Configure AAA on the PIX Security Appliance
The local user database

An administrator can configure a local database in the PIX Security Appliance. The local database can be the primary means of authenticating console access, or it can serve as a fallback database when the AAA server is no longer accessible. Use the username command to create user accounts in the local user database. A password can be created for the user, or the nopassword keyword can be used to create a user account with no password. Use the encrypted keyword if the password is already encrypted, and use the privilege keyword to assign a privilege level to the user. In the example in Figure , the administrator defines a user admin with a password of cisco123 in the PIX local database. When Telnet access to the PIX is attempted, the user is authenticated against the PIX local internal database.

To delete an existing user account, use the no username command. To remove all the entries from the user database, enter the clear config username command.

The syntax for the username command is shown in Figure .

The aaa local authentication attempts max-fail fail-attempts command enables the administrator to set a limit on the number of login retries for serial and Telnet access users. In the example in Figure , the admin1 user attempts to gain console access to the PIX Security Appliance. After three failed attempts, the admin1 user is locked out. The administrator can use the show aaa local user command to view each local user's lock-time, failed-attempts, and locked status. To clear the failed-attempts counter or the lockout status for one user or for all users, the administrator can use the clear aaa local user {fail-attempts | lockout} {all | username name} command.

The administrator can view the statistics associated with the local users and the local server. With the show local user command, the administrator can view the lock-time, failed-attempts and locked status of each user in the local database. With the show aaa-server local command, the administrator can view the status of the local server.
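The commands described above, assembled into one PIX 7.x configuration fragment so the account, lockout and Telnet-authentication settings can be seen together. This is an added example, not from the original page; the hostname, the admin1 password and the privilege levels are assumed, while admin/cisco123 and admin1 come from the text.

```cisco
! Added example (not from the original page). Hostname, admin1's
! password and the privilege levels are assumed values.
hostname pix-example
!
! 1. Create local accounts. Level 15 gets full privileged access;
!    admin1 is an operator account with a lower level. Use the
!    "encrypted" keyword only when pasting an already-hashed password
!    copied from another configuration.
username admin password cisco123 privilege 15
username admin1 password Op3rator privilege 5
!
! 2. Lock an account after three consecutive failed logins on the
!    serial console or Telnet (matches the lockout in the text).
aaa local authentication attempts max-fail 3
!
! 3. Authenticate Telnet sessions to the appliance against the
!    local user database rather than an external AAA server.
aaa authentication telnet console LOCAL
!
! Operational checks, run from privileged EXEC (not part of the
! saved configuration):
!   show aaa local user
!       -> lock-time, failed-attempts and locked status per user
!   show aaa-server local
!       -> status of the local server
!   clear aaa local user fail-attempts username admin1
!       -> reset admin1's failure counter without unlocking others
!   clear aaa local user lockout all
!       -> release every locked account after the cause is understood
```

Review the show aaa local user output before clearing a lockout: repeated lockouts on the same account are the signal that the failure limit is doing its job.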