Defining the AAA Server
Feb 06, 2010 00:00
by alperen
Use the configuration mode aaa-server commands to specify AAA server groups. AAA server groups are defined by a tag name. If the first authentication server defined in the group fails, AAA fails over to the next server in the tag group. There can be up to 14 tag groups, and each group can have up to 14 AAA servers, for a total of up to 196 AAA servers.

Creating a Server Group (Optional)

The following command creates a server group, assigns a name (server_tag) to the group and, most important, specifies which protocol is used by the group. Use the clear aaa-server command to remove a named server group. The syntax is
This command is optional because three default server groups are defined on the PIX Firewall in v6.2 that can be used. The show aaa-server command shows the default groups.

Pix(config)# show aaa-server

Notice the group name (tag) is nothing more than the protocol name. This provides backward compatibility with older OS versions. Another group should only be created if several AAA servers exist and it would help to keep their functions straight. The LOCAL group was added in version 6.2 and can be used for authentication and command authorization. This new feature is covered in the next section.

The following output shows creating separate TACACS+ server groups for inbound and outbound traffic, plus a RADIUS group for accounting functions. The server tags are up to the administrator, but should be descriptive. The server tags are case sensitive.

Pix(config)# aaa-server TacIn protocol tacacs+

The remaining AAA commands use the group tag to identify which group of servers will perform the AAA function.

Defining the Server Group

The next command defines the connecting PIX interface, server IP address, an optional encryption key shared with the AAA server, and an optional retransmit timer. The default interface is (inside). If more than one server is defined in the group, they'll be used in order of entry. This command doesn't verify the existence of the server(s). Use the no form of the command to remove the server from the group. The syntax is
This example demonstrates the importance of case. The first command, show aaa-server, displays the default groups. Lines 5 and 6 show an attempt to assign a server to each of the default server groups (TACACS+ and RADIUS). The next show aaa-server command reveals that two new groups were created and they both use the tacacs+ protocol.

Pix(config)# show aaa-server

The following example creates the RadIn and TacOut server groups and defines two inside servers to each. From the previous example, you know Line 1 is necessary, but Line 4 could be omitted.

Pix(config)# aaa-server RadIn protocol radius
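The following is an added configuration example, not part of the original page, that ties the two aaa-server commands together: it creates the groups, binds ordered servers to them so the failover described above has something to fail over to, and shows the case-sensitivity mistake beside its cleanup. The command form aaa-server tag (if_name) host ip [key] [timeout seconds] is assumed from the PIX 6.2 command reference, since the page's own syntax lines are missing; the tag names, addresses and shared keys are constructed placeholders.

```cisco
! Added example, not from the original page. Tags, addresses and keys are constructed.
!
! 1. Create the groups. The tag names the group; the protocol binds it to a server type.
aaa-server TacIn protocol tacacs+
aaa-server TacOut protocol tacacs+
aaa-server RadAcct protocol radius
!
! 2. Bind servers to each group. (inside) is the default interface and could be omitted.
!    Servers are used in order of entry: if 10.1.1.10 stops answering, AAA fails over
!    to 10.1.1.11. The key is the secret shared with that server; "timeout 5" is the
!    retransmit timer in seconds. The PIX does not verify that these hosts exist.
aaa-server TacIn (inside) host 10.1.1.10 TacKeyIn1 timeout 5
aaa-server TacIn (inside) host 10.1.1.11 TacKeyIn2 timeout 5
aaa-server TacOut (inside) host 10.1.1.20 TacKeyOut timeout 5
aaa-server RadAcct (inside) host 10.1.1.30 RadKeyAcct timeout 10
!
! 3. Case pitfall, shown for contrast. Tags are case sensitive, so this line does NOT
!    add a server to the default "tacacs+" group; it creates a new group named "TACACS+".
!    Check "show aaa-server" after every change instead of assuming the default group was used.
aaa-server TACACS+ (inside) host 10.1.1.40 WrongCaseKey
!
! 4. Cleanup: the no form removes one server from its group; clear removes the whole group.
no aaa-server TACACS+ (inside) host 10.1.1.40 WrongCaseKey
clear aaa-server TACACS+
!
! 5. Confirm the result: the three default groups plus TacIn, TacOut and RadAcct remain.
show aaa-server
```

Each group stays under the limits the page states (14 servers per group, 14 groups), and every later aaa command refers to servers only through the tag, so a mistyped tag such as TACACS+ would otherwise leave that command pointing at a group with no working server.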