Chapter 12 Configuring AAA Servers and User Accounts
Identifying AAA Server Groups and Servers
• Server Name or IP Address—Specifies the name or IP address of the AAA server.
• Timeout—Specifies the timeout interval, in seconds. This is the time after which the security appliance gives up on the request to the primary AAA server. If there is a standby AAA server, the security appliance sends the request to the backup server.
• RADIUS Parameters area—Specifies the parameters needed for using a RADIUS server. This area appears only when the selected server group uses RADIUS.
– Retry Interval—Specifies the number of seconds to wait after sending a query to the server and receiving no response, before reattempting the connection. The minimum time is 1 second. The default time is 10 seconds. The maximum time is 10 seconds.
– Server Authentication Port—Specifies the server port to use for user authentication. The default port is 1645.
Note The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.
– Server Accounting Port—Specifies the server port to use for user accounting. The default port is 1646.
– Server Secret Key—Specifies the server secret key (also called the shared secret) to use for encryption; for example: C8z077f. The secret is case-sensitive. The security appliance uses the server secret to authenticate to the RADIUS server. The server secret you configure here must match the one configured on the RADIUS server. If you do not know the server secret for the RADIUS server, ask the administrator of the RADIUS server. The maximum field length is 64 characters.
– Common Password—Specifies the common password for the group. The password is case-sensitive. If you are defining a RADIUS server to be used for authentication rather than authorization, do not provide a common password.
A RADIUS authorization server requires a password and username for each connecting user. You enter the password here. The RADIUS authorization server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this security appliance. Be sure to provide this information to your RADIUS server administrator. Enter a common password for all users who are accessing this RADIUS authorization server through this security appliance.
If you leave this field blank, each user's password will be his or her own username. For example, a user with the username “jsmith” would enter “jsmith”. As a security precaution, never use a RADIUS authorization server for authentication. Using a common password, or usernames as passwords, is much less secure than a strong password per user.
Note The password field is required by the RADIUS protocol and the RADIUS server requires it; however, users do not need to know it.
– ACL Netmask Convert—Specifies how the security appliance handles netmasks received in downloadable access lists. The security appliance expects downloadable access lists to contain standard netmask expressions, whereas Cisco Secure VPN 3000 series concentrators expect downloadable access lists to contain wildcard netmask expressions, which are the reverse of a standard netmask expression. A wildcard mask has ones in bit positions to ignore and zeros in bit positions to match. The ACL Netmask Convert list helps minimize the effects of these differences on how you configure downloadable access lists on your RADIUS servers.
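The Server Secret Key item above says the shared secret is used both for encryption and for authenticating the RADIUS server to the security appliance, and that both sides must hold the same value. The following Python example, added here and not part of the ASDM guide or of Cisco's code, shows the two places RFC 2865 actually uses the secret: hiding the User-Password attribute in an Access-Request (section 5.2) and computing the Response Authenticator that lets the client verify an Access-Accept came from a server holding the same secret (section 3). The secret value is the page's own example string; the Request Authenticator, attribute values and packet identifier are constructed sample data.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet code and attribute type used in the sample below.
ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password attribute value as in RFC 2865 section 5.2.

    The password is padded with NULs to a multiple of 16 octets, then each
    16-octet block is XORed with MD5(secret + previous block), where the
    "previous block" for the first block is the Request Authenticator.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password(); this is the RADIUS server's side."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    # Strip the NUL padding added by the sender (RFC 2865 passwords are text).
    return bytes(clear).rstrip(b"\x00")


def _encode_attrs(attrs) -> bytes:
    # Each attribute is Type (1 octet), Length (1 octet, includes the two header
    # octets), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Build a RADIUS response whose Authenticator field is the Response
    Authenticator of RFC 2865 section 3:
        MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check a response the way the client (the security appliance) must:
    recompute the Response Authenticator with its own copy of the secret and
    compare in constant time. A mismatched secret or a tampered octet fails.
    """
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # Constructed sample values: the secret is the page's example string; a real
    # Request Authenticator would be 16 random octets, e.g. os.urandom(16).
    secret = b"C8z077f"
    request_auth = bytes(range(16))
    hidden = hide_user_password(b"jsmith", secret, request_auth)
    print("hidden User-Password:", hidden.hex())
    print("revealed by server:  ", reveal_user_password(hidden, secret, request_auth))
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, secret, [(ATTR_REPLY_MESSAGE, b"Welcome")])
    print("verifies with correct secret:", verify_response(reply, request_auth, secret))
    print("verifies with wrong secret:  ", verify_response(reply, request_auth, b"wr0ng"))
```

Two points follow from the code. If the secret configured in this dialog differs from the server's, the server unhides garbage for the password and rejects the user, and any reply the server sends fails `verify_response()` on the appliance, so a mismatch shows up as authentication failures, not as a protocol error. The hiding scheme is MD5-based and keyed only by the secret, which is why the guide's advice to use a value that is not guessable (and 64 characters are available) matters.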
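The ACL Netmask Convert item describes two mask notations that are bitwise complements of each other and a setting that reconciles them. The Python example below is added here and is not part of the ASDM guide or of the security appliance's code; it classifies a received mask as standard or wildcard from its bit pattern, converts between the two, and rewrites the address/mask pairs of a downloadable access-list entry. The three mode names `standard`, `wildcard` and `auto` are assumptions for this example, not the exact option names in the ASDM list, and the access-list entries are constructed samples.

```python
import ipaddress
import re

_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _is_ipv4(token: str) -> bool:
    if not _DOTTED_QUAD.match(token):
        return False
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def _contiguous_ones_then_zeros(value: int) -> bool:
    # A standard mask is 1...10...0 in binary. Its complement is 0...01...1,
    # which is one less than a power of two, so inv & (inv + 1) == 0.
    inv = value ^ 0xFFFFFFFF
    return inv & (inv + 1) == 0


def mask_kind(mask: str) -> str:
    """Classify a 32-bit mask as 'standard', 'wildcard', 'ambiguous' or 'invalid'.

    0.0.0.0 and 255.255.255.255 are well formed in both notations but mean
    opposite things (host match vs. match anything), so they are reported as
    ambiguous rather than guessed at.
    """
    value = int(ipaddress.IPv4Address(mask))
    standard = _contiguous_ones_then_zeros(value)
    wildcard = _contiguous_ones_then_zeros(value ^ 0xFFFFFFFF)
    if standard and wildcard:
        return "ambiguous"
    if standard:
        return "standard"
    if wildcard:
        return "wildcard"
    return "invalid"


def invert_mask(mask: str) -> str:
    """Standard <-> wildcard conversion is a plain bitwise complement."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def normalize_mask(mask: str, mode: str) -> str:
    """Return the standard-notation mask the security appliance expects.

    mode is an assumed setting with three values (not the page's option names):
      'standard' - the RADIUS server already sends standard masks; pass through.
      'wildcard' - the RADIUS server sends wildcard masks; complement them.
      'auto'     - decide per mask from its bit pattern; refuse ambiguous masks.
    """
    kind = mask_kind(mask)
    if kind == "invalid":
        raise ValueError(f"{mask} is neither a standard nor a wildcard mask")
    if mode == "standard":
        return mask
    if mode == "wildcard":
        return invert_mask(mask)
    if mode == "auto":
        if kind == "ambiguous":
            raise ValueError(f"{mask} cannot be auto-detected; set the mode explicitly")
        return invert_mask(mask) if kind == "wildcard" else mask
    raise ValueError(f"unknown mode {mode!r}")


def convert_ace(ace: str, mode: str) -> str:
    """Rewrite every address/mask pair in one access-list entry.

    Tokens are scanned left to right; a dotted quad immediately followed by
    another dotted quad is treated as address + mask. The 'host' and 'any'
    keywords carry no mask and pass through untouched.
    """
    tokens = ace.split()
    out = []
    i = 0
    while i < len(tokens):
        if _is_ipv4(tokens[i]) and i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
            out.append(tokens[i])
            out.append(normalize_mask(tokens[i + 1], mode))
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample entries in the two notations the guide contrasts.
    from_concentrator = "permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255"
    print(convert_ace(from_concentrator, "wildcard"))
    print(convert_ace("permit tcp host 10.1.1.5 any eq 443", "auto"))
    print(mask_kind("255.255.255.255"))
```

The ambiguous case is the practical reason an automatic setting is not a complete answer: a RADIUS server that legitimately sends `255.255.255.255` as a wildcard (match any address) would be read by a standard-mask consumer as a single-host match, so when a server group mixes both notations the administrator, not the bit pattern, has to say which one is in use.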
ASDM User Guide 12-16 OL-12180-01