Cisco Systems OL-12180-01 NT Server Support, Kerberos Server Support

12-5

ASDM User Guide

OL-12180-01

Chapter12 Configuring AAA Servers and User Accounts AAA Server and Local Database Support

•Two-step Authentication Process, page 12-5

•SDI Primary and Replica Servers, page 12-5

The security appliance supports SDI Version5.0 and 6.0. SDI uses the concepts of an SDI primary and

SDIreplica servers. Each primary and its replicas share a single node secret file. The node secret file has

its name based on the hexadecimal value of the ACE/Server IP address with .sdi appended.

Aversion 5.0 or 6.0 SDI server that you configure on the security appliance can be either the primary or

any one of the replicas. See the “SDI Primary and Replica Servers” section for information about how

the SDI agent selects servers to authenticate users.

SDIversion 5.0 and 6.0 uses a two-step process to prevent an intruder from capturing information from

an RSA SecurID authentication request and using it to authenticate to another server. The Agent first

sends a lock request to the SecurID server before sending the user authentication request. The server

locksthe username, preventing another (replica) server from accepting it. This means that the same user

cannot authenticate to two security appliances using the same authentication servers simultaneously.

After a successful username lock, the security appliance sends the passcode.

The security appliance obtains the server list when the first user authenticates to the configured server,

which can be either a primary or a replica. The security appliance then assigns priorities to each of the

serverson the list, and subsequent server selection derives at random from those assigned priorities. The

highest priority servers have a higher likelihood of being selected.

NT Server Support

The security appliance supports Microsoft Windows server operating systems that support NTLM

version 1, collectively referred to as NT servers.

Note NTservers have a maximum length of 14 characters for user passwords. Longer passwords are truncated.

This is a limitation of NTLM version 1.

Kerberos Server Support

The security appliance supports 3DES, DES, and RC4 encryption types.

Note The security appliance does not support changing user passwords during tunnel negotiation. To avoid

this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory

server for users connecting to the security appliance.