Cisco Systems OL-12180-01 manual NT Server Support, Kerberos Server Support, SDI Version Support

Chapter 12 Configuring AAA Servers and User Accounts

AAA Server and Local Database Support

Two-step Authentication Process, page 12-5

SDI Primary and Replica Servers, page 12-5

SDI Version Support

The security appliance supports SDI Version 5.0 and 6.0. SDI uses the concepts of SDI primary and SDI replica servers. Each primary and its replicas share a single node secret file. The node secret file is named after the hexadecimal value of the ACE/Server IP address, with .sdi appended.

A version 5.0 or 6.0 SDI server that you configure on the security appliance can be either the primary or any one of the replicas. See the “SDI Primary and Replica Servers” section for information about how the SDI agent selects servers to authenticate users.

Two-step Authentication Process

SDI versions 5.0 and 6.0 use a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server. The agent first sends a lock request to the SecurID server before sending the user authentication request. The server locks the username, preventing another (replica) server from accepting it. This means that the same user cannot authenticate to two security appliances through the same authentication servers simultaneously. After a successful username lock, the security appliance sends the passcode.

SDI Primary and Replica Servers

The security appliance obtains the server list when the first user authenticates to the configured server, which can be either a primary or a replica. The security appliance then assigns a priority to each server on the list, and subsequent server selection is random, weighted by those assigned priorities. The highest priority servers have a higher likelihood of being selected.
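The following Python model is added here and is not part of the ASDM guide or Cisco code. It illustrates the behaviour described in the three SDI sections above: the node secret file naming, the lock-then-passcode sequence that keeps a captured request from being accepted by another server, and priority-weighted server selection. The lock table, usernames, passcodes and appliance names are constructed; the model does not implement the SDI wire protocol.

```python
import random

def node_secret_filename(ace_server_ip: str) -> str:
    """Node secret file name: hex of the ACE/Server IPv4 address with .sdi appended."""
    octets = [int(o) for o in ace_server_ip.split(".")]
    return "".join(f"{o:02x}" for o in octets) + ".sdi"

class SecurIDCluster:
    """Constructed model of a primary plus its replicas sharing one username-lock table."""
    def __init__(self, passcodes):
        self.passcodes = passcodes   # username -> currently valid passcode (constructed data)
        self.locks = {}              # username -> appliance that currently holds the lock

    def lock_request(self, agent, username):
        # Step 1: a username already locked by a different appliance is refused.
        if self.locks.get(username, agent) != agent:
            return False
        self.locks[username] = agent
        return True

    def passcode_request(self, agent, username, passcode):
        # Step 2: only the appliance holding the lock may submit the passcode, so a
        # request replayed from another appliance is refused even with a valid passcode.
        if self.locks.get(username) != agent:
            return False
        ok = self.passcodes.get(username) == passcode
        del self.locks[username]     # the lock ends with the attempt, success or not
        return ok

def agent_login(cluster, agent, username, passcode):
    """Security appliance side: lock first; send the passcode only after the lock succeeds."""
    if not cluster.lock_request(agent, username):
        return "locked-elsewhere"
    return "accepted" if cluster.passcode_request(agent, username, passcode) else "rejected"

def choose_server(priorities, seed=None):
    """Random selection weighted by assigned priority: higher priority, higher likelihood."""
    rng = random.Random(seed)
    servers = list(priorities)
    return rng.choices(servers, weights=[priorities[s] for s in servers], k=1)[0]
```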

NT Server Support

The security appliance supports Microsoft Windows server operating systems that support NTLM version 1, collectively referred to as NT servers.

Note NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated. This is a limitation of NTLM version 1.

Kerberos Server Support

The security appliance supports 3DES, DES, and RC4 encryption types.

Note The security appliance does not support changing user passwords during tunnel negotiation. To avoid this situation occurring inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the security appliance.

ASDM User Guide
OL-12180-01
12-5
