
Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
31-4
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 31 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
Note: In addition to the native protocol authentication listed in Table 1-1, the adaptive security appliance
supports proxying authentication. For example, the adaptive security appliance can proxy to an RSA/SDI
and/or LDAP server via a RADIUS server. Authentication via digital certificates, and/or digital
certificates with the AAA combinations listed in the table, is also supported.
RADIUS Server Support
The adaptive security appliance supports the following RADIUS servers for AAA, in addition to the one
available on the adaptive security appliance itself:
• Cisco Secure ACS 3.2, 4.0, 4.1
• RSA RADIUS in RSA Authentication Manager 5.2 and 6.1
Authentication Methods
The adaptive security appliance supports the following authentication methods with RADIUS:
• PAP—For all connection types.
• CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.
• MS-CHAPv2—For L2TP-over-IPsec connections, and for regular IPsec remote access connections
when the password management feature is enabled. You can also use MS-CHAPv2 with clientless
connections.
• Authentication Proxy modes—Including RADIUS to Active Directory, RADIUS to RSA/SDI,
RADIUS to Token-server, and RSA/SDI to RADIUS connections.
Note: To enable MS-CHAPv2 as the protocol used between the adaptive security appliance and the RADIUS
server for a VPN connection, password management must be enabled in the tunnel group general
attributes. Enabling password management generates an MS-CHAPv2 authentication request from the
adaptive security appliance to the RADIUS server. See the description of the password-management
command for details.
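An added example, not taken from the Cisco guide: a small audit that reads a saved running-config and reports, for each tunnel group whose authentication-server-group is a RADIUS group, whether password-management is set in its general attributes, which is the precondition the note above gives for MS-CHAPv2 toward the RADIUS server. The sample configuration, group names and address are constructed, and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt for illustration (not from the guide).
SAMPLE_CONFIG = """\
aaa-server RAD-GRP protocol radius
aaa-server RAD-GRP (inside) host 192.0.2.10
aaa-server TAC-GRP protocol tacacs+
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 authentication-server-group RAD-GRP
tunnel-group RA-SSL type remote-access
tunnel-group RA-SSL general-attributes
 authentication-server-group (inside) RAD-GRP
 password-management password-expire-in-days 14
tunnel-group ADMIN-TG general-attributes
 authentication-server-group TAC-GRP
tunnel-group LOCAL-TG general-attributes
 default-group-policy GP1
"""

def radius_groups(config):
    """Return the names of aaa-server groups declared with protocol radius."""
    return set(re.findall(r"^aaa-server (\S+) protocol radius\s*$", config, re.M))

def audit_tunnel_groups(config):
    """Map each RADIUS-backed tunnel group to True if password-management is set."""
    radius = radius_groups(config)
    groups, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command ends any sub-mode
            m = re.match(r"tunnel-group (\S+) general-attributes\s*$", line)
            current = groups.setdefault(m.group(1), {"server": None, "pwmgmt": False}) if m else None
            continue
        words = line.split()
        if current is None or not words:
            continue
        if words[0] == "authentication-server-group":
            names = [w for w in words[1:] if not w.startswith("(")]  # skip "(interface)"
            current["server"] = names[0] if names else None
        elif words[0] == "password-management":
            current["pwmgmt"] = True
    return {name: s["pwmgmt"] for name, s in groups.items() if s["server"] in radius}

if __name__ == "__main__":
    for name, enabled in sorted(audit_tunnel_groups(SAMPLE_CONFIG).items()):
        status = "password-management set" if enabled else "password-management NOT set"
        print(f"{name}: {status}")
```

Tunnel groups that authenticate against TACACS+ or have no authentication server group are left out of the report, since the note applies only to RADIUS.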
Table 31-1 Summary of AAA Support (continued)

AAA Service        Database Type
                   Local  RADIUS   TACACS+  SDI (RSA)  NT  Kerberos  LDAP  HTTP Form
VPN connections    No     Yes      Yes      No         No  No        No    No
Firewall sessions  No     Yes      Yes      No         No  No        No    No
Administrators     No     Yes (6)  Yes      No         No  No        No    No

1. For SSL VPN connections, either PAP or MS-CHAPv2 can be used.
2. HTTP Form protocol supports both authentication and single sign-on operations for clientless SSL VPN users sessions only.
3. RSA/SDI is supported for ASDM HTTP administrative access with ASA5500 software version 8.2(1) or later.
4. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified
in a RADIUS authentication response.
5. Local command authorization is supported by privilege level only.
6. Command accounting is available for TACACS+ only.