An administrator can configure a local database in the PIX Security
Appliance. The local database can be the primary means for authenticating
console access or a fallback database when the AAA server is no longer
accessible. Use the username command to create user
accounts in the local user database. A password can be created for the user, or
the nopassword keyword can be used to create a user account
with no password. Use the encrypted keyword if the password
is already encrypted, and use the privilege keyword to
assign a privilege level to the user. In the example in the figure, the
administrator defines a user admin with a password of
cisco123 in the PIX local database. When Telnet access to
the PIX is attempted, the user is authenticated using the PIX local internal
database.
To delete an existing user account, use the no
username command. To remove all the entries from the user database,
enter the clear config username command.
The syntax for the username command is shown in the figure.
The aaa local authentication attempts max-fail
fail-attempts command enables the administrator to set a
limit on the number of retries for serial and Telnet access users. In the
example in the figure, the admin1 user
attempts to gain console access to the PIX Security Appliance. After three
failed attempts, the admin1 user is locked out. The administrator can use the
show aaa local user command to view the local user
lock-time, failed-attempts, and locked status. To clear the failed-attempts
counter or lockout status by user or for all users, the administrator can use
the clear aaa local user {fail-attempts | lockout} {all | username
name} command.
The administrator can view the
statistics associated with the local users and the local server. With the
show local user command, the administrator can view the
lock-time, failed-attempts and locked status of each user in the local
database. With the show aaa-server local command, the
administrator can view the status of the local server.
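The following configuration fragment is an added example, not taken from the course text or its figures; it ties the commands described above together on one PIX. The Telnet source network 10.0.0.0/24 and the enable-mode prompt are constructed values, and the encrypted password shown is a placeholder, not a real hash.

```text
! --- Local user database ---
! Plaintext password (the appliance stores it encrypted); privilege 15 = full access
pixfirewall(config)# username admin password cisco123 privilege 15
! A second, lower-privilege operator account used in the lockout example below
pixfirewall(config)# username admin1 password cisco123 privilege 2
! Re-entering an already-encrypted string (e.g. when pasting a saved config);
! <ENCRYPTED-HASH> is a placeholder for the stored value
pixfirewall(config)# username backup password <ENCRYPTED-HASH> encrypted privilege 15
! An account with no password (weak; shown only to illustrate the keyword)
pixfirewall(config)# username guest nopassword privilege 1

! --- Use the local database for console authentication ---
! LOCAL is the built-in server tag for the local user database
pixfirewall(config)# aaa authentication telnet console LOCAL
pixfirewall(config)# aaa authentication serial console LOCAL
! Permit Telnet only from the (constructed) management subnet on the inside interface
pixfirewall(config)# telnet 10.0.0.0 255.255.255.0 inside

! --- Lock an account after three consecutive failed serial/Telnet logins ---
pixfirewall(config)# aaa local authentication attempts max-fail 3

! --- Operational checks after admin1 fails three times ---
! Shows lock-time, failed-attempts and locked status for each local user
pixfirewall# show aaa local user
! Shows the status of the local AAA server itself
pixfirewall# show aaa-server local
! Reset only admin1's counter, or unlock admin1 alone ...
pixfirewall# clear aaa local user fail-attempts username admin1
pixfirewall# clear aaa local user lockout username admin1
! ... or clear every user's lockout at once
pixfirewall# clear aaa local user lockout all

! --- Cleanup ---
pixfirewall(config)# no username guest
! Removes every entry from the local user database
pixfirewall(config)# clear config username
```

Keep at least one privilege-15 account whose password you know before testing the lockout, since a locked-out admin with no alternate path can only be recovered from the serial console.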