Task Flow for Configuring AAA, Configuring AAA Server Groups – Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI, page 35-11
Chapter 35 Configuring AAA Servers and the Local Database
Configuring AAA
• Managing User Passwords, page 35-25
• Changing User Passwords, page 35-27
• Authenticating Users with a Public Key for SSH, page 35-28
• Differentiating User Roles Using AAA, page 35-28
Task Flow for Configuring AAA
Step 1
Do one or both of the following:
• Add a AAA server group. See the “Configuring AAA Server Groups” section on page 35-11.
• Add a user to the local database. See the “Adding a User Account to the Local Database” section.
Step 2
(Optional) Configure authorization from an LDAP server that is separate and distinct from the authentication mechanism. See the “Configuring Authorization with LDAP for VPN” section.
Step 3
For an LDAP server, configure LDAP attribute maps. See the “Configuring LDAP Attribute Maps” section.
Step 4
For an administrator, specify the password policy attributes for users. See the “Managing User Passwords” section on page 35-25.
Step 5
(Optional) Users can change their own passwords. See the “Changing User Passwords” section on page 35-27.
Step 6
(Optional) Users can authenticate with a public key. See the “Authenticating Users with a Public Key for SSH” section on page 35-28.
Step 7
(Optional) Distinguish between administrative and remote-access users when they authenticate. See the “Differentiating User Roles Using AAA” section on page 35-28.
Configuring AAA Server Groups
If you want to use an external AAA server for authentication, authorization, or accounting, you must first 
create at least one AAA server group per AAA protocol and add one or more servers to each group. You 
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, 
LDAP, NT, RADIUS, SDI, or TACACS+.
Guidelines
• You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode.
• Each group can have up to 16 servers in single mode or 4 servers in multiple mode.
• When a user logs in, the servers are accessed one at a time, starting with the first server you specify in the configuration, until a server responds. The order in which you add servers to the group is therefore the order in which they are tried; list the server you want to carry the normal load first. If all servers in the group are unavailable, the ASA tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers, so while every server in the group is down, logins that depend on that group cannot complete. For management access, configure the local database as the fallback and keep at least one local administrator account so that an AAA outage does not lock you out of the ASA.