Defining an Authentication Server
Before configuring an authentication server on Cisco ASA, you must specify AAA server groups with the aaa-server command. The syntax of the aaa-server command to specify a new AAA server group and the respective protocol is as follows:
aaa-server server-tag protocol server-protocol
server-tag is the server group name that is referenced by the other AAA command, and server-protocol is the name of the supported AAA protocol. Example 7-1 shows the different authentication protocols that can be defined within a AAA server group.
Example 7-1. AAA Server Group Authentication Protocols
Chicago(config)# aaa-server mygroup protocol ? kerberos Protocol Kerberos ldap Protocol LDAP nt Protocol NT radius Protocol RADIUS sdi Protocol SDI tacacs+ Protocol TACACS+
In Example 7-1, the AAA server group tag is named mygroup. After defining the AAA server group with the respective authentication protocol, you are shown the (config-aaa-server) prompt, which has several subcommands and options that are shown in Example 7-2.
Example 7-2. AAA Server Group Configuration Options
Chicago(config)# aaa-server mygroup protocol radius Chicago(config-aaa-server)# ? aaa-server group configuration commands: accounting-mode Enter this keyword to specify accounting mode max-failed-attempts Specify the maximum number of failures that will be allowed for any server in the group before that server is deactivated no Remove an item from aaa-server group configuration reactivation-mode Specify the method by which failed servers are reactivated
In Example 7-2, the AAA server group mygroup was configured for RADIUS authentication. You can specify the accounting mode using the accounting-mode subcommand with one of these options:
- simultaneous Indicates that accounting messages are sent to all servers in the group
- single Indicates that accounting messages are sent to a single server
Note
Accounting mode options are available only if you are configuring a AAA server group for RADIUS or TACACS+.
The max-failed-attempts subcommand specifies the maximum allowed number of communication failures for any server in the AAA server group before that server is disabled or deactivated. The maximum number of failures can be configured in a range from 1 to 5.
Cisco ASA supports two different AAA server reactivation policies or modes:
- Timed mode The failed or deactivated servers are reactivated after 30 seconds of downtime. Example 7-3 includes the subcommand to enable server reactivation in timed mode.
- Depletion mode The failed or deactivated servers remain inactive until all other servers within the configured group are inactive. Example 7-4 shows the Cisco ASA configured with a server group called mygroup, a maximum allowed number of communication failures set to 4, and server reactivation in depletion mode.
Example 7-3. AAA Server Reactivation in Timed Mode
Chicago(config-aaa-server)# reactivation-mode timed
Example 7-4. AAA Server Reactivation in Depletion Mode
Chicago# configure terminal Chicago(config)# aaa-server mygroup protocol radius Chicago(config-aaa-server)# max-failed-attempts 4 Chicago(config-aaa-server)# reactivation-mode depletion deadtime 5 Chicago(config-aaa-server)# exit Chicago(config)# exit
The deadtime keyword stipulates the amount of time that will elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. The deadtime value in this example is set to 5 minutes.
To specify the AAA servers that will belong to specific groups, use the following command:
aaa-server server-tag host ip_address
Example 7-5 shows all the AAA server host configuration options.
Example 7-5. AAA Server Host Available Configuration Options
Chicago(config-aaa-server)# ? aaa-server host configuration commands: accounting-port Specify the port number to be used for accounting authentication-port Specify the port number to be used for authentication key Specify the secret used to authenticate the NAS to the AAA server no Remove an item from aaa-server host configuration radius-common-pw Specify a common password for all RADIUS authorization transactions retry-interval Specify the amount of time between retry attempts timeout Specify the maximum time to wait for response from configured server
Example 7-6 shows the Cisco ASA configured with two AAA servers under the server group called mygroup.
Example 7-6. AAA Server Host Configuration
Chicago# configure terminal Chicago(config)# aaa-server mygroup host 172.18.124.11 Chicago(config-aaa-server)# retry-interval 3 Chicago(config-aaa-server)# timeout 30 Chicago(config-aaa-server)# key cisco123 Chicago(config-aaa-server)# exit Chicago(config)# aaa-server mygroup host 172.18.124.12 Chicago(config-aaa-server)# retry-interval 3 Chicago(config-aaa-server)# timeout 30 Chicago(config-aaa-server)# key cisco123 Chicago(config-aaa-server)# exit Chicago(config)# exit
To view statistics about all AAA servers defined for a specific protocol, use the following command:
show aaa-server protocol server-protocol
Example 7-7 includes the output of this command for the RADIUS protocol.
Example 7-7. Output of the show aaa-server protocol Command
Chicago# show aaa-server protocol radius Server Group: mygroup Server Protocol: radius Server Address: 172.18.124.11 Server port: 1645(authentication), 1646(accounting) Server status: ACTIVE, Last transaction at unknown Number of pending requests 0 Average round trip time 0ms Number of authentication requests 55 Number of authorization requests 13 Number of accounting requests 45 Number of retransmissions 0 Number of accepts 54 Number of rejects 1 Number of challenges 54 Number of malformed responses 0 Number of bad authenticators 0 Number of timeouts 0 Number of unrecognized responses 0 Server Group: mygroup Server Protocol: radius Server Address: 172.18.124.12 Server port: 1645(authentication), 1646(accounting) Server status: ACTIVE, Last transaction at unknown Number of pending requests 0 Average round trip time 0ms Number of authentication requests 0 Number of authorization requests 0 Number of accounting requests 0 Number of retransmissions 0 Number of accepts 0 Number of rejects 0 Number of challenges 0 Number of malformed responses 0 Number of bad authenticators 0 Number of timeouts 0 Number of unrecognized responses 0 Chicago#
To show the configuration of a specific AAA server, use the following command:
show running-config aaa-server [server-group [(if_name) host ip_address]]
To show statistics about a specific AAA server, use the following command:
show aaa-server [server-tag [host hostname]]
Example 7-8 includes the output of this command for server 172.18.124.11.
Example 7-8. Output of the show aaa-server Command for a Specific Host
Chicago# show aaa-server mygroup host 172.18.124.11 Server Group: mygroup Server Protocol: radius Server Address: 172.18.124.11 Server port: 1645(authentication), 1646(accounting) Server status: ACTIVE, Last transaction at unknown Number of pending requests 0 Average round trip time 0ms Number of authentication requests 55 Number of authorization requests 13 Number of accounting requests 45 Number of retransmissions 0 Number of accepts 54 Number of rejects 1 Number of challenges 54 Number of malformed responses 0 Number of bad authenticators 0 Number of timeouts 0 Number of unrecognized responses 0
To clear the AAA server statistics for a specific server, use this command:
clear aaa-server statistics [tag [host hostname]]
To clear the AAA server statistics for all servers providing services for a specific protocol, use this command:
clear aaa-server statistics protocol server-protocol
To clear a specific AAA server group, use this command:
clear configure aaa-server [server-tag]