1-17
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring AAA Servers and the Local Database
Configuring AAA
Examples
Example 1-1 shows how to add one TACACS+ group with one primary and one backup server, one
RADIUS group with a single server, and an NT domain server.
Example 1-1 Multiple AAA Server Groups and Servers
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.2
ldap-login-password LDAP —
ldap-naming-attribute LDAP —
ldap-over-ssl LDAP 636 If not set, the ASA uses sAMAccountName for
LDAP requests. Whether using SASL or plain
text, you can secure communications between
the ASA and the LDAP server with SSL. If you
do not configure SASL, we strongly
recommend that you secure LDAP
communications with SSL.
ldap-scope LDAP —
mschapv2-capable RADIUS enabled
nt-auth-domain-controller NT —
radius-common-pw RADIUS —
retry-interval Kerberos 10 seconds
RADIUS 10 seconds
SDI 10 seconds
sasl-mechanism LDAP —
server-port Kerberos 88
LDAP 389
NT 139
SDI 5500
TACACS+ 49
server-type LDAP auto-discovery If auto-detection fails to determine the LDAP
server type, and you know the server is either a
Microsoft, Sun or generic LDAP server, you
can manually configure the server type.
timeout All 10 seconds
Table 1-2 Host Mode Commands, Server Types, and Defaults (continued)
Command
Applicable AAA Server
Types Default Value Description
To Next Page
Loading...
