Defining the AAA Server


Use the configuration mode aaa-server commands to define AAA server groups. A server group is identified by a tag name, and the servers in it are tried in the order they were entered: if the first server in the group cannot be reached, AAA fails over to the next server in the same group. Failover is triggered by an unreachable server, not by a rejected credential, so a denied login is never retried against another server. There can be up to 14 tag groups, each with up to 14 AAA servers, for a total of up to 196 AAA servers.

Creating a Server Group (Optional)

The following command creates a server group, assigns it a name (server_tag), and, most important, fixes the protocol the group speaks. Use the clear aaa-server command to remove a named server group. The syntax is

Pix(config)# aaa-server server_tag protocol [tacacs+ | radius]
Pix(config)# clear aaa-server server_tag

This command is optional because PIX Firewall v6.2 predefines three server groups that can be used as they are. The show aaa-server command lists them.

Pix(config)# show aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
Pix(config)#

Notice that each default group's tag is simply its protocol name; this keeps configurations from older OS versions working unchanged. Create additional groups only when several AAA servers are in use and separate groups help keep their roles straight. The LOCAL group was added in version 6.2 and can be used for authentication and command authorization; this new feature is covered in the next section.

The following commands create separate TACACS+ server groups for inbound and outbound traffic, plus a RADIUS group for accounting. The server tags are up to the administrator but should be descriptive, and they are case sensitive.

Pix(config)# aaa-server TacIn protocol tacacs+
Pix(config)# aaa-server TacOut protocol tacacs+
Pix(config)# aaa-server RadAcctg protocol radius

The remaining AAA commands use the group tag to identify which group of servers will perform the AAA function.

Defining the Server Group

The next command adds a server to a group. It names the PIX interface the server is reached through, the server IP address, an optional key shared with the AAA server, and an optional retransmit timer. If the interface is omitted, (inside) is assumed. When more than one server is defined in a group, they are used in order of entry. The command does not verify that the server exists or is reachable, so a mistyped address shows up only when requests to it start timing out. Use the no form of the command to remove a server from the group. The syntax is

Pix(config)# aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]
Pix(config)# no aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]

host server_ip

IP address of the TACACS+ or RADIUS server.

key

Case-sensitive alphanumeric key of up to 127 characters, shared by the PIX and the AAA server and used to encrypt the traffic between them. It must be configured identically on the server. Spaces are not allowed, but most other special characters are. If the key is omitted, the exchange with the server is sent unencrypted.

timeout seconds

Retransmit timer: how long the PIX waits for a reply to each transmit attempt. After four unanswered attempts the PIX gives up on that server and moves to the next one in the group. Default: 5 seconds (range 1 to 30 seconds).


Note

The server_tag is case sensitive. The way you type it here determines how it must be written in every later AAA command. If you type the name of one of the default groups in any other case (tacacs+, Radius, and so on), the host command does not attach the server to the default group; it silently creates a new group with that tag and, because no protocol was declared for it, gives that group the default protocol, tacacs+.

The following example demonstrates why case matters. The first show aaa-server displays the default groups. The two aaa-server host commands that follow are meant to assign a server to each default group (TACACS+ and RADIUS) but spell the tags in lowercase. The second show aaa-server reveals that two new groups, tacacs+ and radius, were created instead, that both use the tacacs+ protocol (so the server at 192.168.1.4, intended as a RADIUS server, would be addressed with the wrong protocol), and that the default groups are still empty. Note also that the output records the timeout actually applied to each entry, including the one entered without a timeout keyword; read it back rather than assuming the default.

Pix(config)# show aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
Pix(config)# aaa-server tacacs+ (inside) host 192.168.1.3 3key timeout 20
Pix(config)# aaa-server radius host 192.168.1.4 4key
Pix(config)# show aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 192.168.1.3 3key timeout 20
aaa-server radius protocol tacacs+
aaa-server radius (inside) host 192.168.1.4 4key timeout 10
Pix(config)#

The following example creates the RadIn and TacOut server groups and defines two inside servers in each. From the previous example you know that the first command, aaa-server RadIn protocol radius, is necessary: without it the first RadIn host command would create the group with protocol tacacs+. The aaa-server TacOut protocol tacacs+ command could be omitted, since tacacs+ is the protocol an implicitly created group gets anyway, but declaring it makes the intent explicit.

Pix(config)# aaa-server RadIn protocol radius
Pix(config)# aaa-server RadIn (inside) host 192.168.1.5 5key timeout 10
Pix(config)# aaa-server RadIn (inside) host 192.168.1.6 6key
Pix(config)# aaa-server TacOut protocol tacacs+
Pix(config)# aaa-server TacOut host 192.168.1.7 7key timeout 20
Pix(config)# aaa-server TacOut host 192.168.1.8 8key
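As an added example, not from the original text or from Cisco, the Python script below replays a list of aaa-server lines the way the PIX does and reports the configuration slips this section warns about: a host command whose tag was never declared with protocol (so the group is silently created as tacacs+, including lowercase variants of TACACS+ and RADIUS), more than 14 groups or 14 servers per group, keys longer than 127 characters, timeouts outside 1 to 30 seconds, a missing shared key, and the failover order implied by entry order. The sample configuration embedded in it is constructed from the commands above (with one timeout deliberately out of range); treating the three predefined groups as not counting toward the 14-group limit is an assumption.

```python
"""Lint PIX 6.2-style aaa-server lines for the pitfalls described above.
Added example, not from the page or from Cisco; it models only the behaviour
the text documents."""
import re

# Groups PIX 6.2 predefines, and the limits quoted in the text.
DEFAULT_GROUPS = {"TACACS+": "tacacs+", "RADIUS": "radius", "LOCAL": "local"}
MAX_GROUPS, MAX_HOSTS, MAX_KEY_LEN, TIMEOUT_RANGE = 14, 14, 127, range(1, 31)

PROTO_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(tacacs\+|radius|local)$")
HOST_RE = re.compile(
    r"^aaa-server\s+(\S+)(?:\s+\((\S+)\))?\s+host\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?!timeout\b)(\S+))?(?:\s+timeout\s+(\d+))?$")


def parse_aaa_servers(config_text):
    """Replay aaa-server lines in order, as the PIX does: the predefined
    groups exist up front, tags are case sensitive, and a 'host' line naming
    an unknown tag silently creates that tag with protocol tacacs+.
    Returns {tag: {"protocol", "explicit", "hosts"}} in definition order."""
    groups = {tag: {"protocol": proto, "explicit": True, "hosts": []}
              for tag, proto in DEFAULT_GROUPS.items()}
    for raw in config_text.splitlines():
        line = re.sub(r"^\S+\(config\)#\s*", "", raw.strip())  # drop CLI prompt
        m = PROTO_RE.match(line)
        if m:
            tag, proto = m.groups()
            grp = groups.setdefault(tag, {"hosts": []})
            grp.update(protocol=proto, explicit=True)
            continue
        m = HOST_RE.match(line)
        if m:
            tag, if_name, ip, key, timeout = m.groups()
            grp = groups.setdefault(
                tag, {"protocol": "tacacs+", "explicit": False, "hosts": []})
            grp["hosts"].append({
                "if_name": if_name or "inside",  # documented default interface
                "ip": ip, "key": key,
                "timeout": int(timeout) if timeout else None})
    return groups


def lint_aaa_servers(config_text):
    """Return (severity, message) findings for the parsed configuration."""
    groups = parse_aaa_servers(config_text)
    findings = []
    # Assumption: the three predefined groups do not count toward the limit.
    user_groups = [t for t in groups if t not in DEFAULT_GROUPS]
    if len(user_groups) > MAX_GROUPS:
        findings.append(("error", f"{len(user_groups)} server groups defined; "
                                  f"the limit is {MAX_GROUPS}"))
    for tag, grp in groups.items():
        if not grp["explicit"]:
            # A case variant of an existing tag is the classic slip from the text.
            twin = next((t for t in groups if t != tag and t.lower() == tag.lower()), None)
            hint = f"; did you mean '{twin}'?" if twin else ""
            findings.append(("error", f"group '{tag}' was never declared with 'protocol' "
                                      f"and was created implicitly as tacacs+{hint}"))
        hosts = grp["hosts"]
        if len(hosts) > MAX_HOSTS:
            findings.append(("error", f"group '{tag}' has {len(hosts)} servers; "
                                      f"the limit is {MAX_HOSTS}"))
        for h in hosts:
            where = f"group '{tag}' host {h['ip']}"
            if h["key"] is None:
                findings.append(("warn", f"{where}: no shared key, so the exchange "
                                         f"with the server is not encrypted"))
            elif len(h["key"]) > MAX_KEY_LEN:
                findings.append(("error", f"{where}: key longer than {MAX_KEY_LEN} characters"))
            if h["timeout"] is not None and h["timeout"] not in TIMEOUT_RANGE:
                findings.append(("error", f"{where}: timeout {h['timeout']} is outside 1-30 seconds"))
        if len(hosts) > 1:
            # Entry order is failover order; the PIX moves on only when a
            # server cannot be reached, never because it rejected credentials.
            order = " -> ".join(h["ip"] for h in hosts)
            findings.append(("info", f"group '{tag}' failover order: {order}"))
    return findings


# Constructed sample: the case slip from the text, two correctly declared
# groups, and one timeout pushed out of range on purpose.
SAMPLE_CONFIG = """\
Pix(config)# aaa-server tacacs+ (inside) host 192.168.1.3 3key timeout 20
Pix(config)# aaa-server radius host 192.168.1.4 4key
Pix(config)# aaa-server RadIn protocol radius
Pix(config)# aaa-server RadIn (inside) host 192.168.1.5 5key timeout 10
Pix(config)# aaa-server RadIn (inside) host 192.168.1.6 6key
Pix(config)# aaa-server TacOut protocol tacacs+
Pix(config)# aaa-server TacOut host 192.168.1.7 7key timeout 45
"""

if __name__ == "__main__":
    for severity, message in lint_aaa_servers(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Because the parser strips the Pix(config)# prompt and ignores anything that is not an aaa-server line, you can paste either a command transcript or the body of show aaa-server into it; running it against the transcript above reports the lowercase tacacs+ and radius groups as implicitly created, with the matching default group suggested for each.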