Cisco ASA Series CLI Configuration Manual, page 857

Software version 9.0 for the services module

Cisco ASA Series CLI Configuration Guide, page 1-11
Chapter 1 Configuring AAA Servers and the Local Database
Configuring AAA

Task Flow for Configuring AAA

Step 1
Do one or both of the following:
- Add a AAA server group. See the "Configuring AAA Server Groups" section on page 1-11.
- Add a user to the local database. See the "Adding a User Account to the Local Database" section on page 1-22.

Step 2
(Optional) Configure authorization from an LDAP server that is separate and distinct from the
authentication mechanism. See the "Configuring Authorization with LDAP for VPN" section on page 1-18.

Step 3
For an LDAP server, configure LDAP attribute maps. See the "Configuring LDAP Attribute Maps"
section on page 1-20.

Step 4
(Optional) Distinguish between administrative and remote-access users when they authenticate. See the
"Differentiating User Roles Using AAA" section on page 1-29.

Configuring AAA Server Groups

If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.

Guidelines
- You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode.
- Each group can have up to 16 servers in single mode or 4 servers in multiple mode.
- When a user logs in, the servers are accessed one at a time, starting with the first server you specify
  in the configuration, until a server responds. If all servers in the group are unavailable, the ASA tries
  the local database if you configured it as a fallback method (management authentication and
  authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.
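The guidelines above can be checked mechanically against a saved configuration. The following is an added example, not part of the Cisco guide: it flags server groups that exceed the stated limits and management AAA lines that name a server group without LOCAL as fallback. The command forms it parses (aaa-server ... protocol, aaa-server ... host, aaa authentication ... console, aaa authorization command) are standard ASA syntax that does not appear on this page; the function name, group names and addresses are constructed.

```python
import re
from collections import defaultdict

# Limits from the guidelines: mode -> (max server groups, max servers per group).
LIMITS = {"single": (100, 16), "multiple": (4, 4)}

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) (?:\(\S+\) )?host (\S+)")
# Management authentication / command authorization, where LOCAL may follow a group.
MGMT_RE = re.compile(r"^aaa (?:authentication (?:ssh|telnet|serial|http|enable) "
                     r"console|authorization command) (.+)$")

# Constructed sample (documentation addresses, made-up group names).
SAMPLE = """\
aaa-server TACACS_MGMT protocol tacacs+
aaa-server TACACS_MGMT (inside) host 192.0.2.10
aaa-server TACACS_MGMT (inside) host 192.0.2.11
aaa-server RADIUS_VPN protocol radius
aaa-server RADIUS_VPN (inside) host 192.0.2.20
aaa authentication ssh console TACACS_MGMT LOCAL
aaa authentication http console TACACS_MGMT
aaa authorization command TACACS_MGMT LOCAL
"""


def audit_aaa(config, mode="single"):
    """Return findings for the AAA lines of an ASA configuration."""
    max_groups, max_servers = LIMITS[mode]
    groups, hosts, mgmt, findings = {}, defaultdict(list), [], []
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
        elif m := HOST_RE.match(line):
            hosts[m.group(1)].append(m.group(2))
        elif m := MGMT_RE.match(line):
            mgmt.append((line, m.group(1).split()))
    if len(groups) > max_groups:
        findings.append(f"{len(groups)} server groups exceeds {max_groups} ({mode} mode)")
    for name, servers in hosts.items():
        if name not in groups:
            findings.append(f"host added to undefined group {name}")
        if len(servers) > max_servers:
            findings.append(f"group {name}: {len(servers)} servers exceeds {max_servers}")
    for line, methods in mgmt:
        # Group with no LOCAL after it: the ASA keeps trying the AAA servers.
        if methods[0] != "LOCAL" and "LOCAL" not in methods[1:]:
            findings.append(f"no LOCAL fallback: {line}")
    return findings
```

Calling `audit_aaa(SAMPLE)` reports the `http console` line, which names TACACS_MGMT with no LOCAL fallback; pass `mode="multiple"` to apply the per-context limits.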
