Information about accounting, Summary of server support – Cisco ASA 5505 User Manual

35-3

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 35 Configuring AAA Servers and the Local Database

Information About AAA

Information About Accounting

Accounting tracks traffic that passes through the ASA, enabling you to have a record of user activity. If
you enable authentication for that traffic, you can account for traffic per user. If you do not authenticate
the traffic, you can account for traffic per IP address. Accounting information includes session start and
stop times, username, the number of bytes that pass through the ASA for the session, the service used,
and the duration of each session.

Summary of Server Support

Table 35-1

summarizes the support for each AAA service by each AAA server type, including the local

database. For more information about support for a specific AAA server type, see the topics following
the table.

Note

In addition to the native protocol authentication listed in

Table 35-1

, the ASA supports proxying

authentication. For example, the ASA can proxy to an RSA/SDI and/or LDAP server via a RADIUS
server. Authentication via digital certificates and/or digital certificates with the AAA combinations
listed in the table are also supported.

Table 35-1

Summary of AAA Support

AAA Service

Database Type

Local RADIUS

TACACS+

SDI (RSA) NT

Kerberos

LDAP

HTTP Form

Authentication of...

VPN users

1

1.

For SSL VPN connections, either PAP or MS-CHAPv2 can be used.

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

2

2.

HTTP Form protocol supports both authentication and single sign-on operations for clientless SSL VPN users sessions only.

Firewall sessions

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Administrators

Yes

Yes

Yes

Yes

3

3.

RSA/SDI is supported for ASDM HTTP administrative access with ASA 5500 software version 8.2(1) or later.

Yes

Yes

Yes

No

Authorization of...

VPN users

Yes

Yes

No

No

No

No

Yes

No

Firewall sessions

No

Yes

4

4.

For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified
in a RADIUS authentication response.

Yes

No

No

No

No

No

Administrators

Yes

5

5.

Local command authorization is supported by privilege level only.

No

Yes

No

No

No

No

No

Accounting of...

VPN connections

No

Yes

Yes

No

No

No

No

No

Firewall sessions

No

Yes

Yes

No

No

No

No

No

Administrators

No

Yes

6

6.

Command accounting is available for TACACS+ only.

Yes

No

No

No

No

No