If all the servers in the
  group are unavailable, the FWSM uses the local database to authenticate administrative access.
  This can include enable password authentication, too.
• Command authorization—When you use the aaa authorization command command, you can
  add the LOCAL keyword after the AAA server group tag. If all the TACACS+ servers in the group
  are unavailable, the local database is used to authorize commands based on privilege levels.
• VPN authentication and authorization—VPN authentication and authorization are supported to
  enable remote access to the FWSM if the AAA servers that normally support these VPN services are
  unavailable. The authentication-server-group command, available in tunnel-group general
  attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a
  tunnel group. When an administrator's VPN client specifies a tunnel group configured to fall back
  to the local database, the VPN tunnel can be established even if the AAA server group is unavailable,
  provided that the local database is configured with the necessary attributes.

Configuring the Local Database

This section describes how to manage users in the local database. You can use the local database for
CLI access authentication, privileged mode authentication, command authorization, network access
authentication, and VPN authentication and authorization. You cannot use the local database for network
access authorization. The local database does not support accounting.
You cannot enter the username command in the system execution space. However, when you use the
login command in system, or use Telnet authentication when you session to the FWSM from the switch,
the FWSM uses the admin context username database (Telnet authentication for the system execution
space is also configured in the admin context).

Caution   If you add to the local database users who can gain access to the CLI but who should not be allowed to
enter privileged mode, enable command authorization. (See the "Configuring Local Command
Authorization" section on page 23-15.) Without command authorization, users can access privileged
mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is
the default). Alternatively, you can use RADIUS or TACACS+ authentication so that the user will not
be able to use the login command, or you can set all local users to level 1 so you can control who can
use the system enable password to access privileged mode.

To define a user account in the local database, perform the following steps:
Step 1   Create the user account. To do so, enter the following command:
hostname(config)# username username {nopassword | password password} [privilege level]

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
11-7
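The caution above (privilege level 2 is the default, and without command authorization such users reach privileged mode with login) as an added audit check, not code from the Cisco guide: a small Python script that parses username lines in the syntax shown in Step 1 and flags the accounts the caution warns about. The sample configuration is constructed, not captured from a real device.

```python
# Added example: audit FWSM-style local users for the privileged-mode caveat.
# Rule from the guide: without "aaa authorization command", any local user with
# privilege 2 or greater (2 is the default when the keyword is omitted) can
# enter privileged mode with the login command using their own password.

DEFAULT_PRIVILEGE = 2  # the guide's default when "privilege" is omitted


def parse_username_line(line):
    """Parse 'username <name> {nopassword | password <pw>} [privilege <n>]'.

    Returns a dict, or None when the line is not a username command.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "username":
        return None
    if tokens[2] == "nopassword":
        has_password = False
    elif tokens[2] == "password" and len(tokens) >= 4:
        has_password = True
    else:
        return None
    level = DEFAULT_PRIVILEGE
    if "privilege" in tokens[3:]:
        idx = tokens.index("privilege", 3)
        if idx + 1 < len(tokens) and tokens[idx + 1].isdigit():
            level = int(tokens[idx + 1])
    return {"name": tokens[1], "has_password": has_password, "privilege": level}


def audit_local_users(config_text):
    """Return (command_authorization_enabled, [(user, finding), ...])."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    cmd_authz = any(ln.startswith("aaa authorization command") for ln in lines)
    findings = []
    for line in lines:
        user = parse_username_line(line)
        if user is None:
            continue
        if user["privilege"] >= 2 and not cmd_authz:
            findings.append((user["name"], "privilege %d can enter privileged mode "
                             "via login; no command authorization" % user["privilege"]))
        if not user["has_password"]:
            findings.append((user["name"], "nopassword: account has no password"))
    return cmd_authz, findings


# Constructed sample configuration (hypothetical names and values).
SAMPLE_CONFIG = """\
hostname fwsm-admin
username netops password Ex4mple! privilege 15
username helpdesk password Ex4mple!
username auditor password Ex4mple! privilege 1
username kiosk nopassword privilege 1
aaa authentication telnet console TACACS_GRP LOCAL
"""
```

Running audit_local_users(SAMPLE_CONFIG) flags netops (15) and helpdesk (default 2) as able to reach privileged mode, and kiosk for having no password; adding an aaa authorization command line clears the two privilege findings.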
