Cisco ASA 5505 User Manual
Page 692
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 35 Configuring AAA Servers and the Local Database
Configuring AAA
Detailed Steps

Step 1

Command:

aaa-server server_tag protocol {kerberos | ldap | nt | radius | sdi | tacacs+}

Example:

hostname(config)# aaa-server servergroup1 protocol ldap
hostname(config-aaa-server-group)#
hostname(config)# aaa-server servergroup1 protocol radius
hostname(config-aaa-server-group)# interim-accounting-update
hostname(config)# aaa-server servergroup1 protocol radius
hostname(config-aaa-server-group)# ad-agent-mode

Purpose:

Identifies the server group name and the protocol. For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.

You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 15 servers in single mode or 4 servers in multiple mode.

When you enter the aaa-server protocol command, you enter aaa-server group configuration mode.

The interim-accounting-update option enables multi-session accounting for clientless SSL and AnyConnect sessions. If you choose this option, interim accounting records are sent to the RADIUS server in addition to the start and stop records.

Tip: Choose this option if users have trouble completing a VPN connection using clean access SSO, which might occur when making clientless or AnyConnect connections directly to the ASA.

The ad-agent-mode option specifies the shared secret between the ASA and the AD agent, and indicates that a RADIUS server group includes AD agents that are not full-function RADIUS servers. Only a RADIUS server group that has been configured using the ad-agent-mode option can be associated with user identity. As a result, the test aaa-server {authentication | authorization} aaa-server-group command is not available when a RADIUS server group that is not configured using the ad-agent-mode option is specified.
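
The limits and protocol keywords in Step 1 can be checked against a saved configuration before it is deployed. The following audit script is an added example, not part of the Cisco guide. It assumes servers are listed as "aaa-server <tag> (<interface>) host <address>" lines, that group-mode options appear indented under the protocol line, and that interim-accounting-update and ad-agent-mode belong only in RADIUS groups, as the text above describes them. The sample configuration is constructed.

```python
import re
from collections import defaultdict

# Keywords and limits come from the Step 1 text; the host-line pattern is an
# assumption about how servers appear in the configuration being audited.
PROTOCOLS = {"kerberos", "ldap", "nt", "radius", "sdi", "tacacs+"}
LIMITS = {"single": (100, 15), "multiple": (4, 4)}  # (groups, servers per group)
RADIUS_ONLY = {"interim-accounting-update", "ad-agent-mode"}
GROUP_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)$")
HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+(?:\(\S+\)\s+)?host\s+(\S+)")

def audit_aaa(config, mode="single"):
    """Return a list of findings for one configuration (or one context)."""
    max_groups, max_servers = LIMITS[mode]
    groups, servers = {}, defaultdict(list)   # tag -> protocol, tag -> hosts
    findings, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            current, proto = m.group(1), m.group(2).lower()
            groups[current] = proto
            if proto not in PROTOCOLS:
                findings.append(f"{current}: unknown protocol {proto}")
        elif m := HOST_RE.match(line):
            servers[m.group(1)].append(m.group(2))
            current = None                     # host sub-mode, not group sub-mode
        elif line and raw[0].isspace() and current:
            option = line.split()[0]           # option set in group config mode
            if option in RADIUS_ONLY and groups[current] != "radius":
                findings.append(f"{current}: {option} requires protocol radius")
        else:
            current = None
    if len(groups) > max_groups:
        findings.append(f"{len(groups)} server groups exceeds limit of {max_groups}")
    for tag, hosts in servers.items():
        if len(hosts) > max_servers:
            findings.append(f"{tag}: {len(hosts)} servers exceeds limit of {max_servers}")
    return findings

# Constructed sample (made-up tags and addresses) with two deliberate problems.
SAMPLE = (
    "aaa-server RADGRP protocol radius\n interim-accounting-update\n"
    + "".join(f"aaa-server RADGRP (inside) host 192.0.2.{i}\n" for i in range(1, 6))
    + "aaa-server TACGRP protocol tacacs+\n"
    + "aaa-server LDAPGRP protocol ldap\n ad-agent-mode\n"
)

if __name__ == "__main__":
    print(audit_aaa(SAMPLE), audit_aaa(SAMPLE, "multiple"))
```

In single mode the sample yields only the ad-agent-mode finding; run with mode="multiple" it also reports the five-server RADIUS group, because the per-group limit drops to 4.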