Information About AAA
This chapter describes authentication, authorization, and accounting (AAA, pronounced “triple A”). AAA is a set of services for controlling access to computer resources, enforcing policies, assessing usage, and providing the information necessary to bill for services. These processes are considered important for effective network management and security.
This chapter includes the following sections:
Authentication
Authentication provides a way to identify a user, typically by having the user enter a valid username and valid password before access is granted. The AAA server compares the credentials the user presents with the user credentials stored in a database. If the credentials match, the user is permitted access to the network. If the credentials do not match, authentication fails and network access is denied.
You can configure the ASA to authenticate the following items:
- All administrative connections to the ASA, including the following sessions:
  – Telnet
  – SSH. For more information, see Chapter 41, “Configuring Management Access.”
  – Serial console
  – ASDM using HTTPS
  – VPN management access
- The enable command. For more information, see Chapter 41, “Configuring Management Access.”
- Network access. For more information, see “Configuring the Identity Firewall,” “Configuring the ASA to Integrate with Cisco TrustSec,” and Chapter 7, “Configuring AAA Rules for Network Access” of the firewall configuration guide.
- VPN access. For more information, see Chapter 6, “Configuring Remote Access IPsec VPNs,” Chapter 8, “Configuring Easy VPN Services on the ASA 5505,” Chapter 10, “Configuring LAN-to-LAN IPsec VPNs,” and Chapter 82, “Introduction to Clientless SSL VPN” of the VPN configuration guide.
Authorization
Authorization is the process of enforcing policies: determining what types of activities, resources, or services a user is permitted to access. After a user is authenticated, that user may be authorized for different types of access or activity.
You can configure the ASA to authorize the following items:
- Management commands. For more information, see Chapter 41, “Configuring Management Access.”
- Network access. For more information, see Chapter 7, “Configuring AAA Rules for Network Access” of the firewall configuration guide.
- VPN access. For more information, see Chapter 6, “Configuring Remote Access IPsec VPNs,” Chapter 8, “Configuring Easy VPN Services on the ASA 5505,” Chapter 10, “Configuring LAN-to-LAN IPsec VPNs,” and Chapter 82, “Introduction to Clientless SSL VPN” of the VPN configuration guide.
Accounting
Accounting measures the resources a user consumes during access, which may include the amount of system time or the amount of data that a user has sent or received during a session. Accounting is carried out through the logging of session statistics and usage information, which is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.
Interaction Between Authentication, Authorization, and Accounting
You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization.
AAA Servers
The AAA server is a network server that is used for access control. Authentication identifies the user. Authorization implements policies that determine which resources and services an authenticated user may access. Accounting keeps track of time and data resources that are used for billing and analysis.
AAA Server Groups
If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server or service.
Local Database Support
The ASA maintains a local database that you can populate with user profiles. You can use a local database instead of AAA servers to provide user authentication, authorization, and accounting. For more information, see Chapter 33, “Configuring the Local Database for AAA.”
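The following ASA configuration is an added example, not taken from the configuration guide, that ties the sections above together: one server group per AAA protocol, authentication of the administrative sessions and the enable command, command authorization that depends on that authentication, accounting, network access, VPN access, and the local database as fallback. The group names, interface name, addresses, ACL and tunnel-group names are constructed, and the secrets are placeholders.

```cisco
! Constructed example: group names, addresses and secrets are placeholders.
! One server group per AAA protocol; each group is referenced by name.
aaa-server CORP-TACACS protocol tacacs+
aaa-server CORP-TACACS (inside) host 192.0.2.10
 key <TACACS-SHARED-SECRET>
aaa-server CORP-RADIUS protocol radius
aaa-server CORP-RADIUS (inside) host 192.0.2.20
 key <RADIUS-SHARED-SECRET>
!
! Local database account, used as the fallback when the external servers
! cannot be reached.
username admin password <LOCAL-PASSWORD> privilege 15
!
! Authentication of administrative sessions (SSH, Telnet, serial console,
! ASDM over HTTPS) and of the enable command. The trailing LOCAL keyword
! names the fallback method.
aaa authentication ssh console CORP-TACACS LOCAL
aaa authentication telnet console CORP-TACACS LOCAL
aaa authentication serial console CORP-TACACS LOCAL
aaa authentication http console CORP-TACACS LOCAL
aaa authentication enable console CORP-TACACS LOCAL
!
! Authorization of management commands. Authorization always needs an
! authenticated user, so it only makes sense with the lines above in place.
aaa authorization command CORP-TACACS LOCAL
!
! Accounting for administrative sessions and for the commands entered in them.
aaa accounting ssh console CORP-TACACS
aaa accounting enable console CORP-TACACS
aaa accounting command CORP-TACACS
!
! Network access through the firewall: users whose HTTP/HTTPS connections match
! this ACL on the inside interface must authenticate against the RADIUS group.
access-list AUTH-NET extended permit tcp any any eq www
access-list AUTH-NET extended permit tcp any any eq https
aaa authentication match AUTH-NET inside CORP-RADIUS
!
! VPN access: a remote-access tunnel group authenticates against RADIUS,
! with the local database as fallback.
tunnel-group REMOTE-USERS type remote-access
tunnel-group REMOTE-USERS general-attributes
 authentication-server-group CORP-RADIUS LOCAL
```

The LOCAL fallback is what keeps management access available when the external servers are down; the local account should therefore exist and have the privilege level the authorized commands require before the external methods are enabled.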
Summary of AAA Service Support
Table 32-1 provides cross-references to the configuration guide chapters that describe support for specific AAA service types.
Table 32-1 AAA Service Support
| AAA Service Type | Configuration Guide Cross-Reference |
| Certificates | See Chapter 40, “Configuring Digital Certificates” |
| HTTP Form | See Chapter 87, “Configuring Clientless SSL VPN Users,” of the VPN configuration guide. |
| Identity Firewall | See Chapter 38, “Configuring the Identity Firewall” |
| Kerberos | See the “Microsoft Kerberos Constrained Delegation Solution” section on page 84-1 of the VPN configuration guide. |
| LDAP | See Chapter 36, “Configuring LDAP Servers for AAA” |
| Local Database | See Chapter 33, “Configuring the Local Database for AAA” |
| NT | See Chapter 37, “Configuring Windows NT Servers for AAA” |
| RADIUS | See Chapter 34, “Configuring RADIUS Servers for AAA” |
| RSA/SDI | See the following chapters of the VPN configuration guide: Chapter 1, “Configuring IPsec and ISAKMP”; Chapter 3, “Setting General VPN Parameters”; Chapter 4, “Configuring Connection Profiles, Group Policies, and Users”; Chapter 6, “Configuring Remote Access IPsec VPNs”; Chapter 8, “Configuring Easy VPN Services on the ASA 5505”; Chapter 10, “Configuring LAN-to-LAN IPsec VPNs” |
| TACACS+ | See Chapter 35, “Configuring TACACS+ Servers for AAA” |
| TrustSec | See Chapter 39, “Configuring the ASA to Integrate with Cisco TrustSec” |