Identifying the AAA Server and NAS
You must be sure to have the correct information about your AAA server before you attempt
to configure your Security Appliance. You use the aaa-server command (from configuration
mode on the Security Appliance) to specify the AAA server. Remember that you are dealing
with at least two devices: the Security Appliance and the Cisco Secure ACS.
You must configure the Security Appliance to recognize the Cisco Secure ACS as its AAA
server for authentication. You also must configure the Cisco Secure ACS to communicate
with the Security Appliance with the necessary account information so that the Cisco Secure
ACS can validate authentication requests from the Security Appliance. To accomplish both
tasks, you need to use the following commands:
aaa-server server-tag protocol auth-protocol
aaa-server server-tag [if-name] host server-ip key [timeout seconds]
[Figure: network topology for this chapter's example. CSACS 172.16.1.2; Client 192.168.1.28; Web Server 10.10.10.10; FTP Server 10.10.10.20; PIX_Firewall 172.16.1.254]
Configuring AAA on the Cisco Security Appliance 543
You must define the following command options and parameters for the configuration to be
successful:
■ aaa-server—Designates the AAA server or server group. A group can have as many as
16 servers, and the PIX Firewall can handle up to 15 single-mode groups of AAA servers,
for a total of 240 AAA servers. This enables you to tailor which AAA servers handle
certain services and lets you configure your AAA servers for redundancy. When a user
logs in, the NAS contacts the first server in the group (see the server-tag description). If
it does not receive a response within the designated timeout period, it moves to the next
server in the group.
■ server-tag—The name used for the AAA server group. The server-tag is also used in the
aaa authentication, aaa authorization, and aaa accounting commands.
■ protocol auth-protocol—The type of AAA server used (kerberos, ldap, NT, SDI,
TACACS+, or RADIUS).
■ if-name—The interface name for the interface on which the AAA server resides. This
designates how the firewall connects to the AAA server.
■ host server-ip—The AAA server’s IP address.
■ key—A shared secret between the Cisco Secure ACS (server) and the Security Appliance
(client). It is an alphanumeric password that can be as many as 127 characters.
■ timeout seconds—How long the Security Appliance waits between transmission
attempts to the AAA server. The Security Appliance makes four attempts to connect with
the AAA server before trying to connect to the next AAA server in the group. The default
timeout is 5 seconds; the maximum timeout is 30 seconds. Using the default timeout of
5 seconds, the Security Appliance attempts four transmissions, waiting 5 seconds
between each attempt, for a total of 20 seconds.
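The limits listed above (16 servers per group, 15 groups, a key of at most 127 characters, a timeout between the 5-second default and the 30-second maximum, four attempts per server) are easy to get wrong when a configuration is assembled by hand. The following Python script is an added example, not code from the book and not Example 18-1: it parses aaa-server lines of the form shown earlier, reports violations of those documented limits, and computes the worst-case time a user waits while the Security Appliance works through every server in a group. The sample configuration embedded in it is constructed for the example; only 172.16.1.2 comes from the chapter's topology, and the other host addresses, the group names, and the key are placeholders. The regular expressions assume the PIX form of the command, with the interface name in parentheses.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Limits as documented for the aaa-server command on the PIX Firewall
MAX_SERVERS_PER_GROUP = 16
MAX_GROUPS = 15
MAX_KEY_LEN = 127
DEFAULT_TIMEOUT = 5
MAX_TIMEOUT = 30
ATTEMPTS_PER_SERVER = 4
VALID_PROTOCOLS = {"kerberos", "ldap", "nt", "sdi", "tacacs+", "radius"}

# aaa-server server-tag protocol auth-protocol
PROTO_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)\s*$")
# aaa-server server-tag [(if-name)] host server-ip key [timeout seconds]
HOST_RE = re.compile(
    r"^aaa-server\s+(\S+)\s+(?:(\S+)\s+)?host\s+(\S+)\s+(\S+)(?:\s+timeout\s+(\d+))?\s*$"
)


@dataclass
class ServerGroup:
    protocol: str
    hosts: List[dict] = field(default_factory=list)


def parse_aaa_server(text: str) -> Tuple[Dict[str, ServerGroup], List[str]]:
    """Parse aaa-server lines; return the groups found and a list of problems."""
    groups: Dict[str, ServerGroup] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("aaa-server"):
            continue  # other configuration lines are not checked here
        m = PROTO_RE.match(line)
        if m:
            tag, proto = m.group(1), m.group(2).lower()
            if proto not in VALID_PROTOCOLS:
                problems.append(f"line {lineno}: unknown protocol '{proto}'")
            groups[tag] = ServerGroup(protocol=proto)
            continue
        m = HOST_RE.match(line)
        if m:
            tag, ifname, ip, key, timeout = m.groups()
            if tag not in groups:
                problems.append(f"line {lineno}: host for undefined group '{tag}'")
                continue
            t = int(timeout) if timeout else DEFAULT_TIMEOUT
            # The text gives a 30-second maximum; a lower bound of 1 is this example's assumption
            if t < 1 or t > MAX_TIMEOUT:
                problems.append(f"line {lineno}: timeout {t} outside 1..{MAX_TIMEOUT}")
            if len(key) > MAX_KEY_LEN:
                problems.append(f"line {lineno}: key longer than {MAX_KEY_LEN} characters")
            groups[tag].hosts.append({"if": ifname, "ip": ip, "key": key, "timeout": t})
            continue
        problems.append(f"line {lineno}: unrecognized aaa-server syntax")
    if len(groups) > MAX_GROUPS:
        problems.append(f"{len(groups)} groups exceeds the limit of {MAX_GROUPS}")
    for tag, g in groups.items():
        if not g.hosts:
            problems.append(f"group '{tag}' defines no host")
        if len(g.hosts) > MAX_SERVERS_PER_GROUP:
            problems.append(f"group '{tag}' has more than {MAX_SERVERS_PER_GROUP} servers")
    return groups, problems


def worst_case_wait(group: ServerGroup) -> int:
    """Seconds before every server in the group has been tried four times."""
    return sum(ATTEMPTS_PER_SERVER * h["timeout"] for h in group.hosts)


# Constructed sample configuration; not Example 18-1 from the book.
SAMPLE_CONFIG = """\
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 172.16.1.2 placeholderkey timeout 5
aaa-server MYTACACS (inside) host 172.16.1.3 placeholderkey timeout 10
aaa-server MYRADIUS protocol radius
aaa-server MYRADIUS (inside) host 172.16.1.4 placeholderkey timeout 45
"""

if __name__ == "__main__":
    found, issues = parse_aaa_server(SAMPLE_CONFIG)
    for tag, grp in found.items():
        print(f"{tag}: {grp.protocol}, {len(grp.hosts)} server(s), "
              f"worst-case wait {worst_case_wait(grp)} s")
    for issue in issues:
        print("problem:", issue)
```

With one server at the default timeout the worst-case wait is the 20 seconds the text describes; with a second server at 10 seconds a user whose first server is down can wait 60 seconds before the group is exhausted, which is worth knowing before settling on long timeouts.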
For the network example in this chapter, you would enter the syntax shown in Example 18-1.