Defining an Authentication Server

Before configuring an authentication server on Cisco ASA, you must specify AAA server groups with the aaa-server command. The syntax of the aaa-server command to specify a new AAA server group and the respective protocol is as follows:

 aaa-server server-tag protocol server-protocol

server-tag is the server group name that is referenced by other AAA commands, and server-protocol is the name of the supported AAA protocol. Example 7-1 shows the authentication protocols that can be defined for a AAA server group.

Example 7-1. AAA Server Group Authentication Protocols

Chicago(config)# aaa-server mygroup protocol ?
 kerberos  Protocol Kerberos
 ldap      Protocol LDAP
 nt        Protocol NT
 radius    Protocol RADIUS
 sdi       Protocol SDI
 tacacs+   Protocol TACACS+

In Example 7-1, the AAA server group tag is named mygroup. After you define the AAA server group with its authentication protocol, the prompt changes to (config-aaa-server); the subcommands and options available at that prompt are shown in Example 7-2.

Example 7-2. AAA Server Group Configuration Options

Chicago(config)# aaa-server mygroup protocol radius
Chicago(config-aaa-server)# ?
aaa-server group configuration commands:
 accounting-mode      Enter this keyword to specify accounting mode
 max-failed-attempts  Specify the maximum number of failures that will be allowed
                      for any server in the group before that server is deactivated
 no                   Remove an item from aaa-server group configuration
 reactivation-mode    Specify the method by which failed servers are reactivated

In Example 7-2, the AAA server group mygroup was configured for RADIUS authentication. You can specify the accounting mode using the accounting-mode subcommand with one of these options:

  • simultaneous Indicates that accounting messages are sent to all servers in the group
  • single Indicates that accounting messages are sent to a single server

Note

Accounting mode options are available only if you are configuring a AAA server group for RADIUS or TACACS+.

The max-failed-attempts subcommand specifies the maximum allowed number of communication failures for any server in the AAA server group before that server is disabled or deactivated. The maximum number of failures can be configured in a range from 1 to 5.

Cisco ASA supports two different AAA server reactivation policies or modes:

  • Timed mode The failed or deactivated servers are reactivated after 30 seconds of downtime. Example 7-3 includes the subcommand to enable server reactivation in timed mode.
  • Depletion mode The failed or deactivated servers remain inactive until all other servers within the configured group are inactive. Example 7-4 shows the Cisco ASA configured with a server group called mygroup, a maximum allowed number of communication failures set to 4, and server reactivation in depletion mode.

Example 7-3. AAA Server Reactivation in Timed Mode

Chicago(config-aaa-server)# reactivation-mode timed

Example 7-4. AAA Server Reactivation in Depletion Mode

Chicago# configure terminal
Chicago(config)# aaa-server mygroup protocol radius
Chicago(config-aaa-server)# max-failed-attempts 4
Chicago(config-aaa-server)# reactivation-mode depletion deadtime 5
Chicago(config-aaa-server)# exit
Chicago(config)# exit

The deadtime keyword stipulates the number of minutes that elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. In this example the deadtime is set to 5 minutes.
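To make the difference between the two reactivation policies concrete, here is a small Python model of the behaviour described above (an added illustration, not ASA code and not from the book). It assumes, beyond what the text states, that a successful transaction resets a server's failure count and that time is a simulated clock in seconds; outage_seconds() uses two hosts and the max-failed-attempts 4 value from Example 7-4.

```python
class AaaServerGroup:
    """Model of the max-failed-attempts / reactivation-mode policy described above.
    Added illustration, not ASA code. Assumed beyond the page: a successful
    transaction resets a server's failure count; time is a simulated clock in seconds."""
    TIMED_REACTIVATION_SECS = 30          # timed mode: back after 30 s of downtime

    def __init__(self, hosts, max_failed_attempts, mode, deadtime_minutes=10):
        self.active = {h: True for h in hosts}   # dict order = configured order
        self.failures = {h: 0 for h in hosts}
        self.max_failed = max_failed_attempts
        self.mode = mode                          # "timed" or "depletion"
        self.deadtime = deadtime_minutes * 60     # deadtime is given in minutes
        self.now, self.down_since, self.depleted_at = 0, {}, None

    def pick(self):
        """First active host in configured order, or None when none is usable."""
        return next((h for h, up in self.active.items() if up), None)

    def record(self, host, ok):               # account for one transaction result
        if ok:
            self.failures[host] = 0
            return
        self.failures[host] += 1
        if self.failures[host] >= self.max_failed:
            self.active[host], self.failures[host] = False, 0
            self.down_since[host] = self.now
            if self.mode == "depletion" and self.pick() is None:
                self.depleted_at = self.now   # deadtime starts when the last server falls

    def advance(self, seconds):               # move the clock, apply reactivation
        self.now += seconds
        if self.mode == "timed":
            for h in self.active:
                if not self.active[h] and self.now - self.down_since[h] >= self.TIMED_REACTIVATION_SECS:
                    self.active[h] = True
        elif self.depleted_at is not None and self.now - self.depleted_at >= self.deadtime:
            self.active = {h: True for h in self.active}
            self.depleted_at = None

def outage_seconds(mode, deadtime_minutes=5):
    """Seconds with no usable server after two hosts each fail 4 times (max-failed-attempts 4)."""
    g = AaaServerGroup(["172.18.124.11", "172.18.124.12"], 4, mode, deadtime_minutes)
    for h in list(g.active):
        for _ in range(4):
            g.record(h, ok=False)
    start = g.now
    while g.pick() is None:
        g.advance(1)
    return g.now - start
```

In depletion mode the group is unusable for the whole deadtime once the last server falls, whereas in timed mode each server returns on its own 30 seconds after it was deactivated.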

To specify the AAA servers that will belong to specific groups, use the following command:

 aaa-server server-tag host ip_address

Example 7-5 shows all the AAA server host configuration options.

Example 7-5. AAA Server Host Available Configuration Options

Chicago(config-aaa-server)# ?
aaa-server host configuration commands:
 accounting-port      Specify the port number to be used for accounting
 authentication-port  Specify the port number to be used for authentication
 key                  Specify the secret used to authenticate the NAS to the AAA server
 no                   Remove an item from aaa-server host configuration
 radius-common-pw     Specify a common password for all RADIUS authorization transactions
 retry-interval       Specify the amount of time between retry attempts
 timeout              Specify the maximum time to wait for response from configured server

Example 7-6 shows the Cisco ASA configured with two AAA servers under the server group called mygroup.

Example 7-6. AAA Server Host Configuration

Chicago# configure terminal
Chicago(config)# aaa-server mygroup host 172.18.124.11
Chicago(config-aaa-server)# retry-interval 3
Chicago(config-aaa-server)# timeout 30
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
Chicago(config)# aaa-server mygroup host 172.18.124.12
Chicago(config-aaa-server)# retry-interval 3
Chicago(config-aaa-server)# timeout 30
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
Chicago(config)# exit

To view statistics about all AAA servers defined for a specific protocol, use the following command:

 show aaa-server protocol server-protocol

Example 7-7 includes the output of this command for the RADIUS protocol.

Example 7-7. Output of the show aaa-server protocol Command

Chicago# show aaa-server protocol radius
Server Group: mygroup
Server Protocol: radius
Server Address: 172.18.124.11
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 55
Number of authorization requests 13
Number of accounting requests 45
Number of retransmissions 0
Number of accepts 54
Number of rejects 1
Number of challenges 54
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0

Server Group: mygroup
Server Protocol: radius
Server Address: 172.18.124.12
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 0
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
Chicago#

To show the configuration of a specific AAA server, use the following command:

 show running-config aaa-server [server-group [(if_name) host ip_address]]

To show statistics about a specific AAA server, use the following command:

 show aaa-server [server-tag [host hostname]]

Example 7-8 includes the output of this command for server 172.18.124.11.

Example 7-8. Output of the show aaa-server Command for a Specific Host

Chicago# show aaa-server mygroup host 172.18.124.11
Server Group: mygroup
Server Protocol: radius
Server Address: 172.18.124.11
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 55
Number of authorization requests 13
Number of accounting requests 45
Number of retransmissions 0
Number of accepts 54
Number of rejects 1
Number of challenges 54
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
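The counters in Examples 7-7 and 7-8 are worth checking mechanically: Number of bad authenticators counts RADIUS replies whose Response Authenticator did not verify, which points at a shared-key mismatch or tampered packets, and timeouts are what feed the max-failed-attempts logic. The Python below (an added example, not from the book or Cisco) parses that output format from a constructed sample and returns findings per server; the FAILED status value in the sample is constructed, the page itself only shows ACTIVE.

```python
import re
# Constructed sample in the Example 7-8 format, trimmed to the fields the checks
# use; the second server (and its FAILED status value) is made unhealthy on purpose.
SAMPLE = """\
Server Group: mygroup
Server Address: 172.18.124.11
Server status: ACTIVE, Last transaction at unknown
Number of bad authenticators 0
Number of timeouts 0
Server Group: mygroup
Server Address: 172.18.124.12
Server status: FAILED, Last transaction at unknown
Number of bad authenticators 3
Number of timeouts 6
"""

COUNTER = re.compile(r"^Number of (.+?) (\d+)$")   # "Number of <name> <value>"

def parse_servers(text):
    """One dict per 'Server Group:' block: group, address, status, counters."""
    servers = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Server Group:"):
            servers.append({"group": line.split(":", 1)[1].strip(), "counters": {}})
        elif not servers:
            continue                                  # text before the first block
        elif line.startswith("Server Address:"):
            servers[-1]["address"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server status:"):
            servers[-1]["status"] = line.split(":", 1)[1].split(",")[0].strip()
        elif (m := COUNTER.match(line)):
            servers[-1]["counters"][m.group(1)] = int(m.group(2))
    return servers

def health_findings(server):
    """Defender-side findings for one parsed server; an empty list means healthy."""
    c, out = server["counters"], []
    if server.get("status") != "ACTIVE":
        out.append("not ACTIVE")
    if c.get("bad authenticators", 0):
        # Response Authenticator (MD5 over the reply plus the shared secret) failed to
        # verify: wrong key on one side, or replies that were tampered with in transit.
        out.append("bad authenticators: verify the shared key")
    if c.get("timeouts", 0):
        out.append("timeouts: server unreachable or slow")
    return out

def report(text):
    """Map each server address to its findings."""
    return {s["address"]: health_findings(s) for s in parse_servers(text)}
```

Feeding the real output of show aaa-server (or show aaa-server protocol radius) into report() gives the same per-server findings on a live appliance.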

To clear the AAA server statistics for a specific server, use this command:

 clear aaa-server statistics [tag [host hostname]]

To clear the AAA server statistics for all servers providing services for a specific protocol, use this command:

 clear aaa-server statistics protocol server-protocol

To remove the configuration of a specific AAA server group, use this command:

 clear configure aaa-server [server-tag]


Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231