Chapter 12 Configuring AAA Servers and User Accounts

Identifying AAA Server Groups and Servers

Subnet Mask list—Specifies the subnet mask for the Dedicated IP address.

Check the Group Lock check box to restrict users to remote access through this group only. Group Lock restricts users by checking if the group configured in the VPN client is the same as the user’s assigned group. If it is not, the VPN Concentrator prevents the user from connecting.

If this box is unchecked (the default), the system authenticates a user without regard to the user’s assigned group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed      Transparent    Single      Multiple
                                       Context     System

Identifying AAA Server Groups and Servers

If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

The security appliance contacts the first server in the group. If that server is unavailable, the security appliance contacts the next server in the group, if configured. If all servers in the group are unavailable, the security appliance tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the security appliance continues to try the AAA servers.

This section includes the following topics:

AAA Server Groups, page 12-12

Add/Edit AAA Server Group, page 12-14

Edit AAA Local Server Group, page 12-15

Add/Edit AAA Server, page 12-15

Test AAA Server, page 12-19

AAA Server Groups

The AAA Server Groups pane lets you:

Configure AAA server groups and the protocols the security appliance uses to communicate with the servers listed in each group.

Configure and add individual servers to AAA server groups.

You can have up to 15 groups in single mode or 4 groups in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time, starting with the first server you specify, until a server responds.
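The server-order, fallback and size rules described in this section and in the paragraph on server availability above, as an added model (constructed for this page, not Cisco code): the probe function on each server is a hypothetical stand-in for the real protocol exchange, and all host addresses and credentials are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Limits stated in the section: groups per mode and servers per group.
MAX_GROUPS = {"single": 15, "multiple": 4}
MAX_SERVERS = {"single": 16, "multiple": 4}


@dataclass
class AAAServer:
    host: str
    # Hypothetical probe standing in for the real RADIUS/TACACS+/LDAP exchange:
    # returns "accept" or "reject" when the server answers, None if unreachable.
    query: Callable[[str, str], Optional[str]]


@dataclass
class AAAServerGroup:
    name: str
    protocol: str                      # kerberos, ldap, nt, radius, sdi, tacacs+
    servers: List[AAAServer] = field(default_factory=list)
    fallback_local: bool = False       # LOCAL configured as the fallback method


def add_server(group: AAAServerGroup, server: AAAServer, mode: str = "single") -> None:
    """Enforce the per-group server limit for the given context mode."""
    if len(group.servers) >= MAX_SERVERS[mode]:
        raise ValueError(f"{mode} mode allows at most {MAX_SERVERS[mode]} servers per group")
    group.servers.append(server)


def authenticate(group: AAAServerGroup, user: str, password: str,
                 local_db: dict, purpose: str, max_rounds: int = 1) -> Tuple[str, Optional[str]]:
    """Try servers in configured order; the first one that answers decides.

    Returns (decision, source). When every server is unreachable, LOCAL is
    consulted only if it is configured as fallback AND the request is
    management authentication/authorization; otherwise the appliance keeps
    retrying the servers, which this model bounds with max_rounds.
    """
    for _ in range(max_rounds):
        for srv in group.servers:
            verdict = srv.query(user, password)
            if verdict is not None:        # server answered; do not try the rest
                return verdict, srv.host
    if group.fallback_local and purpose == "management":
        decision = "accept" if local_db.get(user) == password else "reject"
        return decision, "LOCAL"
    return "unavailable", None
```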

 

ASDM User Guide

12-12

OL-12180-01
