6-25
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter6 Managing Policy Objects
Understanding AAA Server and Server Group Objects
Accounting—Accounting is used to track the services users are accessing, as well as the amount of
network resources they are consuming. When AAA accounting is activated, the network access
server reports user activity to the RADIUS or TACACS+ security server (depending on which
security method you have implemented) in the form of accounting records. Accounting information
includes when sessions start and stop, usernames, the number of bytes that pass through the device
for each session, the service used, and the duration of each session. This data can then be analyzed
for network management, client billing, or auditing. You can use accounting alone or together with
authentication and authorization.
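To show what the accounting data described above looks like once it is put to use for auditing, the following is an added example (not part of the Cisco guide) that pairs Start and Stop records into per-session rows and flags sessions that never reported a Stop; the records are constructed key=value lines using RFC 2866 attribute names.

```python
"""Summarise AAA accounting records into per-session audit rows."""

# Constructed sample records (not from any real server): one session with a
# matching Start/Stop pair, and one that started but never reported a Stop.
SAMPLE_RECORDS = """\
Acct-Status-Type=Start User-Name=alice Acct-Session-Id=0001 Service-Type=NAS-Prompt-User Event-Timestamp=1700000000
Acct-Status-Type=Stop User-Name=alice Acct-Session-Id=0001 Service-Type=NAS-Prompt-User Event-Timestamp=1700000600 Acct-Session-Time=600 Acct-Input-Octets=1024 Acct-Output-Octets=4096
Acct-Status-Type=Start User-Name=bob Acct-Session-Id=0002 Service-Type=Framed-User Event-Timestamp=1700000300
"""


def parse_record(line):
    """Split one 'Attr=Value Attr=Value ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def summarise_sessions(text):
    """Pair Start/Stop records by session id.

    Returns (closed, open_sessions): closed is a list of per-session rows
    built from Stop records; open_sessions lists (user, session id) for
    Start records that have no matching Stop, which an auditor should chase
    (still-running session, crashed NAS, or a lost accounting packet).
    """
    starts, closed = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        sid, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        if status == "Start":
            starts[sid] = rec
        elif status == "Stop":
            start = starts.pop(sid, None)  # None means Stop arrived without a Start
            closed.append({
                "user": rec["User-Name"],
                "session": sid,
                "service": rec.get("Service-Type", "?"),
                "duration_s": int(rec.get("Acct-Session-Time", 0)),
                "bytes_in": int(rec.get("Acct-Input-Octets", 0)),
                "bytes_out": int(rec.get("Acct-Output-Octets", 0)),
                "had_start": start is not None,
            })
    open_sessions = [(r["User-Name"], sid) for sid, r in starts.items()]
    return closed, open_sessions


if __name__ == "__main__":
    rows, still_open = summarise_sessions(SAMPLE_RECORDS)
    for row in rows:
        print(row)
    print("sessions without a Stop record:", still_open)
```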
AAA provides an extra level of protection and control for user access over using access rules (ACLs)
alone. For example, you can create an access rule allowing all outside users to attempt to use Telnet on
a server on the DMZ network. If you want only some users to actually reach the server (and you might
not always know the IP addresses of these users, making it impossible to configure simple access rules),
you can enable AAA to allow only authenticated or authorized users to make it through the network
device (for example, the ASA or router). Thus, users must authenticate before reaching the Telnet server,
where Telnet can also require a separate login.
AAA server objects are collected into AAA server group objects. Policies requiring AAA (such as Easy
VPN, Remote Access VPNs, and router platform policies such as Secured Device Provisioning and
802.1x) usually refer to AAA server group objects. These objects contain multiple AAA servers that use
the same protocol, such as RADIUS or TACACS+. In essence, AAA server groups represent collections
of authentication servers focused on enforcing specific aspects of your overall network security policy.
For example, you can group those servers dedicated to authenticating internal traffic, external traffic, or
remote dial-in users, as well as servers that authorize the administration of your firewall devices.
The following topics describe how to work with AAA server objects:
Supported AAA Server Types, page 6-25
Additional AAA Support on ASA, PIX, and FWSM Devices, page 6-26
Predefined AAA Authentication Server Groups, page 6-28
Default AAA Server Groups and IOS Devices, page 6-28
Creating AAA Server Objects, page 6-29
Add or Edit AAA Server Dialog Box, page 6-30
Add and Edit LDAP Attribute Map Dialog Boxes, page 6-43
Creating AAA Server Group Objects, page 6-45
Supported AAA Server Types
You can use AAA servers that use the RADIUS protocol with all devices, and the TACACS+ and LDAP
protocols with all devices except IPS. For ASA, PIX, and FWSM devices, you can also use the protocols
described in Additional AAA Support on ASA, PIX, and FWSM Devices, page 6-26.
RADIUS—Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server
system that secures networks against unauthorized access. In the Cisco implementation, RADIUS
clients run on Cisco devices and send authentication requests to a central RADIUS server that
contains all user authentication and network service access information.
You can use RADIUS with other AAA security protocols, such as TACACS+, Kerberos, and local
username lookup, depending on what is supported by a particular device type. RADIUS is supported
on all Cisco platforms, but some RADIUS-supported features run only on specified platforms.