Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

Defining an Authentication Server

Before configuring an authentication server on Cisco ASA, you must specify AAA server groups. A server group defines the attributes of one or more AAA servers. This information includes the AAA protocol used, IP address of the AAA servers, and other related information. Complete the following steps to accomplish this using ASDM:

  • Step 1. Log in to ASDM and navigate to Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server Groups.
  • Step 2. By default the LOCAL Server group is present in the configuration. To add a AAA server group click on Add.
  • Step 3. The screen illustrated in Figure 6-4 is shown. Enter a server group name under the Server Group field, as illustrated in Figure 6-4. The AAA server group name used in this example is my-radius-group.
    Figure 6-4

    Figure 6-4 Add AAA Server Group Dialog Box

  • Step 4. Select the AAA protocol to be used from the Protocol drop-down list. RADIUS is used in this example; however, you can choose from any of the following server types:
    • RADIUS
    • TACACS+
    • SDI
    • NT Domain
    • Kerberos
    • LDAP
    • HTTP Form
  • Step 5. Several of the parameters in this dialog box depend on the authentication protocol that is used. In this example all the other fields are left with default values. The Accounting Mode field has two options: Simultaneous and Single. When single mode is selected, the Cisco ASA sends accounting data to only one accounting server. To send accounting data to all servers in the group select Simultaneous.
  • Step 6. Depletion is selected in the Reactivation Mode field. The reactivation mode is used to control the behavior when AAA servers fail. When depletion mode is selected in the Cisco ASA, failed servers are reactivated only after all the servers in the group are inactive. If this option is selected you must add a time interval in the Dead Time field. In this example, the default value is configured (10 minutes).

    Alternatively, you can select Timed mode where failed servers are reactivated after 30 seconds of down time.

  • Step 7. The Max Failed Attempts is used to limit the maximum number of failed authentication attempts. The default is 3 attempts.
  • Step 8. Click OK.
  • Step 9. Click Apply to apply the configuration changes.
  • Step 10. Click Save to save the configuration in the Cisco ASA.

Complete the following steps to add the AAA server to the AAA server group that was previously configured:

  • Step 1. Log in to ASDM and navigate to Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server Groups.
  • Step 2. Click on Add under the Servers in the Selected Group (while selecting the group called my-radius-group. The dialog box shown in Figure 6-5 is displayed.
    Figure 6-5

    Figure 6-5 Add AAA Server Dialog Box

  • Step 3. As you see in Figure 6-5, the Server Group my-radius-group is already pre-populated in the screen. Select the interface where the RADIUS server resides, using the Interface Name pull-down menu. In this example, the RADIUS server is reachable through the management interface.
  • Step 4. Enter the AAA server name or IP address under the Server Name or IP Address field. In this example, the RADIUS server's IP address is 172.18.124.145.
  • Step 5. Specify the amount of time (in seconds) that the Cisco ASA waits before timing out the authentication session under the Timeout field. The default value of 10 seconds is used in this example.
  • Step 6. You can specify the port used by the Cisco ASA to communicate to the RADIUS server for authentication purposes. In this example, the default RADIUS authentication port 1645 is entered under the Server Authentication Port field.
  • Step 7. Similarly, you can specify the port used by the Cisco ASA to communicate to the RADIUS server for accounting. In this example, the default RADIUS accounting port 1646 is entered under the Server Accounting Port field.
  • Step 8. The Retry Interval is the amount of time the Cisco ASA waits to retry an authentication attempt, in case the RADIUS server does not respond. The default value of 10 seconds is used in this example.
  • Step 9. Enter the secret key used by the Cisco ASA and the RADIUS server to authenticate each other under the Server Secret Key field. This can be a string of up to 64 characters.
  • Step 10. Enter a case-sensitive password that is common among users who access this RADIUS authorization server via the Cisco ASA under the Common Password field. If you do not use a common password, the user's username is used as the password when accessing the RADIUS authorization server.
  • Step 11. You can optionally specify how the Cisco ASA will handle netmasks received in downloadable ACLs (covered later in this chapter) by selecting any of the following in the ACL Netmask Convert pull down menu:
    • Detect automatically—The Cisco ASA automatically detects a wildcard netmask expression and converts it to a standard netmask.
    • Standard—The Cisco ASA honors the netmask received from the RADIUS server and does not perform any translation from wildcard netmask expressions.
    • Wildcard—The Cisco ASA converts all netmasks to standard netmask expressions.
    The default value (Standard) is used in this example.
  • Step 12. Click OK.
  • Step 13. Click Apply to apply the configuration changes.
  • Step 14. Click Save to save the configuration in the Cisco ASA.

