6-45
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding AAA Server and Server Group Objects
Creating AAA Server Group Objects
You can create AAA server group objects for Security Manager policies requiring AAA services, such
as authentication and authorization. Each AAA server group object can contain multiple AAA servers,
all of which use the same protocol, such as RADIUS or TACACS+. For example, if you want to use
RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you must create at
least two AAA server group objects, one for RADIUS servers and one for TACACS+ servers.
In addition, only one source interface can be defined for the AAA servers in the group. An error is
displayed when you submit your changes if different AAA servers in the group use different source
interfaces.
Note The error is triggered by the actual interface defined as the source, not the name of the interface role that
represents the interface. That is, two AAA servers can have different interface roles defined as the source
interface as long as they both resolve to the same device interface. An error is also displayed if the
interface role defined for the source interface matches more than one actual interface on the device.
The number of AAA server group objects that can be created and the number of AAA server objects that
can be included in each group object depend on the selected platform. For example, ASA devices support
up to 18 single-mode server groups (with up to 16 servers each) and 7 multi-mode server groups (with
up to 4 servers each). PIX firewalls support up to 14 server groups, each containing up to 14 servers.
Note Security Manager includes a predefined AAA server group object that you can use when you perform
authentication locally inside the Cisco IOS router.
Tip You can also create AAA server group objects when you define policies or objects that use this object
type. For more information, see Selecting Objects for Policies, page 6-2.
Related Topics
Creating Policy Objects, page 6-9
Predefined AAA Authentication Server Groups, page 6-28
Default AAA Server Groups and IOS Devices, page 6-28
Understanding AAA Server and Server Group Objects, page 6-24
Step 1 Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager,
page 6-4).
Step 2 Select AAA Server Groups from the Object Type selector.
Step 3 Right-click inside the work area, then select New Object to open the AAA Server Group Dialog Box,
page 6-46.
Step 4 Enter a name for the object. The maximum name length is 16 characters if you plan to use this object
with ASA, PIX, or FWSM devices and 128 characters for Cisco IOS routers. Spaces are not supported.
Note Cisco IOS routers do not support the following AAA server group names: RADIUS, TACACS,
TACACS+. In addition, we do not recommend using an abbreviation of one of these names, such
as rad or tac.
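As an added illustration (this is not part of the Cisco document and not Security Manager code), the following Python models the submit-time checks described in this section as a stand-alone pre-validator: every server in a group must use the same protocol, the servers must resolve to a single device source interface (judged by the interface the role resolves to, not by the role name, and a role matching more than one interface is itself an error), the ASA and PIX capacity figures, and the name rules from Step 4. The `role_map` representation, the platform keys (`asa-single`, `asa-multi`, `pix`, `ios`), the dataclasses and all sample hosts are assumptions constructed for the example; the text gives no numeric group limit for IOS, so no count check is applied there.

```python
from dataclasses import dataclass

# Constructed from the limits stated in the text: platform -> (max groups, max servers per group).
PLATFORM_LIMITS = {
    "asa-single": (18, 16),   # ASA single-mode server groups
    "asa-multi": (7, 4),      # ASA multi-mode server groups
    "pix": (14, 14),
    # "ios" is deliberately absent: the text states no numeric limit for IOS routers.
}
IOS_RESERVED_NAMES = {"RADIUS", "TACACS", "TACACS+"}   # not supported as IOS group names
IOS_DISCOURAGED_PREFIXES = ("rad", "tac")             # abbreviations the text advises against


@dataclass
class AAAServer:
    host: str
    protocol: str      # e.g. "radius" or "tacacs+"
    source_role: str   # interface role name used as the server's source interface


@dataclass
class AAAServerGroup:
    name: str
    servers: list


def validate_group(group, platform, role_map, existing_groups=0):
    """Return a list of (severity, message) findings; an empty list means a clean submit.

    role_map (assumed representation) maps an interface role name to the set of actual
    device interfaces that role matches on the target device.
    """
    findings = []
    is_ios = platform == "ios"

    # Name rules: 16 characters for ASA/PIX/FWSM, 128 for IOS; spaces are not supported.
    max_len = 128 if is_ios else 16
    if len(group.name) > max_len:
        findings.append(("error", f"name longer than {max_len} characters"))
    if " " in group.name:
        findings.append(("error", "spaces are not supported in the name"))
    if is_ios:
        if group.name.upper() in IOS_RESERVED_NAMES:
            findings.append(("error", f"IOS does not support the group name {group.name!r}"))
        elif group.name.lower().startswith(IOS_DISCOURAGED_PREFIXES):
            findings.append(("warning", "abbreviations such as rad or tac are not recommended on IOS"))

    # All servers in one group must use the same protocol.
    protocols = {s.protocol.lower() for s in group.servers}
    if len(protocols) > 1:
        findings.append(("error", f"mixed protocols in one group: {sorted(protocols)}"))

    # Only one source interface per group, judged by the resolved device interface.
    resolved = set()
    for s in group.servers:
        ifaces = role_map.get(s.source_role, set())
        if len(ifaces) != 1:
            findings.append(("error", f"role {s.source_role!r} matches {len(ifaces)} interfaces, expected exactly 1"))
            continue
        resolved |= ifaces
    if len(resolved) > 1:
        findings.append(("error", f"servers resolve to different source interfaces: {sorted(resolved)}"))

    # Per-platform capacity, where the text gives a figure.
    if platform in PLATFORM_LIMITS:
        max_groups, max_servers = PLATFORM_LIMITS[platform]
        if len(group.servers) > max_servers:
            findings.append(("error", f"{platform} allows at most {max_servers} servers per group"))
        if existing_groups + 1 > max_groups:
            findings.append(("error", f"{platform} allows at most {max_groups} server groups"))
    return findings


if __name__ == "__main__":
    # Constructed sample: two roles that resolve to the same interface, one that is ambiguous.
    roles = {"Inside-Role": {"inside"}, "Auth-Role": {"inside"}, "All-Role": {"inside", "dmz"}}
    group = AAAServerGroup("RADIUS-NET", [AAAServer("10.0.0.5", "radius", "Inside-Role"),
                                          AAAServer("10.0.0.6", "radius", "Auth-Role")])
    print(validate_group(group, "asa-single", roles))   # no findings expected
```

Two roles with different names are accepted as long as they resolve to the same device interface, which is the behaviour the note on source interfaces describes; the abbreviation check is reported as a warning rather than an error because the text only advises against such names.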