6-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding AAA Server and Server Group Objects
• TACACS+—Terminal Access Controller Access Control System (TACACS+) is a security
application that provides centralized validation of users attempting to gain access to a router or
network access server. The goal of TACACS+ is to provide a methodology for managing multiple
network access points from a single management service.
TACACS+ provides for separate and modular authentication, authorization, and accounting
facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide
each service independently.
• LDAP—Lightweight Directory Access Protocol (LDAP). The use of LDAP servers is specific to
certain policies. For example, identity firewall configurations on ASA, VPN configurations on ASA,
and ScanSafe configurations on IOS devices. For more information on using LDAP on ASA, see
Additional AAA Support on ASA, PIX, and FWSM Devices, page 6-26.
Related Topics
• Additional AAA Support on ASA, PIX, and FWSM Devices, page 6-26
• Creating AAA Server Objects, page 6-29
• Understanding AAA Server and Server Group Objects, page 6-24
Additional AAA Support on ASA, PIX, and FWSM Devices
In addition to supporting RADIUS and TACACS+, ASA, PIX 7.0+, and FWSM 3.1+ devices can support
AAA servers running the following protocols. For more information, see the explanation of AAA usage
in the configuration guides for the device type and operating system version that interests you.
• Kerberos—These devices can use Kerberos servers for authentication. 3DES, DES, and RC4
encryption types are supported.
• NT—These devices can use Windows Domain servers for NTLMv1 authentication.
• SDI Servers—SecureID servers from RSA Security, Inc. are known as SDI servers. When a user
attempts to establish VPN access and the applicable tunnel-group policy specifies an SDI
authentication server group, the ASA device sends the username and one-time password to the SDI
server. The device then grants or denies user access based on the response from the server. Version
5.0 of SDI introduced the concept of SDI master and slave servers that share a single-node secret
file (SECURID). As a result, when you configure an SDI server as a AAA server object, you must
specify whether the server is version 5.0 or an earlier version.
• LDAP—These devices can use Lightweight Directory Access Protocol (LDAP) servers for VPN
authorization and user group identification for identity-aware firewall policies. These devices
support LDAP version 3 and are compatible with any v3 or v2 directory server. However, password
management is supported only on the Sun Microsystems JAVA System Directory Server and the
Microsoft Active Directory.
With any other type of LDAP server (such as Novell or OpenLDAP), all LDAP functions are
supported except for password management. Therefore, if someone tries to log in to one of these
devices using one of these other servers for authentication and their password has expired, the device
drops the connection and a manual password reset is required.
You can configure Simple Authentication and Security Layer (SASL) mechanisms to authenticate
an LDAP client (in this case, the ASA, PIX, or FWSM device) to an LDAP server. These devices
and LDAP servers can support multiple mechanisms. If both mechanisms (MD5 and Kerberos) are
available, the ASA, PIX, or FWSM device uses the stronger mechanism, Kerberos, for
authentication.