AAA
Cisco ASA can offload administrative authentication to an external AAA server that speaks RADIUS or TACACS+. To set up an external authentication server for SecureMe, for example, follow these three steps:
Step 1. Select an authentication protocol.
SecureMe wants to use an external RADIUS server to authenticate Telnet and SSH connections to the Cisco ASA. Navigate to Configuration > Features > Properties > AAA Setup > AAA Server Groups and click Add to define a server group and the protocol it uses, as shown in Figure 19-15. The server group name is Rad and the selected protocol is RADIUS.
Figure 19-15. Specifying an Authentication Protocol
Step 2. Define an authentication server.
To specify an authentication server, navigate to Configuration > Features > Properties > AAA Setup > AAA Servers and click Add to open the Add AAA Server window, shown in Figure 19-16. Select the server group name defined in the previous step. Because the AAA server is reachable through the inside interface, select inside from the Interface Name drop-down menu. The IP address of the RADIUS server is 192.168.10.105, and the shared secret between the server and the Cisco ASA is cisco123 (displayed as asterisks). The shared secret must match the entry for this ASA on the RADIUS server; a mismatch shows up as authentication failures, not as a configuration error.
Figure 19-16. Defining an Authentication Server
Step 3. Map the configured authentication server.
Navigate to Configuration > Features > Device Administration > Administration > AAA Access > Authentication to map the configured RADIUS server to the appropriate login processes. As shown in Figure 19-17, select the server group Rad for the Enable, SSH, and Telnet entries. The Cisco ASA is also set up to fall back to the local user database (LOCAL) if the RADIUS server is unreachable. Note that the fallback is used only when no server in the group responds; a RADIUS server that answers and rejects the credentials does not cause a fallback to LOCAL. For the fallback to be of any use, at least one administrative account must exist in the local database, and it is prudent to keep a console session open while testing. Click Apply to send the configuration commands to the Cisco ASA, then verify the server from the CLI with the test aaa-server authentication command before closing your existing session.
Figure 19-17. Mapping the Authentication Server
Example 19-7 shows the complete AAA configuration generated by ASDM.
Example 19-7. AAA Configuration Generated by ASDM
aaa-server Rad protocol radius
aaa-server Rad host 192.168.10.105
 key cisco123
aaa authentication enable console Rad LOCAL
aaa authentication ssh console Rad LOCAL
aaa authentication telnet console Rad LOCAL
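The most common way to lock yourself out of an ASA is an aaa authentication line that points at a server group with no reachable host and no LOCAL fallback, or a LOCAL fallback with no local user behind it. The following script is an added example, not code from the book or from Cisco: it lints an ASA configuration fragment for exactly those conditions before the change is applied. The sample configuration embedded in it is constructed for the example (it reuses the Example 19-7 commands, adds a hypothetical local user admin, and adds a deliberately broken http line that references an undefined group Tac); run it against the output of show running-config aaa-server, aaa and username on a real unit.

```python
"""Lint an ASA AAA configuration fragment for administrative lockout risks.

Added example (not from the book or Cisco). Checks that every
'aaa authentication ... console' line references a defined aaa-server group
with at least one host, that a LOCAL fallback is present, and that a local
username exists so the fallback can actually succeed.
"""
import re

# Constructed sample (not from the book): the Example 19-7 commands plus a
# hypothetical local user and one deliberately broken line (group Tac is
# never defined and has no LOCAL fallback).
SAMPLE_CONFIG = """\
aaa-server Rad protocol radius
aaa-server Rad (inside) host 192.168.10.105
 key cisco123
username admin password Secr3t privilege 15
aaa authentication enable console Rad LOCAL
aaa authentication ssh console Rad LOCAL
aaa authentication telnet console Rad LOCAL
aaa authentication http console Tac
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) (?:\(\S+\) )?host (\S+)")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)( LOCAL)?$")
USER_RE = re.compile(r"^username (\S+) ")


def parse_aaa(config):
    """Return (groups, auth, users) from an ASA running-config fragment.

    groups: group name -> {"protocol": str or None, "hosts": [ip, ...]}
    auth:   login type (enable/ssh/telnet/http/serial) -> (group, has_local_fallback)
    users:  set of locally defined usernames
    """
    groups, auth, users = {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()  # 'key' and other sub-mode lines are indented
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = {"protocol": m.group(2), "hosts": []}
        elif m := HOST_RE.match(line):
            # A host line for a group that was never declared is itself an
            # error; record it with protocol None so lint_aaa can report it.
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            groups[m.group(1)]["hosts"].append(m.group(2))
        elif m := AUTH_RE.match(line):
            auth[m.group(1)] = (m.group(2), m.group(3) is not None)
        elif m := USER_RE.match(line):
            users.add(m.group(1))
    return groups, auth, users


def lint_aaa(config):
    """Return a list of findings; an empty list means no lockout risk found."""
    groups, auth, users = parse_aaa(config)
    findings = []
    for name, g in sorted(groups.items()):
        if g["protocol"] is None:
            findings.append(f"group {name!r} has hosts but no 'protocol' line")
    for conn, (group, fallback) in sorted(auth.items()):
        if group != "LOCAL":
            if group not in groups:
                findings.append(f"{conn}: server group {group!r} is not defined")
            elif not groups[group]["hosts"]:
                findings.append(f"{conn}: server group {group!r} has no hosts")
            if not fallback:
                findings.append(
                    f"{conn}: no LOCAL fallback; an unreachable {group} locks administrators out"
                )
        # LOCAL only helps if a local account exists to authenticate against.
        if (group == "LOCAL" or fallback) and not users:
            findings.append(f"{conn}: LOCAL is the fallback but no 'username' is defined")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print("WARN", finding)
```

The lint deliberately treats a server that answers and rejects credentials as out of scope: that case never triggers the LOCAL fallback on the ASA, so the only protection against it is the test aaa-server authentication check mentioned in Step 3 and a console session kept open while the change is applied.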