Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide (page 227)

Chapter 12
Configuring AAA
Identifying a AAA Server
The FWSM contacts the first server in the group. If that server is unavailable, the FWSM contacts the
next server in the group, if configured. If all servers in the group are unavailable, the FWSM tries the
local database if you configured it as a fallback method (management authentication and authorization
only). If you do not have a fallback method, the FWSM continues to try the AAA servers.
To add a server to a group, follow these steps:
Step 1
To identify the server group name and the protocol, enter the following command:
FWSM/contexta(config)# aaa-server server_group protocol {radius | tacacs+}
Step 2
To identify the maximum number of requests to send to a AAA server in the group before trying the next
server, enter the following command:
FWSM/contexta(config)# aaa-server server_group max-failed-attempts number
The number can be between 1 and 5 times. The default is 3.
If you configured a fallback method using the local database (for management access only; see the
"Configuring Authentication for CLI Access" section on page 12-8, the "Configuring Authentication to
Access Privileged Mode" section on page 12-8, and the "Configuring TACACS+ Command
Authorization" section on page 12-13 to configure the fallback mechanism), and all the servers in the
group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried.
The server group remains marked as unresponsive for a period of 10 minutes (by default) so that
additional AAA requests within that period do not attempt to contact the server group, and the fallback
method is used immediately. To change the unresponsive period from the default, see the aaa-server
deadtime command below.
If you do not have a fallback method, the FWSM continues to retry the servers in the group.
Step 3
If you configured a fallback method, identify the amount of time the server group is marked as
unresponsive after all communications attempts fail by entering the following command:
FWSM/contexta(config)# aaa-server server_group deadtime minutes
Step 4
To add a server to the group, enter the following command:
FWSM/contexta(config)# aaa-server server_group (interface_name) host server_ip [key] [timeout seconds]
The key is a case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the
key on the server. Spaces are not permitted in the key, but other special characters are permitted. The key
is used between the FWSM and server for encrypting data between them.
For example, to add one TACACS+ group with one primary and one backup server, and one RADIUS
group with a single server, enter the following commands:
FWSM/contexta(config)# aaa-server AuthInbound protocol tacacs+
FWSM/contexta(config)# aaa-server AuthInbound max-failed-attempts 2
FWSM/contexta(config)# aaa-server AuthInbound deadtime 20
FWSM/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey
FWSM/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.2 TheUauthKey2
FWSM/contexta(config)# aaa-server AuthOutbound protocol radius
FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
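The server-group behaviour this section describes (servers tried in configured order, max-failed-attempts per server, the deadtime window and the local-database fallback) can be checked offline against a configuration. The following Python script is an added example, not Cisco's code and not part of the guide: it parses the example aaa-server commands above (with the CLI prompt stripped), flags values outside the documented ranges and groups with no backup server, and models which server or fallback answers a request. The reachable callback, the local_fallback flag and the minute-based clock are assumptions of the model, not FWSM features.

```python
"""Parser, sanity checker and failover model for FWSM ``aaa-server`` groups.

Added example (not Cisco's code). Defaults and ranges come from the guide:
max-failed-attempts 1-5 (default 3), deadtime default 10 minutes, key up to
127 characters with no spaces. The reachable() callback, the local_fallback
flag and the integer "minute" clock are modelling assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample: the guide's example configuration with the prompt removed.
SAMPLE_CONFIG = """\
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 2
aaa-server AuthInbound deadtime 20
aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey
aaa-server AuthInbound (inside) host 10.1.1.2 TheUauthKey2
aaa-server AuthOutbound protocol radius
aaa-server AuthOutbound (inside) host 10.1.1.3
"""


@dataclass
class Host:
    interface: str
    ip: str
    key: Optional[str] = None
    timeout: Optional[int] = None


@dataclass
class ServerGroup:
    name: str
    protocol: Optional[str] = None
    max_failed_attempts: int = 3   # guide: 1-5, default 3
    deadtime: int = 10             # guide: default 10 minutes
    hosts: list = field(default_factory=list)
    dead_until: int = -1           # minute at which the "unresponsive" mark expires (model state)


def parse_aaa_server(config_text: str) -> dict:
    """Build ServerGroup objects from ``aaa-server`` lines, keeping host order."""
    groups: dict = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "aaa-server":
            continue
        group = groups.setdefault(tokens[1], ServerGroup(tokens[1]))
        rest = tokens[2:]
        if rest[0] == "protocol":
            group.protocol = rest[1]
        elif rest[0] == "max-failed-attempts":
            group.max_failed_attempts = int(rest[1])
        elif rest[0] == "deadtime":
            group.deadtime = int(rest[1])
        elif rest[0].startswith("(") and len(rest) >= 3 and rest[1] == "host":
            args = rest[3:]
            timeout = None
            if len(args) >= 2 and args[-2] == "timeout":   # optional trailing "timeout seconds"
                timeout, args = int(args[-1]), args[:-2]
            key = args[0] if args else None                # optional key precedes timeout
            group.hosts.append(Host(rest[0].strip("()"), rest[2], key, timeout))
    return groups


def check_groups(groups: dict) -> list:
    """Return findings a reviewer would raise against the parsed configuration."""
    findings = []
    for g in groups.values():
        if g.protocol not in ("radius", "tacacs+"):
            findings.append(f"{g.name}: protocol must be radius or tacacs+")
        if not 1 <= g.max_failed_attempts <= 5:
            findings.append(f"{g.name}: max-failed-attempts {g.max_failed_attempts} is outside 1-5")
        if len(g.hosts) == 0:
            findings.append(f"{g.name}: no host defined")
        elif len(g.hosts) == 1:
            findings.append(f"{g.name}: single server, no backup in the group")
        for h in g.hosts:
            if h.key is None:
                findings.append(f"{g.name}: host {h.ip} has no key configured")
            elif len(h.key) > 127 or " " in h.key:
                findings.append(f"{g.name}: host {h.ip} key breaks the 127-character/no-space rule")
    return findings


def handle_request(group: ServerGroup, now: int, reachable: Callable[[str], bool],
                   local_fallback: bool) -> tuple:
    """Model one AAA request at minute ``now``.

    Returns (handler, contacts): handler is the server IP that answered, "LOCAL"
    for the fallback database, or None when no fallback exists and the FWSM
    keeps retrying; contacts counts requests sent to AAA servers.
    """
    # While the group is marked unresponsive, the fallback is used immediately.
    if local_fallback and now < group.dead_until:
        return "LOCAL", 0
    contacts = 0
    for host in group.hosts:                 # first server, then the next, in configured order
        for _ in range(group.max_failed_attempts):
            contacts += 1
            if reachable(host.ip):
                return host.ip, contacts
    # Every server failed max-failed-attempts times: the group is unresponsive.
    if local_fallback:
        group.dead_until = now + group.deadtime
        return "LOCAL", contacts
    return None, contacts


if __name__ == "__main__":
    parsed = parse_aaa_server(SAMPLE_CONFIG)
    for finding in check_groups(parsed):
        print(finding)
    print(handle_request(parsed["AuthInbound"], 0, lambda ip: ip == "10.1.1.2", True))
```

Run as a script it prints the findings for the example configuration (AuthOutbound has a single server and no key) and shows the TACACS+ group failing over to 10.1.1.2 after two attempts on the primary. handle_request takes the current minute as a parameter so the deadtime window can be exercised without waiting in real time.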
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
12-7