Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 38 Configuring AAA Servers and the Local Database
Configuring AAA
• NT Domain
• Kerberos
• LDAP
• HTTP Form
Step 5 In the Accounting Mode field, click the radio button for the mode you want to use (Simultaneous or
Single).
In Single mode, the ASA sends accounting data to only one server.
In Simultaneous mode, the ASA sends accounting data to all servers in the group.
Note This option is not available for the following protocols: HTTP Form, SDI, NT, Kerberos, and
LDAP.
Step 6 In the Reactivation Mode field, click the radio button for the mode you want to use (Depletion or
Timed).
In Depletion mode, failed servers are reactivated only after all of the servers in the group are inactive.
In Timed mode, failed servers are reactivated after 30 seconds of down time.
Step 7 If you chose the Depletion reactivation mode, enter a time interval in the Dead Time field.
The Dead Time is the duration of time, in minutes, that elapses between the disabling of the last server
in a group and the subsequent reenabling of all servers.
Step 8 In the Max Failed Attempts field, add the number of failed attempts allowed.
This option sets the number of failed connection attempts allowed before declaring a nonresponsive
server to be inactive.
Step 9 (Optional) If you are adding a RADIUS server type, perform the following steps:
a. Check the Enable interim accounting update check box if you want to enable multi-session
accounting for clientless SSL and AnyConnect sessions.
b. Check the Enable Active Directory Agent Mode check box to specify the shared secret between
the ASA and the AD agent and indicate that a RADIUS server group includes AD agents that are
not full-function RADIUS servers. Only a RADIUS server group that has been configured using this
option can be associated with user identity.
c. Click the VPN3K Compatibility Option down arrow to expand the list, and click one of the
following radio buttons to specify whether or not a downloadable ACL received from a RADIUS
packet should be merged with a Cisco AV pair ACL:
– Do not merge
– Place the downloadable ACL after Cisco AV-pair ACL
– Place the downloadable ACL before Cisco AV-pair ACL
Step 10 Click OK.
The Add AAA Server Group dialog box closes, and the new server group is added to the AAA Server
Groups table.
Step 11 In the AAA Server Groups dialog box, click Apply to save the changes.
The changes are saved to the running configuration.
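The following is an added example, not Cisco code or part of the original guide: a simplified Python model of how the Reactivation Mode, Dead Time and Max Failed Attempts settings from Steps 6 through 8 interact, so the availability effect of each choice can be checked before applying it. The class and function names are hypothetical, and the model assumes a server becomes inactive once its failure count reaches the Max Failed Attempts value.

```python
from dataclasses import dataclass
from typing import List, Optional

TIMED_REACTIVATION_S = 30  # Timed mode: 30 seconds of down time (per the guide)

@dataclass
class Server:
    name: str
    failures: int = 0
    down_since: Optional[float] = None  # None means the server is active

@dataclass
class ServerGroup:
    servers: List[Server]
    mode: str = "depletion"        # Reactivation Mode: "depletion" or "timed"
    dead_time_min: int = 10        # Dead Time in minutes (depletion only)
    max_failed_attempts: int = 3   # Max Failed Attempts
    all_down_since: Optional[float] = None

    def _reactivate(self, now: float) -> None:
        if self.mode == "timed":
            due = [s for s in self.servers if s.down_since is not None
                   and now - s.down_since >= TIMED_REACTIVATION_S]
        elif (self.all_down_since is not None
              and now - self.all_down_since >= self.dead_time_min * 60):
            due, self.all_down_since = list(self.servers), None
        else:
            due = []
        for s in due:
            s.down_since, s.failures = None, 0

    def active(self, now: float) -> List[str]:
        """Names of servers the group would still try at time `now` (seconds)."""
        self._reactivate(now)
        return [s.name for s in self.servers if s.down_since is None]

    def record_failure(self, name: str, now: float) -> None:
        """Count one failed attempt; mark the server inactive at the limit (assumed >=)."""
        s = next(x for x in self.servers if x.name == name)
        if s.down_since is not None:
            return
        s.failures += 1
        if s.failures >= self.max_failed_attempts:
            s.down_since = now
            if all(x.down_since is not None for x in self.servers):
                self.all_down_since = now  # last server disabled: dead time starts

def fail_out(group: ServerGroup, name: str, now: float) -> None:
    """Helper: drive one server to inactive with consecutive failures."""
    for _ in range(group.max_failed_attempts):
        group.record_failure(name, now)
```

In this model a failed primary in Depletion mode stays unused for as long as any other server in the group keeps answering, while in Timed mode it is retried after 30 seconds.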