35-11
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 35 Configuring AAA Servers and the Local Database
Configuring AAA
Managing User Passwords, page 35-25
Changing User Passwords, page 35-27
Authenticating Users with a Public Key for SSH, page 35-28
Differentiating User Roles Using AAA, page 35-28
Task Flow for Configuring AAA
Step 1 Do one or both of the following:
Add a AAA server group. See the “Configuring AAA Server Groups” section on page 35-11.
Add a user to the local database. See the “Adding a User Account to the Local Database” section on page 35-20.
Step 2 (Optional) Configure authorization from an LDAP server that is separate and distinct from the authentication mechanism. See the “Configuring Authorization with LDAP for VPN” section on page 35-16.
Step 3 For an LDAP server, configure LDAP attribute maps. See the “Configuring LDAP Attribute Maps” section on page 35-18.
Step 4 For an administrator, specify the password policy attributes for users. See the “Managing User Passwords” section on page 35-25.
Step 5 (Optional) Users can change their own passwords. See the “Changing User Passwords” section on page 35-27.
Step 6 (Optional) Users can authenticate with a public key. See the “Authenticating Users with a Public Key for SSH” section on page 35-28.
Step 7 (Optional) Distinguish between administrative and remote-access users when they authenticate. See the “Differentiating User Roles Using AAA” section on page 35-28.
Configuring AAA Server Groups
If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.
Guidelines
You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode.
Each group can have up to 16 servers in single mode or 4 servers in multiple mode.
When a user logs in, the servers are accessed one at a time, starting with the first server you specify in the configuration, until a server responds. If all servers in the group are unavailable, the ASA tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers and the login does not succeed until one of them responds. For management access, configure LOCAL as the last method in the list so that an outage of every server in the group does not lock administrators out of the ASA.
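The following configuration is an added example that is not part of this guide; it walks through the Task Flow above (Step 1: a server group plus a local user) together with the server-group guidelines in this section (servers tried in order, LOCAL fallback for management access only). The group name RADIUS-ADMIN, the interface name, the addresses 10.1.1.10 and 10.1.1.11, the usernames, the shared secret and the passwords are assumptions chosen for illustration.

```cisco
! Added example: RADIUS server group with two servers and a LOCAL fallback
! for management authentication. All names, addresses and secrets are
! assumed values, not values from the configuration guide.
!
! Step 1a: one server group for the RADIUS protocol. Servers are tried in
! the order they are listed until one responds; a server is marked failed
! after max-failed-attempts and, in depletion mode, all servers are
! reactivated together after the deadtime once every server has failed.
aaa-server RADIUS-ADMIN protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
!
! First server in the group (tried first).
aaa-server RADIUS-ADMIN (inside) host 10.1.1.10
 key R4dius-Sh4red-Secret
 authentication-port 1812
 accounting-port 1813
 timeout 5
!
! Second server in the group (tried only if the first does not respond).
aaa-server RADIUS-ADMIN (inside) host 10.1.1.11
 key R4dius-Sh4red-Secret
 authentication-port 1812
 accounting-port 1813
 timeout 5
!
! Step 1b: a local account that can still log in when every RADIUS server
! in the group is unavailable.
username breakglass password Br3ak-Gl4ss-Only privilege 15
!
! Use the group for management authentication with LOCAL as the fallback
! method. LOCAL is consulted only after all servers in RADIUS-ADMIN are
! unavailable; without it the ASA keeps retrying the servers and no
! administrator can log in during an outage.
aaa authentication ssh console RADIUS-ADMIN LOCAL
aaa authentication enable console RADIUS-ADMIN LOCAL
aaa authentication http console RADIUS-ADMIN LOCAL
!
! Verification: show the state of each server in the group, then test a
! login for a user defined on the RADIUS server (netadmin is assumed here)
! against a specific host before relying on the group in production.
show aaa-server RADIUS-ADMIN
test aaa-server authentication RADIUS-ADMIN host 10.1.1.10 username netadmin password N3tadmin-Pass
```

The `show aaa-server` output lists each host with its status (for example ACTIVE or FAILED), which is how you confirm that the order and reactivation settings behave as intended. The LOCAL fallback covers only management authentication and authorization, so a remote-access VPN tunnel group that authenticates against RADIUS-ADMIN still fails when both servers are down; for VPN users the protection is a second reachable server in the group, not the local database.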