
Defining an Authentication Server

Before configuring an authentication server on Cisco ASA, you must specify AAA server groups with the aaa-server command. The syntax of the aaa-server command to specify a new AAA server group and the respective protocol is as follows:

  aaa-server server-tag protocol server-protocol

server-tag is the server group name that the other AAA commands reference, and server-protocol is the name of the supported AAA protocol. Example 7-1 shows the different authentication protocols that can be defined for a AAA server group.

Example 7-1. AAA Server Group Authentication Protocols
Chicago(config)# aaa-server mygroup protocol ?
  kerberos  Protocol Kerberos
  ldap      Protocol LDAP
  nt        Protocol NT
  radius    Protocol RADIUS
  sdi       Protocol SDI
  tacacs+   Protocol TACACS+

In Example 7-1, the AAA server group tag is named mygroup. After you define the AAA server group with its authentication protocol, the prompt changes to (config-aaa-server); the subcommands and options available there are shown in Example 7-2.

Example 7-2. AAA Server Group Configuration Options
Chicago(config)# aaa-server mygroup protocol radius
Chicago(config-aaa-server)# ?
aaa-server group configuration commands:
  accounting-mode      Enter this keyword to specify accounting mode
  max-failed-attempts  Specify the maximum number of failures that will be allowed
                       for any server in the group before that server is deactivated
  no                   Remove an item from aaa-server group configuration
  reactivation-mode    Specify the method by which failed servers are reactivated

In Example 7-2, the AAA server group mygroup was configured for RADIUS authentication. You can specify the accounting mode using the accounting-mode subcommand with one of these options:

  • simultaneous— Indicates that accounting messages are sent to all servers in the group

  • single— Indicates that accounting messages are sent to a single server

Note

Accounting mode options are available only if you are configuring a AAA server group for RADIUS or TACACS+.


The max-failed-attempts subcommand specifies the maximum allowed number of communication failures for any server in the AAA server group before that server is disabled or deactivated. The maximum number of failures can be configured in a range from 1 to 5.

Cisco ASA supports two different AAA server reactivation policies or modes:

  • Timed mode— The failed or deactivated servers are reactivated after 30 seconds of downtime. Example 7-3 includes the subcommand to enable server reactivation in timed mode.

  • Depletion mode— The failed or deactivated servers remain inactive until all other servers within the configured group are inactive. Example 7-4 shows the Cisco ASA configured with a server group called mygroup, a maximum allowed number of communication failures set to 4, and server reactivation in depletion mode.

Example 7-3. AAA Server Reactivation in Timed Mode
Chicago(config-aaa-server)# reactivation-mode timed

Example 7-4. AAA Server Reactivation in Depletion Mode
Chicago# configure terminal
Chicago(config)# aaa-server mygroup protocol radius
Chicago(config-aaa-server)# max-failed-attempts 4
Chicago(config-aaa-server)# reactivation-mode depletion deadtime 5
Chicago(config-aaa-server)# exit
Chicago(config)# exit

The deadtime keyword sets the amount of time, in minutes, that elapses between the disabling of the last server in the group and the subsequent re-enabling of all servers in the group. In this example the deadtime is 5 minutes.
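The interaction between max-failed-attempts, the two reactivation modes and deadtime is easier to see when the rules are written down as code. The following model is an added illustration, not Cisco ASA code or output; it implements only the behaviour the text states (a server is deactivated after max-failed-attempts failures; timed mode brings it back after 30 seconds; depletion mode brings nothing back until every server in the group is down and the deadtime has elapsed). Time is tracked in seconds, and the class, method and variable names are assumptions for this example.

```python
"""Model of the two AAA server reactivation policies described in the text.
Added illustration, not Cisco ASA code: only the stated behaviour is modelled."""
from dataclasses import dataclass, field
from typing import List, Optional

TIMED_REACTIVATION_SECONDS = 30   # timed mode: a deactivated server returns after 30 s


@dataclass
class AAAServer:
    address: str
    failures: int = 0                        # communication failures since last reset
    active: bool = True
    deactivated_at: Optional[float] = None   # time (s) at which the server was deactivated


@dataclass
class AAAServerGroup:
    tag: str
    servers: List[AAAServer]
    reactivation_mode: str                   # "timed" or "depletion"
    max_failed_attempts: int                 # the text gives the range 1 to 5
    deadtime_minutes: Optional[int] = None   # depletion mode only
    all_down_at: Optional[float] = field(default=None, init=False)

    def __post_init__(self) -> None:
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("max-failed-attempts must be between 1 and 5")
        if self.reactivation_mode not in ("timed", "depletion"):
            raise ValueError("reactivation-mode must be 'timed' or 'depletion'")
        if self.reactivation_mode == "depletion" and self.deadtime_minutes is None:
            raise ValueError("depletion mode needs a deadtime")

    def _server(self, address: str) -> AAAServer:
        return next(s for s in self.servers if s.address == address)

    def record_failure(self, address: str, now: float) -> None:
        """One failed exchange with `address` at time `now` (seconds)."""
        srv = self._server(address)
        if not srv.active:
            return
        srv.failures += 1
        if srv.failures >= self.max_failed_attempts:
            srv.active, srv.failures, srv.deactivated_at = False, 0, now
            # depletion mode: the deadtime clock starts when the LAST server goes down
            if self.reactivation_mode == "depletion" and not any(s.active for s in self.servers):
                self.all_down_at = now

    def record_success(self, address: str) -> None:
        self._server(address).failures = 0

    def active_servers(self, now: float) -> List[str]:
        """Apply the reactivation policy at time `now`; return the usable servers."""
        if self.reactivation_mode == "timed":
            for s in self.servers:
                if not s.active and now - s.deactivated_at >= TIMED_REACTIVATION_SECONDS:
                    s.active, s.deactivated_at = True, None
        elif self.all_down_at is not None and now - self.all_down_at >= self.deadtime_minutes * 60:
            for s in self.servers:               # deadtime elapsed: re-enable every server
                s.active, s.deactivated_at = True, None
            self.all_down_at = None
        return [s.address for s in self.servers if s.active]


def example_7_4_group() -> AAAServerGroup:
    """The group from Example 7-4: max-failed-attempts 4, depletion mode, deadtime 5."""
    return AAAServerGroup("mygroup",
                          [AAAServer("172.18.124.11"), AAAServer("172.18.124.12")],
                          reactivation_mode="depletion", max_failed_attempts=4,
                          deadtime_minutes=5)


if __name__ == "__main__":
    g = example_7_4_group()
    for t in range(4):                       # four failures deactivate the first server
        g.record_failure("172.18.124.11", t)
    print(g.active_servers(100))             # only 172.18.124.12 remains usable
```

Running the model with the Example 7-4 settings shows why depletion mode suits a group whose servers are ranked by preference: the first server stays out of rotation for as long as the second one is healthy, and the whole group is re-enabled only five minutes after the second server fails as well.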

To add a AAA server to a specific group, use the following command:

  aaa-server server-tag host ip_address

Example 7-5 shows all the AAA server host configuration options.

Example 7-5. AAA Server Host Available Configuration Options
Chicago(config-aaa-server)# ?
aaa-server host configuration commands:
  accounting-port      Specify the port number to be used for accounting
  authentication-port  Specify the port number to be used for authentication
  key                  Specify the secret used to authenticate the NAS to the AAA
                       server
  no                   Remove an item from aaa-server host configuration
  radius-common-pw     Specify a common password for all RADIUS authorization
                       transactions
  retry-interval       Specify the amount of time between retry attempts
  timeout              Specify the maximum time to wait for response from configured
                       server

Example 7-6 shows the Cisco ASA configured with two AAA servers under the server group called mygroup.

Example 7-6. AAA Server Host Configuration
Chicago# configure terminal
Chicago(config)# aaa-server mygroup host 172.18.124.11
Chicago(config-aaa-server)# retry-interval 3
Chicago(config-aaa-server)# timeout 30
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
Chicago(config)# aaa-server mygroup host 172.18.124.12
Chicago(config-aaa-server)# retry-interval 3
Chicago(config-aaa-server)# timeout 30
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
Chicago(config)# exit

To view statistics about all AAA servers defined for a specific protocol, use the following command:

  show aaa-server protocol server-protocol

Example 7-7 includes the output of this command for the RADIUS protocol.

Example 7-7. Output of the show aaa-server protocol Command
Chicago# show aaa-server protocol radius
Server Group:    mygroup
Server Protocol: radius
Server Address:  172.18.124.11
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       55
Number of authorization requests        13
Number of accounting requests           45
Number of retransmissions               0
Number of accepts                       54
Number of rejects                       1
Number of challenges                    54
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0
Server Group:    mygroup
Server Protocol: radius
Server Address:  172.18.124.12
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0
Chicago#
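The per-server counters in this output are the first place to look when authentication starts failing, so it is worth being able to read them programmatically. The following script is an added example, not part of the book or of Cisco ASA: it parses show aaa-server output into one record per server and flags the counters that point at a problem (bad authenticators usually mean the shared key differs on one side or replies are not coming from the configured server; timeouts and retransmissions point at reachability or a wrong port; a high reject ratio can be a misconfigured client or a password-guessing attempt). The sample input is the Example 7-7 block for 172.18.124.11 followed by a constructed block for 172.18.124.12 with degraded counters; the 25 percent reject threshold and all function names are assumptions for this example.

```python
"""Parse `show aaa-server` output and flag unhealthy servers. Added example,
not Cisco code; the second server block below is constructed for illustration."""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
Chicago# show aaa-server protocol radius
Server Group:    mygroup
Server Protocol: radius
Server Address:  172.18.124.11
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       55
Number of authorization requests        13
Number of accounting requests           45
Number of retransmissions               0
Number of accepts                       54
Number of rejects                       1
Number of challenges                    54
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0
Server Group:    mygroup
Server Protocol: radius
Server Address:  172.18.124.12
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              2
Average round trip time                 410ms
Number of authentication requests       40
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               12
Number of accepts                       20
Number of rejects                       12
Number of challenges                    20
Number of malformed responses           0
Number of bad authenticators            3
Number of timeouts                      7
Number of unrecognized responses        0
Chicago#
"""

FIELD_RE = re.compile(r"^Server (Group|Protocol|Address|port|status):\s+(.*)$")
COUNTER_RE = re.compile(r"^Number of ([a-z ]+?)\s{2,}(\d+)$")
RTT_RE = re.compile(r"^Average round trip time\s+(\d+)ms$")


def parse_show_aaa_server(text: str) -> List[Dict]:
    """Return one dict per server block: header fields plus an integer 'counters' map."""
    servers: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2).strip()
            if name == "group":              # every "Server Group:" line starts a new block
                current = {"counters": {}}
                servers.append(current)
            if current is not None:
                current[name] = value
            continue
        if current is None:                  # prompt or text before the first block
            continue
        m = COUNTER_RE.match(line)
        if m:
            current["counters"][m.group(1)] = int(m.group(2))
            continue
        m = RTT_RE.match(line)
        if m:
            current["counters"]["round trip time ms"] = int(m.group(1))
    return servers


def check_server_health(server: Dict, max_reject_ratio: float = 0.25) -> List[str]:
    """Findings worth an operator's attention, derived only from the parsed counters."""
    c = server["counters"]
    findings: List[str] = []
    if not server.get("status", "").startswith("ACTIVE"):
        findings.append("status is not ACTIVE")
    if c.get("bad authenticators", 0):       # key mismatch, or replies not from the configured server
        findings.append(f"{c['bad authenticators']} bad authenticators (verify the shared key)")
    if c.get("timeouts", 0) or c.get("retransmissions", 0):
        findings.append(f"{c.get('timeouts', 0)} timeouts, {c.get('retransmissions', 0)} retransmissions")
    if c.get("malformed responses", 0) or c.get("unrecognized responses", 0):
        findings.append("malformed or unrecognized responses received")
    auth, rejects = c.get("authentication requests", 0), c.get("rejects", 0)
    if auth and rejects / auth > max_reject_ratio:
        findings.append(f"reject ratio {rejects}/{auth} exceeds {max_reject_ratio:.0%}")
    return findings


def report(text: str) -> Dict[str, List[str]]:
    """Map each server address to its list of findings (empty list means healthy)."""
    return {s["address"]: check_server_health(s) for s in parse_show_aaa_server(text)}


if __name__ == "__main__":
    for addr, findings in report(SAMPLE_OUTPUT).items():
        print(addr, "OK" if not findings else "; ".join(findings))
```

Run it over a saved copy of the command output (or paste the output into SAMPLE_OUTPUT); the same parser works for the per-host form of the command shown in Example 7-8, since the block layout is identical.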

To show the configuration of a specific AAA server, use the following command:

  show running-config aaa-server [server-group [(if_name) host ip_address]]

To show statistics about a specific AAA server, use the following command:

  show aaa-server [server-tag [host hostname]]

Example 7-8 includes the output of this command for server 172.18.124.11.

Example 7-8. Output of the show aaa-server Command for a Specific Host
Chicago# show aaa-server mygroup host 172.18.124.11
Server Group:    mygroup
Server Protocol: radius
Server Address:  172.18.124.11
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       55
Number of authorization requests        13
Number of accounting requests           45
Number of retransmissions               0
Number of accepts                       54
Number of rejects                       1
Number of challenges                    54
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

To clear the AAA server statistics for a specific server, use this command:

  clear aaa-server statistics [tag [host hostname]]

To clear the AAA server statistics for all servers providing services for a specific protocol, use this command:

  clear aaa-server statistics protocol server-protocol

To remove the configuration of a specific AAA server group (or of all AAA server groups, if server-tag is omitted), use this command:

  clear configure aaa-server [server-tag]
