Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 35 Configuring AAA Servers and the Local Database
Information About AAA
Information About Accounting
Accounting tracks traffic that passes through the ASA, enabling you to have a record of user activity. If
you enable authentication for that traffic, you can account for traffic per user. If you do not authenticate
the traffic, you can account for traffic per IP address. Accounting information includes session start and
stop times, username, the number of bytes that pass through the ASA for the session, the service used,
and the duration of each session.
Summary of Server Support
Table 35-1 summarizes the support for each AAA service by each AAA server type, including the local
database. For more information about support for a specific AAA server type, see the topics following
the table.
Note: In addition to the native protocol authentication listed in Table 35-1, the ASA supports proxying
authentication. For example, the ASA can proxy to an RSA/SDI and/or LDAP server via a RADIUS
server. Authentication via digital certificates, alone or combined with the AAA methods
listed in the table, is also supported.
Table 35-1 Summary of AAA Support

                      Database Type
AAA Service           Local    RADIUS   TACACS+  SDI (RSA)  NT       Kerberos  LDAP     HTTP Form

Authentication of...
VPN users [1]         Yes      Yes      Yes      Yes        Yes      Yes       Yes      Yes [2]
Firewall sessions     Yes      Yes      Yes      Yes        Yes      Yes       Yes      No
Administrators        Yes      Yes      Yes      Yes [3]    Yes      Yes       Yes      No

Authorization of...
VPN users             Yes      Yes      No       No         No       No        Yes      No
Firewall sessions     No       Yes [4]  Yes      No         No       No        No       No
Administrators        Yes [5]  No       Yes      No         No       No        No       No

Accounting of...
VPN connections       No       Yes      Yes      No         No       No        No       No
Firewall sessions     No       Yes      Yes      No         No       No        No       No
Administrators        No       Yes [6]  Yes      No         No       No        No       No

1. For SSL VPN connections, either PAP or MS-CHAPv2 can be used.
2. HTTP Form protocol supports both authentication and single sign-on operations for clientless SSL VPN user sessions only.
3. RSA/SDI is supported for ASDM HTTP administrative access with ASA 5500 software version 8.2(1) or later.
4. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response.
5. Local command authorization is supported by privilege level only.
6. Command accounting is available for TACACS+ only.