Cisco ASA 5505 Configuration Manual page 654
Configuring AAA Server Groups
If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time, starting with the first server that you specify in the configuration, until a server responds. If all servers in the group are unavailable, the adaptive security appliance tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the adaptive security appliance continues to try the AAA servers.
How Fallback Works with Multiple Servers in a Group
If you configure multiple servers in a server group and you enable fallback to the local database for the server group, fallback occurs only when no server in the group responds to the authentication request from the adaptive security appliance. To illustrate this further, consider this scenario:

You configure an LDAP server group with two Active Directory servers, server 1 and server 2, in that order. When the remote user logs in, the adaptive security appliance attempts to authenticate to server 1.

If server 1 responds with an authentication failure (such as user not found), the adaptive security appliance does not attempt to authenticate to server 2. A failure is a response, so the login is simply denied; neither server 2 nor the local database is consulted.

If server 1 does not respond within the timeout period (or the number of authentication attempts exceeds the configured maximum), the adaptive security appliance tries server 2.

If neither server in the group responds, and the adaptive security appliance is configured to fall back to the local database, the adaptive security appliance attempts to authenticate to the local database.
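The scenario above, written out as ASA CLI. This is an added example, not configuration from the Cisco guide: the group name AD-LDAP, the interface name, the server addresses, the base DN, the bind account and every password are assumed placeholder values that you must replace. It configures the two-server LDAP group with LOCAL as the fallback for management authentication, which is the case the guide says fallback applies to.

```text
! Group definition. Servers are tried in the order they are added below.
aaa-server AD-LDAP protocol ldap
 ! Attempts against one server before the ASA treats it as not responding
 ! and moves to the next server in the group.
 max-failed-attempts 2
 ! A non-responding server is skipped until every server in the group is
 ! down; after 10 minutes of dead time all of them are retried.
 reactivation-mode depletion deadtime 10
!
! Server 1 (assumed address). Any answer from it, success or a failure such
! as "user not found", ends the sequence. Only a timeout moves on to server 2.
aaa-server AD-LDAP (inside) host 10.0.0.11
 timeout 5
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=example,dc=com
 ldap-login-password ReplaceWithBindPassword
!
! Server 2 (assumed address). Consulted only when server 1 does not respond.
aaa-server AD-LDAP (inside) host 10.0.0.12
 timeout 5
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=example,dc=com
 ldap-login-password ReplaceWithBindPassword
!
! Management authentication: AD-LDAP first, LOCAL only when no server in the
! group responds. Without the LOCAL keyword there is no fallback, and an
! unreachable group locks every administrator out.
aaa authentication ssh console AD-LDAP LOCAL
aaa authentication http console AD-LDAP LOCAL
aaa authentication enable console AD-LDAP LOCAL
!
! Fallback only helps if a local account with the needed privilege exists.
username admin password ReplaceWithStrongPassword privilege 15
!
! Exercise each server on its own before depending on the group, and check
! the group's per-server state (active / failed) afterwards.
test aaa-server authentication AD-LDAP host 10.0.0.11 username jdoe password ReplaceMe
test aaa-server authentication AD-LDAP host 10.0.0.12 username jdoe password ReplaceMe
show aaa-server AD-LDAP
```

Two points to check when reviewing a configuration like this: the local fallback account is a standing credential that is never checked against the directory, so it needs the same password and access controls you would give a break-glass account; and because an authentication failure from server 1 is final, a server that is reachable but answering wrongly (for example, a stale bind password returning errors that the ASA reports as failures) will deny logins without ever reaching server 2 or the local database, so `show aaa-server` and the `test aaa-server` output are the first thing to look at when fallback "does not work".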
group configured to fallback to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.

This section includes the following topics:
Adding a Server Group, page 31-8
Adding a Server to a Group, page 31-10
AAA Server Parameters, page 31-10

Adding a Server Group
To add a server group, perform the following steps:
Step 1  Choose Configuration > Device Management > Users/AAA > AAA Server Groups.
Step 2  In the AAA Server Groups area, click Add.

Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 31, Configuring AAA Servers and the Local Database, page 31-8, OL-20339-01