Task flow for configuring aaa, Configuring aaa server groups – Cisco ASA 5505 User Manual


35-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 35 Configuring AAA Servers and the Local Database

Configuring AAA

• Managing User Passwords, page 35-25

• Changing User Passwords, page 35-27

• Authenticating Users with a Public Key for SSH, page 35-28

• Differentiating User Roles Using AAA, page 35-28

Task Flow for Configuring AAA

Step 1 Do one or both of the following:

• Add a AAA server group. See the “Configuring AAA Server Groups” section on page 35-11.

• Add a user to the local database. See the “Adding a User Account to the Local Database” section on page 35-20.

Step 2 (Optional) Configure authorization from an LDAP server that is separate and distinct from the authentication mechanism. See the “Configuring Authorization with LDAP for VPN” section on page 35-16.

Step 3 For an LDAP server, configure LDAP attribute maps. See the “Configuring LDAP Attribute Maps” section on page 35-18.

Step 4 For an administrator, specify the password policy attributes for users. See the “Managing User Passwords” section on page 35-25.

Step 5 (Optional) Users can change their own passwords. See the “Changing User Passwords” section on page 35-27.

Step 6 (Optional) Users can authenticate with a public key. See the “Authenticating Users with a Public Key for SSH” section on page 35-28.

Step 7 (Optional) Distinguish between administrative and remote-access users when they authenticate. See the “Differentiating User Roles Using AAA” section on page 35-28.

Configuring AAA Server Groups

If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.

Guidelines

• You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode.

• Each group can have up to 16 servers in single mode or 4 servers in multiple mode.

• When a user logs in, the servers are accessed one at a time, starting with the first server you specify in the configuration, until a server responds. If all servers in the group are unavailable, the ASA tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.
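The server-order and local-database fallback behavior described in the guidelines above, shown as an added ASA CLI example (not a configuration taken from this guide): one RADIUS server group with two servers used for SSH management authentication, with LOCAL consulted only when neither server responds. The group name, interface name, addresses, local account and secret placeholders are assumed.

```cisco
! Added example, not from the Cisco guide. Names and addresses are placeholders.
! One server group per AAA protocol; servers are tried in the order listed.
aaa-server MGMT-RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server MGMT-RADIUS (inside) host 192.0.2.10
 key <RADIUS_SHARED_SECRET>
 timeout 5
aaa-server MGMT-RADIUS (inside) host 192.0.2.11
 key <RADIUS_SHARED_SECRET>
 timeout 5
! A local administrator account must exist, or the LOCAL fallback has nothing
! to authenticate against when every server in the group is unavailable.
username admin password <STRONG_PASSWORD> privilege 15
! Management authentication: group first, local database only as fallback.
! Without the trailing LOCAL keyword the ASA keeps retrying the group's servers.
aaa authentication ssh console MGMT-RADIUS LOCAL
```

Use show aaa-server MGMT-RADIUS to confirm that each host is ACTIVE before relying on the group; a server marked FAILED is skipped until its deadtime expires.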
