Nextelco:ASA aaa

From its-wiki.no

Authentication, Authorization & Accounting with ASA

  • Guidelines: The ASA can send accounting records to a RADIUS or TACACS+ server for any TCP or UDP traffic that passes through it. If that traffic is also authenticated, the AAA server can keep accounting information by username; if it is not authenticated, the AAA server can only keep it by IP address. Each record includes when the session started and stopped, the username, the number of bytes that passed through the ASA for the session, the service used, and the duration of the session.
  • Before you can use the aaa accounting command, you must first designate a AAA server group with the aaa-server command.
  • To enable accounting for traffic selected by an access list, use the aaa accounting match command. The match form cannot be combined with the aaa accounting include and exclude forms in the same configuration. Use match rather than include and exclude: the include and exclude forms are not supported by ASDM, and they cannot be used between same-security interfaces, where match is the only option.

ASA 8.2


hostname(config)# aaa-server server-tag protocol server-protocol
hostname(config)# aaa-server FreeRADIUS protocol radius
hostname(config-aaa-server-group)# accounting-mode simultaneous
hostname(config-aaa-server-group)# reactivation-mode timed
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# exit

The group-mode keywords are reactivation-mode (depletion or timed) and max-failed-attempts; accounting-mode simultaneous sends each accounting record to every server in the group rather than only to the active one.

You control AAA server configuration by defining a AAA server group and its protocol with the aaa-server command, and then you add servers to the group using the aaa-server host command.

On ASA 8.2 you can have up to 15 server groups in single mode (later releases raise this limit) or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are tried one at a time in the order you specified in the configuration, until a server responds; the group is a failover list, not a load-balancing pool.

hostname(config)# aaa-server server-tag [(interface-name)] host {server-ip | name} [key] [timeout seconds]
hostname(config)# aaa-server FreeRADIUS (inside) host 192.168.14.4
hostname(config-aaa-server-host)# key 10

The shared secret is entered as the key parameter in host mode, not as a key keyword on the host line; it must match the secret configured on the RADIUS server for the ASA's address. The value 10 is kept from the original page; in practice use a long random secret, since it is the only thing that authenticates accounting packets between the ASA and the server.

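The commands above only create the server group and host; the guidelines also require an access list and the aaa accounting match command before any records are sent. The following is an added worked example of the complete setup on ASA 8.2 (it is not from the original page or from Cisco's documentation). The group name FreeRADIUS and server 192.168.14.4 come from the page; the access-list name INSIDE_ACCT, the inside network 192.168.14.0/24, the shared secret, and the timer values are assumptions. Lines beginning with ! are explanatory comments, not commands to type.

```text
! Added example (not from the original page). Assumed: ACL INSIDE_ACCT, inside net 192.168.14.0/24.

! 1. Server group: RADIUS, send every accounting record to all servers at once,
!    and return a failed server to service after a fixed time instead of waiting
!    until every server in the group has failed.
hostname(config)# aaa-server FreeRADIUS protocol radius
hostname(config-aaa-server-group)# accounting-mode simultaneous
hostname(config-aaa-server-group)# reactivation-mode timed
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# exit

! 2. Server host. The shared secret goes in host mode. The ASA defaults to the
!    legacy RADIUS ports 1645/1646; FreeRADIUS listens on 1812/1813 by default,
!    so set the ports explicitly or accounting silently never arrives.
hostname(config)# aaa-server FreeRADIUS (inside) host 192.168.14.4
hostname(config-aaa-server-host)# key Replace-With-A-Long-Random-Shared-Secret
hostname(config-aaa-server-host)# authentication-port 1812
hostname(config-aaa-server-host)# accounting-port 1813
hostname(config-aaa-server-host)# timeout 5
hostname(config-aaa-server-host)# retry-interval 3
hostname(config-aaa-server-host)# exit

! 3. Select the traffic to account for: all TCP and UDP from the inside network.
hostname(config)# access-list INSIDE_ACCT extended permit tcp 192.168.14.0 255.255.255.0 any
hostname(config)# access-list INSIDE_ACCT extended permit udp 192.168.14.0 255.255.255.0 any

! 4. Authenticate the same traffic so records carry a username rather than only
!    an IP address, then enable accounting for it. Use match, never include/exclude,
!    so the same configuration works between same-security interfaces and in ASDM.
hostname(config)# aaa authentication match INSIDE_ACCT inside FreeRADIUS
hostname(config)# aaa accounting match INSIDE_ACCT inside FreeRADIUS

! 5. Check that the server is ACTIVE before relying on the records.
hostname# show aaa-server FreeRADIUS host 192.168.14.4
```

If show aaa-server reports the host as FAILED, the usual causes are a mismatched shared secret or the port defaults in step 2; with reactivation-mode timed the ASA retries the host on its own after the dead time, so a server that was briefly unreachable does not stay marked down until the whole group is exhausted.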



Return to Phase 1 page.

Return to Technology page.