1-11
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring AAA Servers and the Local Database
Configuring AAA
Task Flow for Configuring AAA
Step 1 Do one or both of the following:
• Add a AAA server group. See the “Configuring AAA Server Groups” section on page 1-11.
• Add a user to the local database. See the “Adding a User Account to the Local Database” section on
page 1-22.
Step 2 (Optional) Configure authorization from an LDAP server that is separate and distinct from the
authentication mechanism. See the “Configuring Authorization with LDAP for VPN” section on
page 1-18.
Step 3 For an LDAP server, configure LDAP attribute maps. See the “Configuring LDAP Attribute Maps”
section on page 1-20.
Step 4 (Optional) Distinguish between administrative and remote-access users when they authenticate. See the
“Differentiating User Roles Using AAA” section on page 1-29.
Configuring AAA Server Groups
If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.
Guidelines
• You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode.
• Each group can have up to 16 servers in single mode or 4 servers in multiple mode.
• When a user logs in, the servers are accessed one at a time, starting with the first server you specify
in the configuration, until a server responds. If all servers in the group are unavailable, the ASA tries
the local database if you configured it as a fallback method (management authentication and
authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.
To Next Page
Loading...
Need help?
General
