Cisco FirePOWER ASA 5500 series Configuration Manual page 197

Security appliance command line

Chapter 13
Configuring AAA Servers and the Local Database
Identifying AAA Server Groups and Servers
hostname(config-aaa-server-group)# max-failed-attempts number
The number can be between 1 and 5. The default is 3.
If you configured a fallback method using the local database (for management access only; see the
"Configuring AAA for System Administrators" section on page 40-4 and the "Configuring
TACACS+ Command Authorization" section on page 40-10 to configure the fallback mechanism),
and all the servers in the group fail to respond, then the group is considered to be unresponsive, and
the fallback method is tried. The server group remains marked as unresponsive for a period of 10
minutes (by default) so that additional AAA requests within that period do not attempt to contact
the server group, and the fallback method is used immediately. To change the unresponsive period
from the default, see the reactivation-mode command in the following step.
If you do not have a fallback method, the security appliance continues to retry the servers in the
group.
c. If you want to specify the method (reactivation policy) by which failed servers in a group are
reactivated, enter the following command:
hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}
Where the depletion keyword reactivates failed servers only after all of the servers in the group are
inactive.
The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that
elapses between the disabling of the last server in the group and the subsequent re-enabling of all
servers. The default is 10 minutes.
The timed keyword reactivates failed servers after 30 seconds of down time.
d. If you want to send accounting messages to all servers in the group (RADIUS or TACACS+ only),
enter the following command:
hostname(config-aaa-server-group)# accounting-mode simultaneous
To restore the default of sending messages only to the active server, enter the accounting-mode
single command.
Step 2
For each AAA server on your network, follow these steps:
a. Identify the server, including the AAA server group it belongs to. To do so, enter the following
command:
hostname(config)# aaa-server server_group (interface_name) host server_ip
When you enter an aaa-server host command, you enter host mode.
b. As needed, use host mode commands to further configure the AAA server.
The commands in host mode do not apply to all AAA server types. Table 13-2 lists the available
commands, the server types they apply to, and whether a new AAA server definition has a default
value for that command. Where a command is applicable to the server type you specified and no
default value is provided (indicated by "—"), use the command to specify the value. For more
information about these commands, see the Cisco Security Appliance Command Reference.
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
13-13
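The following Python check is an added example, not part of the Cisco guide: it reads a draft configuration and reports, for each AAA server group, the effective max-failed-attempts, reactivation and accounting settings, how long failed servers stay disabled, and any values outside the ranges given above. The function name, the sample configuration, the `aaa-server <group> protocol <protocol>` line form, the one-space indentation of sub-mode commands, and depletion as the default reactivation mode are assumptions.

```python
import re

# Defaults and ranges as stated on this page. Treating depletion as the default
# reactivation mode is an assumption drawn from the 10-minute default period.
DEFAULTS = {"max_failed_attempts": 3, "mode": "depletion", "deadtime": 10, "accounting": "single"}

def audit_aaa_groups(config_text):
    """Map each AAA server group to its effective settings, hosts and issues."""
    groups, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line ends any sub-mode
            current = None
            if m := re.fullmatch(r"aaa-server (\S+) protocol (\S+)", line):
                current = groups.setdefault(m[1], dict(DEFAULTS, protocol=m[2], hosts=[], issues=[]))
            elif (m := re.fullmatch(r"aaa-server (\S+) \((\S+)\) host (\S+)", line)) and m[1] in groups:
                groups[m[1]]["hosts"].append(m[3])
        elif current is None:                # host-mode or unrelated sub-command
            continue
        elif m := re.fullmatch(r"max-failed-attempts (\d+)", line):
            current["max_failed_attempts"] = int(m[1])
            if not 1 <= int(m[1]) <= 5:
                current["issues"].append("max-failed-attempts outside 1-5")
        elif m := re.fullmatch(r"reactivation-mode depletion(?: deadtime (\d+))?", line):
            current["mode"], current["deadtime"] = "depletion", int(m[1] or 10)
            if not 0 <= current["deadtime"] <= 1440:
                current["issues"].append("deadtime outside 0-1440")
        elif line == "reactivation-mode timed":
            current["mode"], current["deadtime"] = "timed", None
        elif m := re.fullmatch(r"accounting-mode (single|simultaneous)", line):
            current["accounting"] = m[1]
    for g in groups.values():
        # Seconds until failed servers are re-enabled: 30 (timed) or the deadtime (depletion).
        g["reactivate_after_s"] = 30 if g["mode"] == "timed" else g["deadtime"] * 60
        if not g["hosts"]:
            g["issues"].append("group has no servers defined")
    return groups

# Constructed sample configuration (group names and addresses are made up).
SAMPLE = """\
aaa-server MGMT_TACACS protocol tacacs+
 max-failed-attempts 7
 reactivation-mode depletion deadtime 30
 accounting-mode simultaneous
aaa-server MGMT_TACACS (inside) host 192.0.2.10
 timeout 5
aaa-server VPN_RADIUS protocol radius
 reactivation-mode timed
"""
```

Calling `audit_aaa_groups(SAMPLE)` returns one entry per group; in depletion mode `reactivate_after_s` is also how long management authentication would be served by the local fallback once every server in the group has failed.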


This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