If you are using the command line interface (CLI) to configure the Cisco ASA, specify AAA server groups with the aaa-server command. The syntax of the aaa-server command to specify a new AAA server group and the respective protocol is as follows:

aaa-server server-tag protocol server-protocol

The server-tag keyword is the server group name that is referenced by the other AAA command, and server-protocol is the name of the supported AAA protocol. Example 6-1 shows the different authentication protocols that can be defined within a AAA server group.

Example 6-1. AAA Server Group Authentication Protocols

New York(config)# aaa-server my-radius-group protocol ?
  kerberos  Protocol Kerberos
  ldap      Protocol LDAP
  nt        Protocol NT
  radius    Protocol RADIUS
  sdi       Protocol SDI
  tacacs+   Protocol TACACS+

In Example 6-1, the AAA server group tag is named my-radius-group. After defining the AAA server group with the respective authentication protocol, you are shown the (config-aaa-server) prompt. Example 6-2 shows the commands that are used to accomplish the same tasks that were previously demonstrated for ASDM.

Example 6-2. Configuring the AAA Server Using the CLI

NewYork(config)# aaa-server my-radius-group protocol radius
NewYork(config-aaa-server-group)# aaa-server my-radius-group (management) host
172.18.124.145
NewYork(config-aaa-server-host)#  key myprivatekey
NewYork(config-aaa-server-host)#  radius-common-pw mycommonpassword

In Example 6-2, the AAA server group my-radius-group is defined to process authentication requests using the RADIUS protocol. In the second line the RADIUS server (172.18.124.145) is defined, as well as the interface (management) where the RADIUS server resides. The key used for authentication is myprivatekey. The RADIUS common password is set to mycommonpassword.

You can also use the max-failed-attempts subcommand, which specifies the maximum allowed number of communication failures for any server in the AAA server group before that server is disabled or deactivated. The maximum number of failures can be configured in a range from 1 to 5.

Cisco ASA supports two different AAA server reactivation policies or modes:

  • Timed mode—The failed or deactivated servers are reactivated after 30 seconds of downtime.
  • Depletion mode—The failed or deactivated servers remain inactive until all other servers within the configured group are inactive.

To view statistics about all AAA servers defined for a specific protocol, use the following command:

show aaa-server protocolserver-protocol

Example 6-3 includes the output of this command for the RADIUS protocol.

Example 6-3. Output of the show aaa-server protocol Command

New York# show aaa-server protocol radius
Server Group:    mygroup
Server Protocol: radius
Server Address:  172.18.124.145
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests               0
Average round trip time                  0ms
Number of authentication requests       55
Number of authorization requests        13
Number of accounting requests           45
Number of retransmissions               0
Number of accepts                       54
Number of rejects                        1
Number of challenges                    54
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                       0
Number of unrecognized responses        0

Several counters can be helpful when troubleshooting AAA-related problems. For instance, you can compare the number of authentication requests versus the number of authentication rejects and accepts. Additionally, you should pay attention to any malformed authentication requests, unrecognized responses, or timeouts to determine whether there is a communication problem with the AAA server.

To show the configuration of a specific AAA server, use the following command:

show running-config aaa-server [server-group [(if_name) host ip_address]]

To show statistics about a specific AAA server, use the following command:

show aaa-server [server-tag [host hostname]]

Example 6-4 includes the output of this command for server 172.18.124.145.

Example 6-4. Output of the show aaa-server Command for a Specific Host

New York# show aaa-server mygroup host 172.18.124.145
Server Group:    my-radius-group
Server Protocol: radius
Server Address:  172.18.124.145
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests               0
Average round trip time                  0ms
Number of authentication requests       55
Number of authorization requests        13
Number of accounting requests           45
Number of retransmissions               0
Number of accepts                        54
Number of rejects                        1
Number of challenges                     54
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                       0
Number of unrecognized responses        0

To clear the AAA server statistics for a specific server, use this command:

clear aaa-server statistics [tag [host hostname]]

To clear the AAA server statistics for all servers providing services for a specific protocol, use this command:

clear aaa-server statistics protocol server-protocol

To erase a specific AAA server group from the configuration, use this command:

clear configure aaa-server [server-tag]
  • + Share This
  • 🔖 Save To Your Account