Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 38 Configuring AAA Servers and the Local Database
  – Enabled by the authentication server group setting in the tunnel group (also called ASDM Connection Profile)
  – Uses the username and password as credentials
• Authorization
  – Enabled by the authorization server group setting in the tunnel group (also called ASDM Connection Profile)
  – Uses the username as a credential
Using Certificates
If user digital certificates are configured, the ASA first validates the certificate. It does not, however, use any of the DNs from the certificate as a username for authentication.
If both authentication and authorization are enabled, the ASA uses the user login credentials for both user authentication and authorization.
• Authentication
  – Enabled by the authentication server group setting
  – Uses the username and password as credentials
• Authorization
  – Enabled by the authorization server group setting
  – Uses the username as a credential
If authentication is disabled and authorization is enabled, the ASA uses the primary DN field for authorization.
• Authentication
  – DISABLED (set to None) by the authentication server group setting
  – No credentials used
• Authorization
  – Enabled by the authorization server group setting
  – Uses the username value of the certificate primary DN field as a credential
Note: If the primary DN field is not present in the certificate, the ASA uses the secondary DN field value as the username for the authorization request.
For example, consider a user certificate that includes the following Subject DN fields and values:
Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com
If the Primary DN = EA (E-mail Address) and the Secondary DN = CN (Common Name), then the username used in the authorization request would be anyuser@example.com.
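The following Python snippet is an added illustration of the primary/secondary DN selection rule described above; it is not code from the Cisco guide and does not reproduce ASA internals. It parses the guide's sample Subject DN and returns the value the authorization request would carry for a given Primary DN and Secondary DN setting, falling back to the secondary field when the primary is absent. The behaviour when neither field is present (returning None) is an assumption for the example; the guide does not describe that case.

```python
# Added example: model of how the ASA picks the authorization username from a
# user certificate's Subject DN when authentication is disabled and
# authorization is enabled (primary DN field, else secondary DN field).
import re
from typing import Dict, Optional

# Sample Subject DN copied from the guide's example (constructed test input).
SAMPLE_SUBJECT_DN = (
    "Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;"
    "ea=anyuser@example.com"
)


def parse_subject_dn(dn: str) -> Dict[str, str]:
    """Split a Subject DN string into a map keyed by upper-cased attribute type.

    The guide's example mixes ',' and ';' as separators, so both are accepted.
    X.500 attribute types are case-insensitive, hence the upper-casing
    ("Cn" and "ea" become "CN" and "EA").
    """
    fields: Dict[str, str] = {}
    for rdn in re.split(r"[;,]", dn):
        rdn = rdn.strip()
        if not rdn or "=" not in rdn:
            continue  # skip empty or malformed components
        attr_type, value = rdn.split("=", 1)
        fields[attr_type.strip().upper()] = value.strip()
    return fields


def authorization_username(
    dn: str, primary_dn: str, secondary_dn: Optional[str] = None
) -> Optional[str]:
    """Return the username the ASA would send in the authorization request.

    Rule from the guide: use the configured primary DN field; if that field
    is not present in the certificate, use the secondary DN field instead.
    Returning None when neither is present is an assumption of this example.
    """
    fields = parse_subject_dn(dn)
    value = fields.get(primary_dn.upper())
    if value is None and secondary_dn:
        value = fields.get(secondary_dn.upper())
    return value


if __name__ == "__main__":
    # Guide's case: Primary DN = EA, Secondary DN = CN.
    print(authorization_username(SAMPLE_SUBJECT_DN, "EA", "CN"))
    # Fallback case: primary field (UID) absent, so CN is used.
    print(authorization_username(SAMPLE_SUBJECT_DN, "UID", "CN"))
```

Running the module prints anyuser@example.com for the guide's configuration and anyuser when the primary field is missing and the secondary is CN, which is the fallback the Note describes.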
Licensing Requirements for AAA Servers