Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 35 Configuring AAA Servers and the Local Database
Configuring AAA
Examples
Example 35-1 shows how to add one TACACS+ group with one primary and one backup server, one
RADIUS group with a single server, and an NT domain server.
Example 35-1 Multiple AAA Server Groups and Servers
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.2
hostname(config-aaa-server-host)# key TACPlusUauthKey2
hostname(config-aaa-server-host)# exit
Table 35-2 Host Mode Commands, Server Types, and Defaults (continued)

Command                    Applicable AAA Server Types  Default Value   Description
ldap-login-password        LDAP                         —
ldap-naming-attribute      LDAP                         —               If not set, the ASA uses sAMAccountName for LDAP requests.
ldap-over-ssl              LDAP                         636             Whether using SASL or plain text, you can secure communications between the ASA and the LDAP server with SSL. If you do not configure SASL, we strongly recommend that you secure LDAP communications with SSL.
ldap-scope                 LDAP                         —
mschapv2-capable           RADIUS                       enabled
nt-auth-domain-controller  NT                           —
radius-common-pw           RADIUS                       —
retry-interval             Kerberos                     10 seconds
                           RADIUS                       10 seconds
                           SDI                          10 seconds
sasl-mechanism             LDAP                         —
server-port                Kerberos                     88
                           LDAP                         389
                           NT                           139
                           SDI                          5500
                           TACACS+                      49
server-type                LDAP                         auto-discovery  If auto-detection fails to determine the LDAP server type, and you know the server is either a Microsoft, Sun or generic LDAP server, you can manually configure the server type.
timeout                    All                          10 seconds
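The LDAP host-mode commands from Table 35-2 applied to a single server, as an added example that is not from the guide. The group name, interface, address, DNs and bind password are placeholders, and ldap-base-dn and ldap-login-dn are host-mode commands from the part of the table that precedes this page.

```cisco
! Added example (not from the guide): one LDAP server group with a single host
! that uses the secured settings from Table 35-2. Names, addresses and DNs are placeholders.
hostname(config)# aaa-server LDAPAuth protocol ldap
hostname(config-aaa-server-group)# max-failed-attempts 3
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 10
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server LDAPAuth (inside) host 10.1.1.10
! LDAP over SSL on its default port 636; the guide recommends SSL whenever SASL is not configured
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)# server-port 636
! Search base, scope and bind credentials (ldap-base-dn and ldap-login-dn are listed
! earlier in Table 35-2, on the page before this one)
hostname(config-aaa-server-host)# ldap-base-dn dc=example,dc=com
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
hostname(config-aaa-server-host)# ldap-login-password BindPassword
! Explicit server type and naming attribute (the defaults are auto-discovery and sAMAccountName)
hostname(config-aaa-server-host)# server-type microsoft
hostname(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
! Per-host timeout (default 10 seconds for all server types)
hostname(config-aaa-server-host)# timeout 10
hostname(config-aaa-server-host)# exit
```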