Inhaltszusammenfassung zur Seite Nr. 1
CHAPTER12
Configuring AAA Servers and User Accounts
This chapter describes support for AAA (pronounced “triple A”) and how to configure AAA servers and
the local database.
This chapter contains the following sections:
• AAA Overview, page 12-1
• AAA Server and Local Database Support, page 12-2
• Configuring the Local Database, page 12-7
• Identifying AAA Server Groups and Servers, page 12-12
• Configuring an Authentication Prompt, page 12-20
• Configuring an LDAP Attribute Map, page 12-21
AAA Ov
Inhaltszusammenfassung zur Seite Nr. 2
Chapter 12 Configuring AAA Servers and User Accounts AAA Server and Local Database Support • All administrative connections to the security appliance including the following sessions: – Telnet – SSH – Serial console – ASDM (using HTTPS) – VPN management access • The enable command • Network access • VPN access About Authorization Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items: • Management commands
Inhaltszusammenfassung zur Seite Nr. 3
Chapter 12 Configuring AAA Servers and User Accounts AAA Server and Local Database Support • RADIUS Server Support, page 12-3 • TACACS+ Server Support, page 12-4 • SDI Server Support, page 12-4 • NT Server Support, page 12-5 • Kerberos Server Support, page 12-5 • LDAP Server Support, page 12-5 • SSO Support for Clientless SSL VPN with HTTP Forms, page 12-6 • Local Database Support, page 12-6 Summary of Support Table 12-1 summarizes the support for each AAA service by each AAA server type,
Inhaltszusammenfassung zur Seite Nr. 4
Chapter 12 Configuring AAA Servers and User Accounts AAA Server and Local Database Support This section contains the following topics: • Authentication Methods, page 12-4 • Attribute Support, page 12-4 • RADIUS Authorization Functions, page 12-4 Authentication Methods The security appliance supports the following authentication methods with RADIUS: • PAP—For all connection types. • CHAP—For L2TP-over-IPSec. • MS-CHAPv1—For L2TP-over-IPSec. • MS-CHAPv2—For L2TP-over-IPSec, and for regular
Inhaltszusammenfassung zur Seite Nr. 5
Chapter 12 Configuring AAA Servers and User Accounts AAA Server and Local Database Support • Two-step Authentication Process, page 12-5 • SDI Primary and Replica Servers, page 12-5 SDI Version Support The security appliance supports SDI Version 5.0 and 6.0. SDI uses the concepts of an SDI primary and SDI replica servers. Each primary and its replicas share a single node secret file. The node secret file has its name based on the hexadecimal value of the ACE/Server IP address with .sdi app
Inhaltszusammenfassung zur Seite Nr. 6
Chapter 12 Configuring AAA Servers and User Accounts AAA Server and Local Database Support LDAP Server Support This section describes using an LDAP directory with the security appliance for user authentication and VPN authorization. During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and authenticates to the LDAP server in either plain text or using the Simple Authentication and Security Layer (SASL) protocol. By default, the security appl
Inhaltszusammenfassung zur Seite Nr. 7
Chapter 12 Configuring AAA Servers and User Accounts Configuring the Local Database User Profiles User profiles contain, at a minimum, a username. Typically, a password is assigned to each username, although passwords are optional. You can add other information to a specific user profile. The information you can add includes VPN-related attributes, such as a VPN session timeout value. Fallback Support The local database can act as a fallback method for several functions. This behavior is
Inhaltszusammenfassung zur Seite Nr. 8
Chapter 12 Configuring AAA Servers and User Accounts Configuring the Local Database User Accounts The User Accounts pane lets you manage the local user database. The local database is used for the following features: • ASDM per-user access By default, you can log into ASDM with a blank username and the enable password (see Device Name/Password, page 10-12). However, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local data
Inhaltszusammenfassung zur Seite Nr. 9
Chapter 12 Configuring AAA Servers and User Accounts Configuring the Local Database • VPN Group Lock—Specifies what, if any, group lock policy is in effect for this user. Not available in multimode. • Add—Displays the Add User Account dialog box. • Edit—Displays the Edit User Account dialog box. • Delete—Removes the selected row from the table. There is no confirmation or undo. Modes The following table shows the modes in which this feature is available: Firewall Mode Security Context Mul
Inhaltszusammenfassung zur Seite Nr. 10
Chapter 12 Configuring AAA Servers and User Accounts Configuring the Local Database Privilege Level—Selects the privilege level for this user to use with local command authorization. The range is 0 (lowest) to 15 (highest). See the “Configuring Local Command Authorization” section on page 13-31 for more information. – CLI login prompt for SSH, Telnet and console (no ASDM access)—If you configure authentication for management access using the local database (see the “Configuring Authentica
