Cisco Systems OL-12180-01 manual 12-17


Chapter 12 Configuring AAA Servers and User Accounts

Identifying AAA Server Groups and Servers

If you choose Detect Automatically, the security appliance attempts to determine the type of netmask expression used. If it detects a wildcard netmask expression, it converts it to a standard netmask expression; however, because some wildcard expressions are difficult to detect unambiguously, this setting may occasionally misinterpret a wildcard netmask expression as a standard netmask expression.

If you choose Standard, the security appliance assumes downloadable access lists received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed.

If you choose Wildcard, the security appliance assumes downloadable access lists received from the RADIUS server contain only wildcard netmask expressions and it converts them all to standard netmask expressions when the access lists are downloaded.
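The three netmask-expression settings above, modelled as an added example (not Cisco code) that classifies a mask as standard, wildcard or ambiguous and applies the chosen mode; it also shows why the two masks 0.0.0.0 and 255.255.255.255 cannot be told apart under Detect Automatically. Mask strings and the mode names are constructed for illustration.

```python
# Added example, not from the ASDM User Guide: models the Detect Automatically /
# Standard / Wildcard handling of netmasks in a downloadable access list.
import ipaddress

def mask_to_int(mask: str) -> int:
    return int(ipaddress.IPv4Address(mask))

def is_standard(mask: str) -> bool:
    """Standard netmask: contiguous 1 bits followed by contiguous 0 bits."""
    inv = (~mask_to_int(mask)) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0        # complement has the form 2^k - 1

def is_wildcard(mask: str) -> bool:
    """Wildcard mask: contiguous 0 bits followed by contiguous 1 bits."""
    m = mask_to_int(mask)
    return (m & (m + 1)) == 0

def wildcard_to_standard(mask: str) -> str:
    """Bitwise complement turns a wildcard mask into a standard netmask."""
    return str(ipaddress.IPv4Address((~mask_to_int(mask)) & 0xFFFFFFFF))

def classify(mask: str) -> str:
    std, wc = is_standard(mask), is_wildcard(mask)
    if std and wc:
        return "ambiguous"          # 0.0.0.0 and 255.255.255.255 only
    if std:
        return "standard"
    if wc:
        return "wildcard"
    return "non-contiguous"         # cannot be a standard netmask at all

def translate(mask: str, mode: str) -> str:
    """Return the standard netmask the appliance would use for `mask`
    under the given setting (constructed mode names)."""
    if mode == "Standard":
        return mask                 # no translation performed
    if mode == "Wildcard":
        return wildcard_to_standard(mask)
    # Detect Automatically: convert only what is recognisably a wildcard.
    # An ambiguous mask is left as a standard netmask here, which is the
    # misinterpretation the guide warns about.
    if classify(mask) == "wildcard":
        return wildcard_to_standard(mask)
    return mask

if __name__ == "__main__":
    for m in ("255.255.255.0", "0.0.0.255", "0.0.0.0", "0.0.255.0"):
        print(m, classify(m), translate(m, "Detect Automatically"))
```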

TACACS+ Parameters—Specifies the parameters needed for using a TACACS+ server. This area appears only when the selected server group uses TACACS+.

Server Port—Specifies the server port to use.

Server Secret Key—Specifies the server secret key to use for encryption. The secret is case-sensitive. The field displays only asterisks.

SDI Parameters—Specifies the parameters needed for using an SDI server. This area appears only when the selected server group uses SDI.

Server Port—Specifies the server port to use.

Retry Interval—Specifies the number of seconds to wait before reattempting the connection.

Kerberos Parameters—Specifies the parameters needed for using a Kerberos server. This area appears only when the selected server group uses Kerberos.

Server Port—Specifies the server port that the Kerberos server listens to.

Retry Interval—Specifies the amount of time between retry attempts. The range is 1 to 10 seconds.

Kerberos Realm—Specifies the name of the Kerberos realm to use, for example: USDOMAIN.ACME.COM. The maximum length is 64 characters. The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows.NET. You must enter this name, and it must be the correct realm name for the server whose IP address you entered in the Server IP Address field.

LDAP Parameters—Specifies the parameters needed for using an LDAP server. This area appears only when the selected server group uses LDAP.

Enable LDAP Over SSL—Specifies that SSL secures communications between the security appliance and the LDAP server. Also called secure LDAP.

Server Port—Specifies the server port to use. Enter the TCP port number by which you access the server.

Server Type—Lets you manually set the LDAP server type, or lets you specify auto-detection for server type determination.

Base DN—Specifies the Base DN. Enter the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request. For example, OU=people, dc=cisco, dc=com.

Scope—Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request. One Level searches only one level beneath the Base DN; this option is quicker. All Levels searches all levels beneath the Base DN, in other words, the entire subtree hierarchy; this option takes more time.

ASDM User Guide
