Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Add AAA Server Group

69-14

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter69 General VPN Setup

Add AAA Server Group

•Name—Specifies the name of this group policy. For the Edit function, this field is read-only.

•Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only

the selected protocols. The choices are as follows:

–

Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to

establish a secure remote-access tunnel to a ASA; requires neither a software nor hardware

client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources,

including corporate websites, web-enabled applications, NT/AD file share (web-enabled),

e-mail, and other TCP-based applications from almost any computer that can reach HTTPS

Internet sites.

–

SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL

VPN client.

–

IPsec—IP Security Protocol. Regarded as the most secure protocol, IPsec provides the most

complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and

client-to-LAN connections can use IPsec.

–

L2TP/IPsec—Allows remote users with VPN clients provided with several common PC

and mobile PC operating systems to establish secure connections over the public IP network

to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701)

to tunnel the data. The security appliance must be configured for IPsec transport mode.

Note If you do not select a protocol, an error message appears.

•Filter—(Network (Client) Access only) Specifies which access control list to use, or whether to

inherit the value from the group policy. Filters consist of rules that determine whether to allow or

reject tunneled data packets coming through the ASA, based on criteria such as source address,

destination address, and protocol. To configure filters and rules, see the Group Policy dialog box.

•Manage—Displays the ACL Manager dialog box, with which you can add, edit, and delete Access

Control Lists (ACLs) and Extended Access Control Lists (ACEs). For more information about the

ACL Manager, see the online Help for that dialog box.

Add AAA Server Group

The Add AAA Server Groups dialog box lets you configure a new AAA server group. It is accessed

fromAAA/Local Users > AAA Server Groups on the Remote Access VPN tab. The Accounting Mode

attribute applies only to RADIUS and TACACS+ protocols.

Fields

•Server Group—Specifies the name of the server group.

•Protocol—(Display only) Indicates whether this is a RADIUS or an LDAP server group.

•Accounting Mode—Indicates whether to use simultaneous or single accounting mode. In single

mode, the ASA sends accounting data to only one server. In simultaneous mode, the ASA sends

accounting data to all servers in the group. The Accounting Mode attribute applies only to RADIUS

and TACACS+ protocols.

•Reactivation Mode—Specifies the method by which failed servers are reactivated: Depletion or

Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the

servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds

of down time.

Cisco Systems Add AAA Server Group

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505