Chapter 13
Configuring AAA Servers and the Local Database
mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is
the default). Alternatively, you can use RADIUS or TACACS+ authentication so that the user cannot use
the login command, or you can set all local users to level 1 so you can control who can use the system
enable password to access privileged mode.
To define a user account in the local database, perform the following steps:
Step 1 Create the user account. To do so, enter the following command:
hostname(config)# username name {nopassword | password password [mschap]} [privilege priv_level]
where the options are as follows:
• username—A string from 4 to 64 characters long.
• password password—A string from 3 to 16 characters long.
• mschap—Specifies that the password will be converted to unicode and hashed using MD4 after you enter it. Use this keyword if users are authenticated using MSCHAPv1 or MSCHAPv2.
• privilege level—The privilege level that you want to assign to the new user account (from 0 to 15). The default is 2. This privilege level is used with command authorization.
• nopassword—Creates a user account with no password.
The encrypted and nt-encrypted keywords are typically for display only. When you define a password
in the username command, the security appliance encrypts it when it saves it to the configuration for
security purposes. When you enter the show running-config command, the username command does
not show the actual password; it shows the encrypted password followed by the encrypted or
nt-encrypted keyword (when you specify mschap). For example, if you enter the password "test," the
show running-config display would appear to be something like the following:
username pat password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
The only time you would actually enter the encrypted or nt-encrypted keyword at the CLI is if you are
cutting and pasting a configuration to another security appliance and you are using the same password.
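The nt-encrypted value shown above is exactly what the mschap description implies: the password as UTF-16LE ("unicode"), hashed with MD4 (the NT hash) and base64-encoded, with no salt. That is why the same password produces the same string on every appliance, and why a saved or displayed configuration has to be handled as credential material. The following Python is an added example, not part of the Cisco guide; it reproduces the derivation for the page's own sample line, and carries a pure-Python MD4 only because some OpenSSL builds no longer expose md4 through hashlib.

```python
import base64
import hashlib
import struct

# Sample line quoted from the page: 'show running-config' output for the password "test" with mschap.
SAMPLE_LINE = "username pat password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted"

def _md4_pure(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used when this interpreter's OpenSSL has no legacy md4."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (  # (boolean function, message-word order, shift schedule, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[w] + k) & mask, shifts[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # "unsupported hash type md4": OpenSSL 3 without the legacy provider
        return _md4_pure(data)

def nt_encrypted(password: str) -> str:
    """Reproduce the nt-encrypted form: password -> UTF-16LE ("unicode") -> MD4 -> base64, no salt."""
    return base64.b64encode(md4(password.encode("utf-16-le"))).decode("ascii")

def parse_nt_encrypted(line: str):
    """Return (username, stored value) from a 'username X password Y nt-encrypted' line, else None."""
    parts = line.split()
    if len(parts) >= 5 and parts[0] == "username" and parts[2] == "password" and parts[4] == "nt-encrypted":
        return parts[1], parts[3]
    return None

def stored_value_matches(line: str, known_password: str) -> bool:
    """True if the stored value is the hash of known_password; being unsalted, equality suffices."""
    parsed = parse_nt_encrypted(line)
    return parsed is not None and parsed[1] == nt_encrypted(known_password)
```

Because the value is deterministic, two appliances (or two accounts) with the same nt-encrypted string share the same password, which is useful when auditing configurations for reused credentials.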
Step 2 To configure a local user account with VPN attributes, follow these steps:
a. Enter the following command:
hostname(config)# username username attributes
When you enter a username attributes command, you enter username mode. The commands
available in this mode are as follows:
• group-lock
• password-storage
• vpn-access-hours
• vpn-filter
• vpn-framed-ip-address
• vpn-group-policy
• vpn-idle-timeout
• vpn-session-timeout
• vpn-simultaneous-logins
• vpn-tunnel-protocol
OL-10088-01
Cisco Security Appliance Command Line Configuration Guide
Configuring the Local Database
13-11