Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding AAA Server and Server Group Objects
Table 6-17 AAA Server Group Dialog Box (Continued)

Element / Description

AD Agent Mode
(ASA 8.4(2+) devices only.)

Whether the servers in the group are Active Directory agents, which are used in identity-aware firewall configurations. You must select this option for an AD agent group to indicate that the group is not a full-function RADIUS server group.

Use the AD agent group in the Identity Options policy. For more information, see Identifying Active Directory Servers and Agents, page 13-8.

Max Failed Attempts
(PIX, ASA, FWSM devices only.)

The number of connection failures that will be tolerated for any given server in the server group before that server is deactivated. The default is 3 attempts; the range is 1 to 5.

Reactivation Mode
(PIX, ASA, FWSM devices only.)

The method to use when reactivating failed servers in the group:

Depletion—Reactivate failed servers only after all of the servers in the group are inactive. This is the default.

When a server is deactivated, it remains inactive until all other servers in the group are inactive. When and if this occurs, all servers in the group are reactivated. This approach minimizes the occurrence of connection delays due to failed servers.

If you configured a fallback method using the local database (for management access only) and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. You can configure the Reactivation Deadtime value to determine the number of minutes that will elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers.

If you do not have a fallback method, the device continues to retry the servers in the group.

Timed—Reactivate failed servers after 30 seconds of downtime. This option is useful if the first server in the group is the primary server and you prefer that it be used whenever possible rather than the backup servers. This policy breaks down in the case of UDP servers. Because a connection to a UDP server will not fail, even if the server is not present, UDP servers are put back online blindly. This could lead to slowed connection times or connection failures if a server group contains multiple servers that are not reachable.

Reactivation Deadtime
(PIX, ASA, FWSM devices only.)

When you select Depletion as the reactivation mode, the number of minutes that should elapse between the deactivation of the last server in the group and the reactivation of all the servers in the group. The default is 10; the range is 0 to 1440 minutes (24 hours).
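
The difference between the Depletion and Timed reactivation modes is easiest to see as a small state model. The Python below is an added example, not Cisco code and not part of the original guide; the class and method names are hypothetical, and it assumes a server is deactivated once its failure count reaches Max Failed Attempts. An empty list from `active()` corresponds to the unresponsive group for which a configured local-database fallback would be tried.

```python
from dataclasses import dataclass
from typing import List, Optional

TIMED_DOWNTIME_S = 30  # Timed mode reactivates after 30 seconds of downtime


@dataclass
class Server:
    name: str
    failures: int = 0
    down_since: Optional[float] = None  # None means the server is active


@dataclass
class ServerGroup:
    servers: List[Server]
    mode: str = "depletion"       # "depletion" (default) or "timed"
    max_failed_attempts: int = 3  # default 3, range 1 to 5
    deadtime_min: int = 10        # default 10, range 0 to 1440 minutes
    depleted_at: Optional[float] = None

    def __post_init__(self):
        if self.mode not in ("depletion", "timed"):
            raise ValueError("mode must be 'depletion' or 'timed'")
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("Max Failed Attempts range is 1 to 5")
        if not 0 <= self.deadtime_min <= 1440:
            raise ValueError("Reactivation Deadtime range is 0 to 1440")

    def record_failure(self, name: str, now: float) -> None:
        srv = next(s for s in self.servers if s.name == name)
        if srv.down_since is not None:
            return  # already deactivated, not being tried
        srv.failures += 1
        if srv.failures >= self.max_failed_attempts:  # assumption: limit reached
            srv.down_since = now
            if all(s.down_since is not None for s in self.servers):
                self.depleted_at = now  # last server in the group went down

    def active(self, now: float) -> List[str]:
        """Apply the reactivation rule, then list usable servers at `now` (seconds)."""
        if self.mode == "timed":
            revive = [s for s in self.servers if s.down_since is not None
                      and now - s.down_since >= TIMED_DOWNTIME_S]
        elif self.depleted_at is not None and now - self.depleted_at >= self.deadtime_min * 60:
            revive, self.depleted_at = list(self.servers), None
        else:
            revive = []
        for s in revive:
            s.failures, s.down_since = 0, None
        return [s.name for s in self.servers if s.down_since is None]
```

In Depletion mode a failed primary stays out of rotation until every server has failed and the deadtime has passed; in Timed mode it returns after 30 seconds whether or not it is actually reachable.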