12-16
ASDM User Guide
OL-12180-01
Chapter 12 Configuring AAA Servers and User Accounts
Identifying AAA Server Groups and Servers
• Server Name or IP Address—Specifies the name or IP address of the AAA server.
• Timeout—Specifies the timeout interval, in seconds. This is the time after which the security
appliance gives up on the request to the primary AAA server. If there is a standby AAA server, the
security appliance sends the request to the backup server.
• RADIUS Parameters area—Specifies the parameters needed for using a RADIUS server. This area
appears only when the selected server group uses RADIUS.
– Retry Interval—Specifies the number of seconds to wait after sending a query to the server and receiving no response, before reattempting the connection. The minimum time is 1 second. The default time is 10 seconds. The maximum time is 10 seconds.
– Server Authentication Port—Specifies the server port to use for user authentication. The default port is 1645.
Note The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to
change this default value to 1812.
– Server Accounting Port—Specifies the server port to use for user accounting. The default port is 1646.
– Server Secret Key—Specifies the server secret key (also called the shared secret) to use for encryption; for example: C8z077f. The secret is case-sensitive. The security appliance uses the server secret to authenticate to the RADIUS server. The server secret you configure here should match the one configured on the RADIUS server. If you do not know the server secret for the RADIUS server, ask the administrator of the RADIUS server. The maximum field length is 64 characters.
– Common Password—Specifies the common password for the group. The password is case-sensitive. If you are defining a RADIUS server to be used for authentication rather than authorization, do not provide a common password.
A RADIUS authorization server requires a password and username for each connecting user.
You enter the password here. The RADIUS authorization server administrator must configure
the RADIUS server to associate this password with each user authorizing to the server via this
security appliance. Be sure to provide this information to your RADIUS server administrator.
Enter a common password for all users who are accessing this RADIUS authorization server
through this security appliance.
If you leave this field blank, each user's password will be his or her own username. For example, a user with the username “jsmith” would enter “jsmith”. As a security precaution, never use a RADIUS authorization server for authentication. Use of a common password, or of usernames as passwords, is much less secure than strong per-user passwords.
Note The password field is required by the RADIUS protocol and the RADIUS server requires it;
however, users do not need to know it.
– ACL Netmask Convert—Specifies how the security appliance handles netmasks received in downloadable access lists. The security appliance expects downloadable access lists to contain standard netmask expressions, whereas Cisco Secure VPN 3000 series concentrators expect downloadable access lists to contain wildcard netmask expressions, which are the bitwise reverse of a standard netmask expression. A wildcard mask has ones in the bit positions to ignore and zeros in the bit positions to match. The ACL Netmask Convert list helps minimize the effect of these differences on how you configure downloadable access lists on your RADIUS servers.
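The conversion that the ACL Netmask Convert setting describes, as an added Python example that is not part of the ASDM guide or the appliance: it inverts a mask between the standard and wildcard conventions, classifies a mask (including the two masks that fit both conventions and so cannot be auto-detected), and normalizes a constructed downloadable ACE. The ACE token format and the 'auto' handling are assumptions made here for illustration.

```python
import ipaddress
# Added example, not from the ASDM guide: standard mask = ones then zeros
# (255.255.255.0); wildcard mask = its bitwise inverse (0.0.0.255).

def _looks_like_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def _ones_then_zeros(value: int) -> bool:
    # True when the 32-bit pattern is 1...10...0 (no '0' followed by a '1').
    return "01" not in format(value, "032b")

def to_wildcard(netmask: str) -> str:
    """Standard netmask -> wildcard mask: bitwise NOT of the 32-bit value."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))

to_netmask = to_wildcard  # the inversion is symmetric, so the same function converts back

def classify_mask(mask: str) -> str:
    """Return 'standard', 'wildcard', 'ambiguous' or 'noncontiguous'.
    0.0.0.0 and 255.255.255.255 fit both conventions, so no detector can tell
    them apart by inspection; there an explicit convention setting matters."""
    value = int(ipaddress.IPv4Address(mask))
    std, wild = _ones_then_zeros(value), _ones_then_zeros(value ^ 0xFFFFFFFF)
    if std and wild:
        return "ambiguous"
    if std:
        return "standard"
    if wild:
        return "wildcard"
    return "noncontiguous"

def normalize_ace(ace: str, convention: str) -> str:
    """Rewrite the masks of one downloadable ACE ('permit ip <addr> <mask> ...',
    a constructed format) to standard netmasks. convention: 'standard' leaves
    masks alone, 'wildcard' inverts every mask, 'auto' inverts only masks that
    classify as unambiguously wildcard."""
    out, prev_is_addr = [], False
    for tok in ace.split():
        is_addr = _looks_like_ipv4(tok)
        if is_addr and prev_is_addr:  # second dotted quad in a row is a mask
            if convention == "wildcard" or (
                convention == "auto" and classify_mask(tok) == "wildcard"):
                tok = to_netmask(tok)
            is_addr = False  # a mask does not start a new address/mask pair
        out.append(tok)
        prev_is_addr = is_addr
    return " ".join(out)
```

Under 'auto', a mask such as 0.0.0.0 is left untouched because it is equally valid in both conventions; that is exactly why the setting offers an explicit choice rather than relying on detection alone.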