AAA

Cisco ASA can use an external authentication server such as RADIUS or TACACS to offload the authentication process. To set up an external authentication server for SecureMe, for example, follow these three simple steps:

Step 1. Select an authentication protocol.

SecureMe wants to use an external RADIUS server for Telnet and SSH connections to the Cisco ASA. Navigate to Configuration > Features > Properties > AAA Setup > AAA Server Groups and click Add to specify the protocol that the Cisco ASA uses, as shown in Figure 19-15. The server group name is Rad and the selected protocol is RADIUS.

Figure 19-15. Specifying an Authentication Protocol


Step 2. Define an authentication server.

To specify an authentication server, navigate to Configuration > Features > Properties > AAA Setup > AAA Servers and click Add to open the Add AAA Server window, shown in Figure 19-16. Select the server group name defined in the previous step. Because the AAA server is reached through the inside interface, select the inside interface from the drop-down menu. The IP address of the RADIUS server is 192.168.10.105, and the shared secret key between the server and the Cisco ASA is cisco123 (displayed as asterisks).

Figure 19-16. Defining an Authentication Server


Step 3. Map the configured authentication server.

Navigate to Configuration > Features > Device Administration > Administration > AAA Access > Authentication to map the configured RADIUS server to the appropriate login processes. As shown in Figure 19-17, select the server group Rad for the Enable, SSH, and Telnet connections. In case the RADIUS server is not available, the Cisco ASA is configured to fall back to the local user database for authentication. Click Apply to send the configuration commands to the Cisco ASA.

Figure 19-17. Mapping the Authentication Server


Example 19-7 shows the complete AAA configuration generated by ASDM.

Example 19-7. AAA Configuration Generated by ASDM

aaa-server Rad protocol radius
aaa-server Rad host 192.168.10.105
 key cisco123
aaa authentication enable console Rad LOCAL
aaa authentication ssh console Rad LOCAL
aaa authentication telnet console Rad LOCAL
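The configuration above is what the three ASDM steps produce on one appliance; a reviewer usually wants to confirm the same settings across many saved configurations. The following Python script is an added example and is not code from the book or from Cisco. It parses the aaa-server and aaa authentication ... console lines of an ASA configuration and reports the management-plane gaps a reviewer looks for: an access method with no LOCAL fallback, a server group that is referenced but has no host or no key, no AAA binding for SSH or enable, and Telnet in use. The embedded sample configuration is constructed: it repeats the Example 19-7 lines for group Rad and adds a group Tac with no host, an http line that uses it, and a telnet line without LOCAL, so that each check has something to report.

```python
"""Audit management-plane AAA settings in a Cisco ASA configuration.

Added example, not from the book. Parses the 'aaa-server' and
'aaa authentication <method> console' lines and reports gaps.
"""
import re

# Constructed sample configuration (not a real device): Example 19-7 style
# lines for group Rad, plus deliberate gaps for the checks to find.
SAMPLE_CONFIG = """\
aaa-server Rad protocol radius
aaa-server Rad host 192.168.10.105
 key cisco123
aaa-server Tac protocol tacacs+
aaa authentication enable console Rad LOCAL
aaa authentication ssh console Rad LOCAL
aaa authentication telnet console Rad
aaa authentication http console Tac LOCAL
"""


def parse_aaa(config_text):
    """Return (groups, auth).

    groups: name -> {"protocol": str|None, "hosts": [{"interface", "host", "key"}]}
    auth:   access method (enable, ssh, telnet, http, serial) -> tokens after 'console'
    The optional '(interface)' form of the host line is accepted as well.
    """
    groups, auth = {}, {}
    current_host = None  # the host entry that a following ' key ...' line belongs to
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            groups.setdefault(m.group(1), {"protocol": m.group(2), "hosts": []})
            current_host = None
            continue
        m = re.match(r"aaa-server (\S+) (?:\((\S+)\) )?host (\S+)$", line)
        if m:
            grp = groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            current_host = {"interface": m.group(2), "host": m.group(3), "key": None}
            grp["hosts"].append(current_host)
            continue
        m = re.match(r"\s+key (\S+)$", line)
        if m and current_host is not None:
            current_host["key"] = m.group(1)
            continue
        m = re.match(r"aaa authentication (\S+) console (.+)$", line)
        if m:
            auth[m.group(1)] = m.group(2).split()
        if not line.startswith(" "):
            current_host = None  # any other top-level line ends the host sub-block
    return groups, auth


def audit(config_text):
    """Return a list of finding strings; an empty list means no gap was found."""
    groups, auth = parse_aaa(config_text)
    findings = []
    # SSH and enable should always be bound to the AAA server group.
    for method in ("enable", "ssh"):
        if method not in auth:
            findings.append(f"{method}: no 'aaa authentication {method} console' line; "
                            "logins are not tied to the AAA server")
    for method, tokens in sorted(auth.items()):
        if method == "telnet":
            findings.append("telnet: credentials cross the network in cleartext; "
                            "prefer ssh for management access")
        if "LOCAL" not in tokens:
            findings.append(f"{method}: no LOCAL fallback; admin lockout if the "
                            f"{tokens[0]} server is unreachable")
        for name in tokens:
            if name == "LOCAL":
                continue
            grp = groups.get(name)
            if grp is None:
                findings.append(f"{method}: references undefined server group '{name}'")
            elif not grp["hosts"]:
                findings.append(f"{method}: server group '{name}' has no host defined")
            else:
                for h in grp["hosts"]:
                    if h["key"] is None:
                        findings.append(f"{method}: host {h['host']} in group "
                                        f"'{name}' has no key")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run the file directly to print the findings for the embedded sample, or call audit() on the text of show running-config aaa-server and show running-config aaa taken from a device. When reading the "no LOCAL fallback" finding, keep in mind that the ASA consults the LOCAL keyword only when every server in the group is unreachable; a RADIUS reject is final, so the fallback protects against a down authentication server, not against a rejected login.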

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231