Identifying Aaa Server Groups And Servers - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI

Chapter 11
Configuring AAA Servers and the Local Database
hostname(config-username)# vpn-tunnel-protocol IPSec
hostname(config-username)# vpn-simultaneous-logins 6
hostname(config-username)# exit

Identifying AAA Server Groups and Servers

If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.
The FWSM contacts the first server in the group. If that server is unavailable, the FWSM contacts the
next server in the group, if configured. If all servers in the group are unavailable, the FWSM tries the
local database if you configured it as a fallback method (management authentication and authorization
only). If you do not have a fallback method, the FWSM continues to try the AAA servers.
To create a server group and add AAA servers to it, perform the following steps:

Step 1   For each AAA server group you need to create, perform the following steps:

a. Identify the server group name and the protocol by entering the following command:

hostname(config)# aaa-server server_group protocol {kerberos | ldap | nt | radius | sdi | tacacs+}

For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.

You can have up to 15 AAA server groups in single mode or 4 AAA server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode.

When you enter a aaa-server command, you enter group mode.

b. If you want to specify the maximum number of requests sent to a AAA server in the group before trying the next server, enter the following command:

hostname(config-aaa-server-group)# max-failed-attempts number

The number can be between 1 and 5. The default is 3.

If you configured a fallback method using the local database (for management access only; see the "AAA for System Administrators" section on page 23-10 and the "Configuring TACACS+ Command Authorization" section on page 23-18 to configure the fallback mechanism), and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default) so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the following step.

If you do not have a fallback method, the FWSM continues to retry the servers in the group.

c. If you want to specify the method (reactivation policy) by which failed servers in a group are reactivated, use the reactivation-mode command. For more information about this command, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
11-9
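The following worked configuration is an added example, not taken from this page of the guide. It builds the two groups the text uses as its illustration (RADIUS for network access, TACACS+ for CLI access), tunes max-failed-attempts and the reactivation policy, and wires the TACACS+ group to a local-database fallback for management access. The group names, the interface name "inside", the IP addresses and the shared secrets are placeholders; the aaa-server host, key, reactivation-mode and aaa authentication command forms are assumed from later steps and chapters of the same guide rather than from this page.

```cisco
! Added example; names, addresses and keys are placeholders.
! RADIUS group used for network-access authentication.
hostname(config)# aaa-server NETACCESS_RADIUS protocol radius
! Give up on a server after 2 unanswered requests instead of the default 3,
! so the next server in the group is tried sooner.
hostname(config-aaa-server-group)# max-failed-attempts 2
! Depletion policy: a failed server stays out of rotation until every server
! in the group has failed; the whole group is then reactivated after the
! deadtime (5 minutes here instead of the default 10). Syntax assumed from
! the command reference, not shown on this page.
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 5
hostname(config-aaa-server-group)# exit
! Server entries; the host command form is assumed from the next step.
hostname(config)# aaa-server NETACCESS_RADIUS (inside) host 10.1.1.10
hostname(config-aaa-server-host)# key <radius-secret-placeholder>
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NETACCESS_RADIUS (inside) host 10.1.1.11
hostname(config-aaa-server-host)# key <radius-secret-placeholder>
hostname(config-aaa-server-host)# exit

! Separate TACACS+ group for CLI (management) access.
hostname(config)# aaa-server MGMT_TACACS protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 3
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server MGMT_TACACS (inside) host 10.1.1.20
hostname(config-aaa-server-host)# key <tacacs-secret-placeholder>
hostname(config-aaa-server-host)# exit

! Local-database fallback (management authentication only): once the
! TACACS+ group is marked unresponsive, SSH logins are checked against the
! local users for the deadtime instead of retrying the servers forever.
! Syntax assumed from the "AAA for System Administrators" chapter.
hostname(config)# aaa authentication ssh console MGMT_TACACS LOCAL
```

The shorter deadtime on the RADIUS group trades a faster return to the external servers against more frequent probing of servers that may still be down; for the management group the default is kept, so the LOCAL fallback stays in effect for the full 10 minutes after all TACACS+ servers fail, which is the behaviour the text above describes. Without the trailing LOCAL keyword there is no fallback and, as the text notes, the FWSM keeps retrying the group.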