Cisco ASA Series CLI Configuration Guide, Chapter 1: Configuring AAA Servers and the Local Database (page 1-6)
Information About AAA
locks the username, preventing another (replica) server from accepting it. This action means that the same user cannot authenticate to two ASAs using the same authentication servers simultaneously. After a successful username lock, the ASA sends the passcode.
RSA/SDI Primary and Replica Servers
The ASA obtains the server list when the first user authenticates to the configured server, which can be either a primary or a replica. The ASA then assigns priorities to each of the servers on the list, and subsequent server selection is derived at random from those assigned priorities. The highest priority servers have a higher likelihood of being selected.
NT Server Support
The ASA supports Microsoft Windows server operating systems that support NTLM Version 1, collectively referred to as NT servers.
Note NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated, which is a limitation of NTLM Version 1.
Kerberos Server Support
The ASA supports 3DES, DES, and RC4 encryption types.
Note The ASA does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the ASA.
For a simple Kerberos server configuration example, see Example 1-2 on page 1-18.
LDAP Server Support
The ASA supports LDAP. This section includes the following topics:
• Authentication with LDAP, page 1-6
• LDAP Server Types, page 1-7
Authentication with LDAP
During authentication, the ASA acts as a client proxy to the LDAP server for the user, and authenticates to the LDAP server either in plain text or by using the SASL protocol. By default, the ASA passes the authentication parameters, usually a username and password, to the LDAP server in plain text.
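The difference between that default and a hardened server definition, shown as an added example that is not taken from the guide: an aaa-server group whose host entry first leaves the defaults in place, so the bind credentials and the user's password cross the network in the clear, followed by the same host with LDAP over SSL and a SASL mechanism enabled. The group name LDAP-SRV, the address 192.0.2.10, the interface name, the directory DNs and the bind password placeholder are assumed values chosen for the example.

```cisco
! --- Default (weak): no ldap-over-ssl, no sasl-mechanism ---
! The ASA binds with ldap-login-dn/ldap-login-password and then passes
! the user's credentials to the server in plain text on TCP/389.
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 server-type microsoft
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=example,dc=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER

! --- Hardened: same host, transport encrypted and SASL used for the bind ---
! ldap-over-ssl wraps the whole exchange in TLS (server-port moves to 636);
! sasl-mechanism digest-md5 replaces the plain-text simple bind with the
! Digest-MD5 exchange described in this section.
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 sasl-mechanism digest-md5
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=example,dc=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
```

To confirm which form is in effect, `show running-config aaa-server LDAP-SRV` lists the host entry with or without the `ldap-over-ssl enable` and `sasl-mechanism` lines, and `test aaa-server authentication LDAP-SRV host 192.0.2.10 username <user> password <password>` exercises the bind against the server without involving a VPN or console session.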
The ASA supports the following SASL mechanisms, listed in order of increasing strength:
• Digest-MD5—The ASA responds to the LDAP server with an MD5 value computed from the username and password.