Specifying Your AAA Servers
Only two components are required to build an AAA solution:
■ AAA server
■ Network access server (NAS)
It is possible to divide the AAA functions among multiple devices to reduce the processing
required by any single server. It is also possible for a single AAA server to support multiple
NASs. The point is that there is no single solution. The number of AAA servers and NASs
should be tailored to support the size and scope of the network being accessed.

Configuring the Security Appliance to connect to an AAA server requires only a few commands. Of
course, quite a few options are available with each command. In this exercise, a Security
Appliance, in this case a PIX Firewall, is configured to connect to a Cisco Secure ACS located
on the DMZ segment. Figure 18-1 depicts the network configuration used for the examples
in this chapter. Note that the Cisco Secure ACS is located on a DMZ segment rather than on
the inside or outside segments. This allows you to restrict access to the Cisco Secure ACS
from either segment, making the system more secure.
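
The commands involved can be sketched as follows. This is an added example, not a configuration from this chapter. The group tag ACS_TACACS, the interface name dmz, the ACL name inside_in, the choice of TACACS+, and all addresses (documentation ranges) are assumptions, and the single-line host form with key and timeout is the PIX 6.x-style syntax.

```cisco
! Added illustration; every name and address below is a constructed placeholder.
! Assumed: DMZ interface is named "dmz", ACS at 192.0.2.10,
!          admin workstation on the inside at 198.51.100.25.

! 1. Define a server group and the protocol it speaks (TACACS+ assumed here).
aaa-server ACS_TACACS protocol tacacs+

! 2. Add the ACS to the group, reached through the dmz interface.
!    <shared-secret> must match the key configured for this NAS on the ACS.
aaa-server ACS_TACACS (dmz) host 192.0.2.10 <shared-secret> timeout 10

! 3. Restrict the inside segment: only the admin workstation may open
!    connections to the ACS; other inside hosts are denied to that one
!    address, and the final permit leaves all other inside traffic unchanged.
access-list inside_in permit tcp host 198.51.100.25 host 192.0.2.10
access-list inside_in deny ip any host 192.0.2.10
access-list inside_in permit ip any any
access-group inside_in in interface inside
```

The interface ACL governs traffic passing through the firewall, so it limits which inside hosts can reach the ACS without affecting the AAA requests the firewall itself sends to it. As long as no static translation and permit entry for the ACS exist on the outside interface, outside hosts cannot initiate connections to it.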