User Guide for Cisco Security Manager 4.4 (OL-28826-01)
Chapter 6: Managing Policy Objects, page 6-29
Understanding AAA Server and Server Group Objects
For TACACS+: CSM-tac-grp
Both of these special AAA server groups are marked in the Policy Object Manager as the default groups
for their protocol. This is indicated by the Make this Group the Default AAA Server Group check box.
These groups are created solely for the purpose of management by Security Manager. During
deployment, the AAA servers in these special groups are deployed back to the IOS device as individual
servers, not as part of the group.
You can also create your own default group. The default group can be used in most cases, except when
you need to configure multiple AAA server groups that use the same protocol. For example, you might
want to define multiple RADIUS groups so that one group can be used for authentication and another
group for authorization. Service providers may want to define multiple groups with the same protocol in
order to provide customer separation when using VRF.
Note: If you use one of these default AAA server groups in a policy defined for a PIX/ASA/FWSM device, the
AAA servers are deployed as a group to that device, not as individual servers. This is because all AAA
servers on PIX/ASA/FWSM devices must belong to a AAA server group.
Caution: We recommend that you use caution when using these default AAA server groups in a policy definition.
There are certain commands (for example, ip radius and ip tacacs, which are configured using the
Interface field in the AAA Server dialog box) that can be defined once for each AAA server group and
once for all individual AAA servers. Because the AAA servers in the default group are deployed to IOS
devices as individual servers, you might inadvertently change the ip radius or ip tacacs settings for all
the individual AAA servers configured on the device, including servers that are not being managed by
Security Manager (and whose configurations would otherwise be left undisturbed).
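The following IOS configuration fragment is an added illustration, not text from this guide, of why the caution matters. It contrasts what lands on an IOS device when TACACS+ servers come from the default CSM-tac-grp group (deployed as individual servers, so the Interface field becomes a global ip tacacs source-interface command) with what lands when they come from a user-defined group (the same setting scoped inside the group). The server addresses, shared secrets, interface names and the group name CUSTOMER-A-TACACS are assumed placeholders.

```cisco
! Added illustration (not from the Cisco guide). Addresses, keys, interface
! names and the group name below are assumed placeholders.
!
! --- Case 1: servers taken from the default group CSM-tac-grp ---
! Security Manager deploys them to IOS as individual tacacs-server hosts.
! The Interface field renders as a GLOBAL ip tacacs source-interface,
! which applies to every TACACS+ server on the device, including the
! pre-existing, unmanaged host 203.0.113.30 that Security Manager does
! not know about.
tacacs-server host 203.0.113.10 key EXAMPLE-SECRET-1
tacacs-server host 203.0.113.20 key EXAMPLE-SECRET-2
! pre-existing server, not managed by Security Manager:
tacacs-server host 203.0.113.30 key EXAMPLE-SECRET-3
! this line now governs all three hosts above, not just the managed two
ip tacacs source-interface Loopback0
!
! --- Case 2: servers taken from a user-defined group ---
! The same Interface setting is scoped to the group, so the global
! setting (and therefore the unmanaged host) is left undisturbed.
aaa group server tacacs+ CUSTOMER-A-TACACS
 server 203.0.113.10
 server 203.0.113.20
 ip tacacs source-interface Loopback1
!
aaa authentication login default group CUSTOMER-A-TACACS local
```

Before deploying a policy that references a default group to an IOS device, compare the generated configuration against the device's current global ip radius or ip tacacs lines; a change there is the sign that unmanaged servers would be affected, and defining a dedicated group, as in Case 2, avoids it.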
Related Topics
Predefined AAA Authentication Server Groups, page 6-28
Creating AAA Server Group Objects, page 6-45
Understanding AAA Server and Server Group Objects, page 6-24
Creating AAA Server Objects
You can create AAA server objects to populate the AAA server group objects that are referenced by
policies such as AAA rules, Easy VPN, and 802.1x. In some cases, AAA server objects are used directly
by a policy, such as in AAA policies on IPS devices.
When creating a AAA server object, you must specify the IP address or DNS name of the external AAA
server and the protocol used by the server. The other settings required depend on the protocol.
Note: On PIX/ASA/FWSM devices, AAA objects in a device configuration that are not referenced by any
policies are removed from the device during the next deployment. However, the predefined AAA objects
named RADIUS and TACACS+ are never removed from PIX 6.3 devices, even if they are not referenced
by any policies.
Related Topics
Creating Policy Objects, page 6-9