Inhaltszusammenfassung zur Seite Nr. 11
Chapter 12 Configuring AAA Servers and User Accounts Configuring the Local Database L2TP over IPSec—Allows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks. Note If no protocol is selected, an error message appears. • Filter—Specifies what filter to use, or whether to inherit the value from the group policy. Filters consist of rul
Inhaltszusammenfassung zur Seite Nr. 12
Chapter 12 Configuring AAA Servers and User Accounts Identifying AAA Server Groups and Servers – Subnet Mask list—Specifies the subnet mask for the Dedicated IP address. Check the Group Lock check box to restrict users to remote access through this group only. Group Lock restricts users by checking if the group configured in the VPN client is the same as the user’s assigned group. If it is not, the VPN Concentrator prevents the user from connecting. If this box is unchecked (the default),
Inhaltszusammenfassung zur Seite Nr. 13
Chapter 12 Configuring AAA Servers and User Accounts Identifying AAA Server Groups and Servers If AAA accounting is in effect, the accounting information goes only to the active server, unless you have configured simultaneous accounting. For an overview of AAA services, see the “AAA Overview” section on page 12-1. Fields The fields in the AAA Server Groups pane are grouped into two main areas: the AAA Server Groups area and the Servers In The Selected Group area. The AAA Server Groups are
Inhaltszusammenfassung zur Seite Nr. 14
Chapter 12 Configuring AAA Servers and User Accounts Identifying AAA Server Groups and Servers • Delete—Removes the selected AAA server from the list. • Move up—Moves the selected AAA server up in the AAA sequence. • Move down—Moves the selected AAA server back in the AAA sequence. • Test—Displays the Test AAA Server dialog box. Modes The following table shows the modes in which this feature is available: Firewall Mode Security Context Multiple Routed Transparent Single Context System 1 •
Inhaltszusammenfassung zur Seite Nr. 15
Chapter 12 Configuring AAA Servers and User Accounts Identifying AAA Server Groups and Servers Modes The following table shows the modes in which this feature is available: Firewall Mode Security Context Multiple Routed Transparent Single Context System 1 •• •• — 1. HTTP Form and Clientless SSL VPN are supported only in single routed mode. Edit AAA Local Server Group The Edit AAA Local Server Group dialog box lets you specify whether to enable local user lockout and the maximum number of
Inhaltszusammenfassung zur Seite Nr. 16
Chapter 12 Configuring AAA Servers and User Accounts Identifying AAA Server Groups and Servers • Server Name or IP Address—Specifies the name or IP address of the AAA server. • Timeout—Specifies the timeout interval, in seconds. This is the time after which the security appliance gives up on the request to the primary AAA server. If there is a standby AAA server, the security appliance sends the request to the backup server. • RADIUS Parameters area—Specifies the parameters needed for usi
Inhaltszusammenfassung zur Seite Nr. 17
Chapter 12 Configuring AAA Servers and User Accounts Identifying AAA Server Groups and Servers If you choose Detect Automatically, the security appliance attempts to determine the type of netmask expression used. If it detects a wildcard netmask expression, it converts it to a standard netmask expression; however, because some wildcard expressions are difficult to detect unambiguously, this setting may occasionally misinterpret a wildcard netmask expression as a standard netmask expressio
Inhaltszusammenfassung zur Seite Nr. 18
Chapter 12 Configuring AAA Servers and User Accounts Identifying AAA Server Groups and Servers – Naming Attribute(s)—Specifies the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid). – Login DN—Specifies the login DN. Some LDAP servers (including the Microsoft Active Directory server) require the security appliance to establish a handshake via authenticated binding befo
Inhaltszusammenfassung zur Seite Nr. 19
Chapter 12 Configuring AAA Servers and User Accounts Identifying AAA Server Groups and Servers – Start URL—Specifies the complete URL of the authenticating web server location where a pre-login cookie can be retrieved. This parameter must be configured only when the authenticating web server loads a pre-login cookie with the login page. A drop-down list offers both HTTP and HTTPS. The maximum number of characters is 1024, and there is no minimum. – Action URI—Specifies the complete Unifor
Inhaltszusammenfassung zur Seite Nr. 20
Chapter 12 Configuring AAA Servers and User Accounts Configuring an Authentication Prompt Tip Checking for basic network connectivity to the AAA server may save you time in troubleshooting. To test basic connectivity, click Tools > Ping. Fields • AAA Server Group—Display only. Shows the AAA server group that the selected AAA server belongs to. • Host —Display only. Shows the hostname of the AAA server you selected. • Authorization—Specifies that ASDM tests authorizing a user with the sele