Supported AAA Server Technologies

The Cisco Security Appliance supports six AAA server authentication protocols:
■ Remote Authentication Dial-In User Service (RADIUS)—RADIUS was developed by
Livingston Enterprises as an AAA server. It uses a UDP connection between the client
(NAS) and the server (AAA). RADIUS combines the authentication and authorization
into a single response to a query from the NAS. By default, RADIUS authentication is
performed on TCP port 1645.
■ Terminal Access Controller Access Control System Plus (TACACS+)—TACACS+ was
developed by Cisco Systems as an alternative to RADIUS. TACACS+ uses a TCP
connection between the client and server and divides the authentication and authorization
into separate transmissions. The default port for TACACS+ is TCP port 49.
■ SDI—RSA SecurID uses a username and one-time password to authenticate an end user
or application. This authentication type is used for VPN authentication to the Security
Appliance VPN server.
■ NT—Supports Microsoft Windows NTLM version 1 authentication for VPN
authentication.
■ Kerberos—Supports Kerberos authentication for VPN end-user access; 3DES, DES, and
RC4 encryption types are supported through Kerberos.
■ Lightweight Directory Access Protocol (LDAP)—Supports LDAP through tunnel-groups
for VPN authentication.