Security · Global Config

username [name] password [pw] privilege [15]

Creates a local user account with a specified password and privilege level for authentication and authorization on the Cisco ASA Firewall.

Overview

The 'username' command on Cisco ASA Firewall is used to create local user accounts stored in the device's local database. These accounts are essential for authenticating users who need to access the ASA for management purposes, such as via SSH, HTTPS (ASDM), or console. The command allows specifying a username, password, and privilege level (0-15). Privilege levels control the commands a user can execute: level 1 provides read-only access (show commands), level 15 provides full administrative access (all commands including configuration), and intermediate levels can be customized. This command is part of the local authentication mechanism, which is often used as a backup when external AAA servers (RADIUS/TACACS+) are unavailable. On ASA, the password is stored in encrypted form by default. The command is executed in global configuration mode and takes effect immediately. It is commonly used in small to medium deployments where external AAA is not required, or as a fallback for console access. Understanding privilege levels is crucial for implementing role-based access control (RBAC) and ensuring security compliance.

Syntax (Global Config)

username <name> password <pw> privilege <0-15>

When to Use This Command

  • Creating administrative accounts for network engineers with privilege level 15 for full access.
  • Setting up read-only monitoring accounts with privilege level 1 for SNMP or logging access.
  • Configuring multi-level access for different teams (e.g., level 5 for NOC, level 15 for senior engineers).
  • Enabling local authentication fallback when RADIUS/TACACS+ servers are unreachable.

Parameters

Parameter | Syntax | Description
name | WORD | The username for the local account. It can be alphanumeric and may include special characters. Must be unique on the device.
password | WORD | The password for the user. It must meet the configured password policy (e.g., minimum length, complexity). The password is stored in encrypted form.
privilege | <0-15> | The privilege level assigned to the user. Level 15 grants full access, level 1 grants read-only access. Intermediate levels can be customized using privilege command levels.

Command Examples

Create an admin user with full privileges

username admin password Cisco123 privilege 15
INFO: Security level for 'admin' set to 15

The command creates user 'admin' with password 'Cisco123' and privilege level 15 (full access). The output confirms the privilege level assignment.

Create a read-only user

username monitor password ReadOnly1 privilege 1
INFO: Security level for 'monitor' set to 1

Creates user 'monitor' with privilege level 1, allowing only basic show commands and no configuration changes.

Understanding the Output

The output of the 'username' command is minimal, typically just a confirmation message: 'INFO: Security level for <name> set to <privilege>'. This indicates the user account was created successfully and assigned the specified privilege level. To verify the configured users, use 'show run username' or 'show run | include username'. The output will list all local users with their privilege levels. A healthy configuration shows the desired users with correct privilege levels. A problem might be missing users or incorrect privilege levels, which can be checked by reviewing the running configuration.

Configuration Scenarios

Creating an Admin and a Read-Only User

A company needs two local accounts: one for the network administrator with full access, and one for a monitoring system with read-only access.

Topology

N/A (single ASA)

Steps

  1. Enter global configuration mode: configure terminal
  2. Create admin user: username admin password Str0ng!Pass privilege 15
  3. Create monitor user: username monitor password M0nitor!1 privilege 1
  4. Exit configuration mode: end
  5. Verify with: show run | include username

Configuration

! Config snippet
username admin password Str0ng!Pass privilege 15
username monitor password M0nitor!1 privilege 1

Verify: Use 'show run username' to list all local users. Use 'show privilege' to check current privilege level after logging in.

Watch out: If you forget the privilege parameter, it defaults to 1, which may lock you out of configuration mode.
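The verification step above and the "Understanding the Output" section both rely on reading 'show run | include username' by eye. The following Python script is an added example (not from this page or from Cisco) that parses that output and reports the checks a reviewer would make: which accounts hold privilege 15, which lines omit the privilege keyword (and so fall back to the default this page describes), and which passwords lack an encrypted marker. The sample output is constructed, the hashes are placeholders, and the 'encrypted'/'pbkdf2' keywords are running-config markers the page itself does not show.

```python
import re

# Constructed sample of 'show run | include username' output. Hash values are
# placeholders, not real credential material.
SAMPLE_SHOW_RUN = """\
username admin password <HASH-PLACEHOLDER> encrypted privilege 15
username monitor password <HASH-PLACEHOLDER> encrypted privilege 1
username noc password <HASH-PLACEHOLDER> encrypted
username backup password Cisco123 privilege 15
username admin attributes
"""

# Matches 'username <name> password <pw> [encrypted|pbkdf2] [privilege <n>]'.
# Lines such as 'username <name> attributes' do not match and are skipped.
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+(?P<pw>\S+)"
    r"(?P<enc>\s+(?:encrypted|pbkdf2))?"
    r"(?:\s+privilege\s+(?P<priv>\d+))?\s*$"
)

DEFAULT_PRIVILEGE = 1  # level this page states applies when 'privilege' is omitted


def parse_local_users(show_run: str) -> list[dict]:
    """Return one record per local user found in the show output."""
    users = []
    for line in show_run.splitlines():
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue
        priv_text = m.group("priv")
        users.append({
            "name": m.group("name"),
            "privilege": int(priv_text) if priv_text else DEFAULT_PRIVILEGE,
            "explicit_privilege": priv_text is not None,
            "encrypted": m.group("enc") is not None,
        })
    return users


def audit_local_users(show_run: str) -> list[str]:
    """Return review findings for the local-user lines of a running config."""
    findings = []
    for u in parse_local_users(show_run):
        if u["privilege"] == 15:
            findings.append(f"{u['name']}: full administrative access (privilege 15)")
        if not u["explicit_privilege"]:
            findings.append(f"{u['name']}: no privilege keyword, falls back to level {DEFAULT_PRIVILEGE}")
        if not u["encrypted"]:
            findings.append(f"{u['name']}: password stored without an encrypted/pbkdf2 marker")
    return findings
```

Paste the real 'show run | include username' output into SAMPLE_SHOW_RUN (or read it from a file) and call audit_local_users() to get the findings list.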

Troubleshooting with This Command

When troubleshooting local user authentication on Cisco ASA, the 'username' command is the foundation. First, verify that the user exists with 'show run | include username'. If a user cannot authenticate, check the password – ASA does not display passwords in clear text, so you may need to delete and recreate the user. Ensure the privilege level is appropriate for the desired access; a user with level 1 cannot enter configuration mode. If AAA is configured, local authentication may be skipped; check 'aaa authentication login' commands. Use 'debug aaa authentication' to see authentication attempts. Common issues include password complexity requirements (ASA may reject weak passwords) and case sensitivity. Also, ensure that the user is allowed for the access method (e.g., SSH) via 'ssh' or 'aaa authentication ssh console' commands. If the user is locked out, use the console with enable password to recover.

CCNA Exam Tips

  1. Remember that privilege level 15 is equivalent to enable mode (full access), while level 1 is read-only.
  2. On ASA, the 'username' command is used for local database authentication; it does not affect the enable password.
  3. You can combine this command with 'aaa authentication login' to use local users for SSH or console access.

Common Mistakes

  • Forgetting to specify the privilege level, which defaults to 1 (read-only) and may lock out administrators.
  • Using weak passwords that do not meet complexity requirements, causing the command to be rejected.
  • Confusing 'username' with 'enable password' – the username command creates local users, not the enable password.

Platform Notes

On Cisco ASA, the 'username' command is similar to IOS but with some differences. ASA does not support the 'secret' keyword; passwords are always encrypted. The privilege level system is identical to IOS (0-15). Unlike IOS, ASA does not have a 'username' command for enable secret; instead, use 'enable password' or 'enable secret'. ASA also supports 'username' with 'sshkey' for SSH key authentication. For AAA, ASA uses 'aaa authentication login' to reference local or server groups. In ASA version 9.x and later, password policies can be enforced via 'password-policy' commands. Compared to other vendors, ASA's local user management is straightforward but lacks advanced features like role-based access control (RBAC) found in some firewalls.
