12-17
ASDM User Guide
OL-12180-01
Chapter 12 Configuring AAA Servers and User Accounts
Identifying AAA Server Groups and Servers
If you choose Detect Automatically, the security appliance attempts to determine the type of
netmask expression used. If it detects a wildcard netmask expression, it converts it to a standard
netmask expression; however, because some wildcard expressions are difficult to detect
unambiguously, this setting may occasionally misinterpret a wildcard netmask expression as a
standard netmask expression.
If you choose Standard, the security appliance assumes downloadable access lists received from
the RADIUS server contain only standard netmask expressions. No translation from wildcard
netmask expressions is performed.
If you choose Wildcard, the security appliance assumes downloadable access lists received from
the RADIUS server contain only wildcard netmask expressions and it converts them all to
standard netmask expressions when the access lists are downloaded.
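The three netmask settings above are easy to get wrong in practice, because two masks, 0.0.0.0 and 255.255.255.255, are valid in both notations and mean opposite things in each (a wildcard 0.0.0.0 is a single host; a standard 0.0.0.0 matches everything). The following Python is an added example, not code from the ASDM guide or the security appliance: it models how each setting interprets the masks in a downloadable ACE and shows the network each ACE then actually matches. The ACE strings are constructed samples; the page does not say how the appliance treats a mask that is invalid after interpretation, so this model simply raises in that case.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_kind(mask: str) -> str:
    """Classify a dotted-quad mask.

    'standard'  : contiguous 1s followed by 0s (e.g. 255.255.255.0)
    'wildcard'  : contiguous 0s followed by 1s (e.g. 0.0.0.255)
    'ambiguous' : 0.0.0.0 or 255.255.255.255, valid in both notations
    'invalid'   : non-contiguous bit pattern
    """
    value = int(ipaddress.IPv4Address(mask))
    if value in (0, ALL_ONES):
        return "ambiguous"
    bits = f"{value:032b}"
    if bits.rstrip("0").count("0") == 0:   # 1...10...0
        return "standard"
    if bits.rstrip("1").count("1") == 0:   # 0...01...1
        return "wildcard"
    return "invalid"


def wildcard_to_standard(mask: str) -> str:
    """Bitwise-invert a wildcard mask into the equivalent standard netmask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _interpret_mask(mask: str, mode: str) -> str:
    """Standard netmask the appliance would keep for `mask` under one of the
    three Downloadable ACL netmask settings (model of the text, not ASA code)."""
    kind = mask_kind(mask)
    if kind == "invalid":
        raise ValueError(f"non-contiguous mask {mask}")
    if mode == "standard":
        return mask                           # no translation at all
    if mode == "wildcard":
        return wildcard_to_standard(mask)     # every mask inverted, ambiguous ones included
    if mode == "auto":
        # Only an unambiguous wildcard pattern is converted; 0.0.0.0 and
        # 255.255.255.255 fall through as standard masks, which is exactly the
        # misinterpretation the guide warns about.
        return wildcard_to_standard(mask) if kind == "wildcard" else mask
    raise ValueError(f"unknown mode {mode}")


def normalize_ace(ace: str, mode: str) -> str:
    """Rewrite the address/mask pairs of one ACE as the appliance would store them."""
    tokens = ace.split()
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "host" and i + 1 < len(tokens):
            out += [tok, tokens[i + 1]]
            i += 2
        elif _is_ipv4(tok) and i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
            out += [tok, _interpret_mask(tokens[i + 1], mode)]
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


def effective_prefixes(ace: str, mode: str) -> list[str]:
    """CIDR blocks the ACE matches once its masks have been interpreted."""
    tokens = normalize_ace(ace, mode).split()
    prefixes, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "host" and i + 1 < len(tokens):
            prefixes.append(f"{tokens[i + 1]}/32")
            i += 2
        elif _is_ipv4(tok) and i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
            mask = tokens[i + 1]
            if mask_kind(mask) not in ("standard", "ambiguous"):
                raise ValueError(f"{mask} is not a usable standard netmask")
            plen = bin(int(ipaddress.IPv4Address(mask))).count("1")
            prefixes.append(str(ipaddress.IPv4Network(f"{tok}/{plen}", strict=False)))
            i += 2
        else:
            i += 1
    return prefixes


if __name__ == "__main__":
    # Constructed sample ACEs, in the form a RADIUS server might download them.
    SAMPLE = [
        "permit ip 10.1.1.0 0.0.0.255 any",
        "permit ip 10.1.1.1 0.0.0.0 any",      # host entry written in wildcard form
        "permit tcp host 10.1.1.1 10.2.0.0 255.255.0.0 eq 22",
    ]
    for ace in SAMPLE:
        for mode in ("auto", "standard", "wildcard"):
            try:
                print(f"{mode:9} {effective_prefixes(ace, mode)}  <- {ace}")
            except ValueError as exc:
                print(f"{mode:9} rejected ({exc})  <- {ace}")
```

The second sample is the case to check for: a host entry that a RADIUS administrator wrote as "10.1.1.1 0.0.0.0" is a single host under Wildcard, but under Detect Automatically the ambiguous mask is kept as a standard mask and the entry permits 0.0.0.0/0. If the RADIUS server emits wildcard masks, set Wildcard explicitly rather than relying on detection.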
TACACS+ Parameters—Specifies the parameters needed for using a TACACS+ server. This area
appears only when the selected server group uses TACACS+.
Server Port—Specifies the server port to use.
Server Secret Key—Specifies the shared secret key used to encrypt traffic to the TACACS+ server. It
must match the key configured on that server. The secret is case-sensitive. The field displays only
asterisks.
SDI Parameters—Specifies the parameters needed for using an SDI server. This area appears only
when the selected server group uses SDI.
Server Port—Specifies the server port to use.
Retry Interval—Specifies the number of seconds to wait before reattempting the connection.
Kerberos Parameters—Specifies the parameters needed for using a Kerberos server. This area
appears only when the selected server group uses Kerberos.
Server Port—Specifies the server port that the Kerberos server listens to.
Retry Interval—Specifies the number of seconds between retry attempts. The range is 1 to 10
seconds.
Kerberos Realm—Specifies the name of the Kerberos realm to use, for example:
USDOMAIN.ACME.COM. The maximum length is 64 characters. The following types of
servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows
XP, and Windows.NET. You must enter this name, and it must be the correct realm name for the
server whose IP address you entered in the Server IP Address field.
LDAP Parameters—Specifies the parameters needed for using an LDAP server. This area appears
only when the selected server group uses LDAP.
Enable LDAP Over SSL—Specifies that SSL secures communications between the security
appliance and the LDAP server. Also called secure LDAP.
Server Port—Specifies the server port to use. Enter the TCP port number by which you access
the server.
Server Type—Lets you manually set the LDAP server type, or lets you specify auto-detection
for server type determination.
Base DN—Specifies the Base DN. Enter the location in the LDAP hierarchy where the server
should begin searching when it receives an authorization request. For example, OU=people,
dc=cisco, dc=com.
Scope—Specifies how far beneath the Base DN the server searches when it receives an
authorization request. One Level searches only the level immediately beneath the Base DN and is
quicker. All Levels searches every level beneath the Base DN, that is, the entire subtree, and takes
more time.
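Base DN and Scope together decide which directory entries an authorization request can ever find, and a user placed in a nested OU simply does not exist to a One Level search. The following Python is an added example, not code from the ASDM guide or from any LDAP library: it models a small directory tree as a dictionary (constructed sample entries under the page's example Base DN), splits DNs on unescaped commas, and applies the two scopes so the difference is visible. Real DN matching has more rules (RFC 4514 escaping, attribute-specific case rules) than this model; the case folding below is an assumption that suits the sample.

```python
import re

# Constructed directory: DN -> attributes. Not taken from any real server.
DIRECTORY = {
    "ou=people,dc=cisco,dc=com": {"objectClass": "organizationalUnit"},
    "uid=jdoe,ou=people,dc=cisco,dc=com": {"uid": "jdoe", "memberOf": "vpn-users"},
    "ou=contractors,ou=people,dc=cisco,dc=com": {"objectClass": "organizationalUnit"},
    "uid=asmith,ou=contractors,ou=people,dc=cisco,dc=com": {"uid": "asmith", "memberOf": "vpn-users"},
    "uid=root,dc=cisco,dc=com": {"uid": "root", "memberOf": "admins"},
}


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on commas that are not escaped with a backslash,
    folding case and surrounding whitespace (assumption: all attributes here
    compare case-insensitively, which holds for ou, dc and uid in the sample)."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn lies beneath base_dn under the given scope.

    'one' : exactly one RDN beneath the base (ASDM "One Level")
    'sub' : any depth beneath the base (ASDM "All Levels")
    The base object itself is excluded in both cases, since an authorization
    search is looking for a user entry, not the container.
    """
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope}")


def search(base_dn: str, scope: str, attr: str, value: str,
           directory: dict = DIRECTORY) -> list[str]:
    """DNs of entries under base_dn/scope whose `attr` equals `value`."""
    return sorted(
        dn for dn, attrs in directory.items()
        if in_scope(dn, base_dn, scope) and attrs.get(attr) == value
    )


if __name__ == "__main__":
    base = "OU=people, dc=cisco, dc=com"   # the Base DN example from the guide
    for uid in ("jdoe", "asmith", "root"):
        for scope in ("one", "sub"):
            print(f"{uid:7} {scope:4} -> {search(base, scope, 'uid', uid)}")
```

With the Base DN from the guide, jdoe is found under either scope, asmith (one OU deeper) only under All Levels, and root (outside the Base DN) under neither. Choose the Base DN and scope deliberately: a broad base with All Levels is the easiest to operate, but a narrow base is also a way to keep accounts outside a particular container from ever being authorized by this appliance.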