Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding AAA Server and Server Group Objects
Predefined AAA Authentication Server Groups
There are several predefined AAA server groups that define an authentication method without specifying
particular AAA servers. In policies such as IPSec proposals, you can use these predefined server groups
to define the types of AAA authentication to perform and the order in which to perform them.
Table 6-6 on page 6-28 describes the predefined AAA authentication server groups.
Related Topics
Creating AAA Server Group Objects, page 6-45
Default AAA Server Groups and IOS Devices, page 6-28
Understanding AAA Server and Server Group Objects, page 6-24
Default AAA Server Groups and IOS Devices
IOS software enables you to define AAA servers either as members of AAA server groups or as
individual servers. Security Manager, however, requires all AAA servers to belong to a AAA server
group.
Therefore, when you discover an IOS device whose device configuration contains individual AAA
servers that do not belong to a AAA server group, Security Manager creates the following server groups
to contain these servers:
For RADIUS: CSM-rad-grp

Table 6-6 Predefined AAA Authentication Server Groups

| Name | Description |
|------|-------------|
| Enable | Uses the enable password defined on the device for authentication. |
| KRB5, KRB5-Telnet | Uses Kerberos 5 for authentication. Use KRB5-Telnet when using Telnet to connect. For Cisco IOS routers, you can use Kerberos 5 client configuration only on selected platforms running IOS Software versions that support this protocol. Server configuration is not supported. The device must include an Advanced series feature set (k9 crypto image). |
| If-Authenticated | Uses the if-authenticated method, which allows the user to access the requested function if the user is authenticated. |
| Line | Uses the line password defined on the device for authentication. |
| Local, Local-case | Uses the local username database (defined on the device) for authentication. Use Local-case if you want the login to be case-sensitive. |
| None | Uses no authentication. |
| RADIUS, TACACS+ | Use RADIUS or TACACS+ authentication. (Does not apply to Cisco IOS routers.) These AAA server groups do not contain any AAA servers. To use one of them when defining a policy, you must create a device-level override and define the AAA servers to associate with the group. For more information, see Creating or Editing Object Overrides for a Single Device, page 6-18. |
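
Because the groups in Table 6-6 set both the type of authentication and the order in which methods are tried, a method list that contains None, or that relies on the Enable or Line password, is worth flagging in review. The following audit is an added example, not part of the Cisco guide; it assumes the methods appear as keywords on IOS `aaa authentication login` lines in a deployed configuration, and the list names and sample configuration are constructed.

```python
import re

# Table 6-6 methods that rely on one password defined on the device.
SHARED_PASSWORD = {"enable", "line"}

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication login VPN-XAUTH group radius none
aaa authentication login CONSOLE line enable
aaa authentication login LEGACY none local
aaa authorization network VPN-GROUPS local
"""

LOGIN_LIST = re.compile(r"^aaa authentication login (\S+) (.+)$")


def parse_methods(tokens):
    """Keep list order and fold 'group <name>' into a single method."""
    methods, it = [], iter(tokens)
    for tok in it:
        methods.append(f"group {next(it, '?')}" if tok == "group" else tok)
    return methods


def audit(config):
    """Return (list_name, finding) pairs for weak authentication method lists."""
    findings = []
    for raw in config.splitlines():
        m = LOGIN_LIST.match(raw.strip())
        if not m:
            continue
        name, methods = m.group(1), parse_methods(m.group(2).split())
        if "none" in methods:
            pos = methods.index("none")
            prior = ", ".join(methods[:pos]) or "nothing"
            findings.append((name, f"'none' grants access unauthenticated (after: {prior})"))
            if methods[pos + 1:]:
                skipped = ", ".join(methods[pos + 1:])
                findings.append((name, f"never reached after 'none': {skipped}"))
        for method in methods:
            if method in SHARED_PASSWORD:
                findings.append((name, f"'{method}' uses a shared device password"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

On IOS, a later method in a list is tried only when the earlier one returns an error such as an unreachable server, so a trailing `none` is the case that admits users during a AAA server outage.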