35-16
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter35 Configuring AAA Servers and the Local Database
Configuring AAA
hostname(config)# aaa-server AuthOutbound protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname(config-aaa-server-host)# key RadUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NTAuth protocol nt
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
hostname(config-aaa-server-host)# exit
Example 35-2 shows how to configure a Kerberos AAA server group named watchdogs, add a AAA
server to the group, and define the Kerberos realm for the server. Because Example35-2 does not define
a retry interval or the port that the Kerberos server listens to, the ASA uses the default values for these
two server-specific parameters. Table 35 -2 lists the default values for all AAA server host mode
commands.
Note Kerberos realm names use numbers and upper-case letters only. Although the ASA accepts lower-case
letters for a realm name, it does not translate lower-case letters to upper-case letters. Be sure to use
upper-case letters only.
Example 35-2 Kerberos Server Group and Server
hostname(config)# aaa-server watchdogs protocol kerberos
hostname(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4
hostname(config-aaa-server-host)# kerberos-realm EXAMPLE.COM
hostname(config-aaa-server-host)# exit
hostname(config)#
Configuring Authorization with LDAP for VPN
When user LDAP authentication for VPN access has succeeded, the ASA queries the LDAP server which
returns LDAP attributes. These attributes generally include authorization data that applies to the VPN
session. Thus, using LDAP accomplishes authentication and authorization in a single step.
There may be cases, however, where you require authorization from an LDAP directory server that is
separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate
server for authentication, no authorization information is passed back. For user authorizations in this
case, you can query an LDAP directory after successful authentication, accomplishing authentication
and authorization in two steps.