Identifying Aaa Server Groups And Servers - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 13
Configuring AAA Servers and the Local Database
The nas-prompt keyword allows access to the CLI when you configure the aaa authentication {telnet
| ssh | serial} console LOCAL command, but denies ASDM configuration access if you configure the
aaa authentication http console LOCAL command. ASDM monitoring access is allowed. If you
configure enable authentication with the aaa authentication enable console LOCAL command, the
user cannot access privileged EXEC mode using the enable command (or by using the login command).
The remote-access keyword denies management access. The user cannot use any services specified by
the aaa authentication console LOCAL commands (excluding the serial keyword; serial access is
allowed).
(Optional) If you are using this username for VPN authentication, you can configure many VPN
Step 5
attributes for the user. See the
For example, the following command assigns a privilege level of 15 to the admin user account:
hostname(config)# username admin password passw0rd privilege 15
The following command creates a user account with no password:
hostname(config)# username bcham34 nopassword
The following commands enable management authorization, creates a user account with a password,
enters username attributes configuration mode, and specifies the service-type attribute:
hostname(config)# aaa authorization exec authentication-server
hostname(config)# username rwilliams password gOgeOus
hostname(config)# username rwilliams attributes
hostname(config-username)# service-type nas-prompt
Identifying AAA Server Groups and Servers
If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.
The security appliance contacts the first server in the group. If that server is unavailable, the security
appliance contacts the next server in the group, if configured. If all servers in the group are unavailable,
the security appliance tries the local database if you configured it as a fallback method (management
authentication and authorization only). If you do not have a fallback method, the security appliance
continues to try the AAA servers.
To create a server group and add AAA servers to it, follow these steps:
For each AAA server group you need to create, follow these steps:
Step 1
a.
OL-12172-03
Identify the server group name and the protocol. To do so, enter the following command:
hostname(config)# aaa-server server_group protocol {kerberos | ldap | nt | radius |
sdi | tacacs+}
For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI
access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+
servers.
"Configuring User Attributes" section on page
Cisco Security Appliance Command Line Configuration Guide
Identifying AAA Server Groups and Servers
30-73.
13-9
Advertisement
Table of Contents
Troubleshooting
