CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1

acl

Identifies a locally configured ACL to be applied to the connection.

idletime

Indicates the amount of inactivity in minutes that is allowed before the authenticated user session is terminated.

timeout

Specifies the absolute amount of time in minutes that authentication credentials remain active before the authenticated user session is terminated.

bytes_in

Specifies the number of input bytes transferred during this connection (stop records only).

bytes_out

Specifies the number of output bytes transferred during this connection (stop records only).

cmd

Defines the command executed (command accounting only).

disc-cause

Indicates the numeric code that identifies the reason for disconnecting (stop records only).

elapsed_time

Defines the elapsed time in seconds for the connection (stop records only).

foreign_ip

Specifies the IP address of the client for tunnel connections. Defines the address on the lowest security interface for cut-through-proxy connections.

local_ip

Specifies the IP address that the client connected to for tunnel connections. Defines the address on the highest security interface for cut-through-proxy connections.

NAS port

Contains a session ID for the connection.

packs_in

Specifies the number of input packets transferred during this connection.

packs_out

Specifies the number of output packets transferred during this connection.

priv-level

Set to the user privilege level for command accounting requests or to 1 otherwise.

rem_iddr

Indicates the IP address of the client.

service

Specifies the service used. Always set to “shell” for command accounting only.

task_id

Specifies a unique task ID for the accounting transaction.

username

Indicates the name of the user.

Step 1

ciscoasa(config)# aaa-server servergroup1 protocol tacacs+

ciscoasa(config-aaa-server-group)#

Identifies the server group name and the protocol.

When you enter the aaa-server protocol command, you enter aaa-server group configuration mode.

Step 2

ciscoasa(config-aaa-server-group)# max-failed-attempts 2

Specifies the maximum number of requests sent to a AAA server in the group before trying the next server. The number argument can range from 1 and 5. The default is 3.

If you configured a fallback method using the local database (for management access only), and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default), so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the next step.

If you do not have a fallback method, the ASA continues to retry the servers in the group.

Step 3

ciscoasa(config-aaa-server-group)# reactivation-mode deadtime 20

Specifies the method (reactivation policy) by which failed servers in a group are reactivated.

The depletion keyword reactivates failed servers only after all of the servers in the group are inactive.

The deadtime minutes keyword-argument pair specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers. The default is 10 minutes.

The timed keyword reactivates failed servers after 30 seconds of down time.

Step 4

Sends accounting messages to all servers in the group.

To restore the default of sending messages only to the active server, enter the accounting-mode single command.

Step 1

Identifies the TACACS+ server and the server group to which it belongs.

When you enter the aaa-server host command, you enter aaa-server host configuration mode.

Step 2

Specifies the length of time, in seconds, that the ASA waits for a response from the primary server before sending the request to the backup server.

Step 3

Specifies the server port as port number 49, or the TCP port number used by the ASA to communicate with the TACACS+ server.

Step 4

Specifies the server secret value used to authenticate the NAS to the TACACS+ server. This value is a case-sensitive, alphanumeric keyword of up to 127 characters, which is the same value as the key on the TACACS+ server. Any characters over 127 are ignored. The key is used between the client and the server to encrypt data between them and must be the same on both the client and server systems. The key cannot contain spaces, but other special characters are allowed.