A remotely authenticated user account is any user account that is authenticated through LDAP, RADIUS, or TACACS+. Remote
authentication allows for a maximum of 16 TACACS+ servers, 16 RADIUS servers, and 16 LDAP providers for a total of 48 providers.
AAA is a set of services for controlling access to computer resources, enforcing policies, assessing usage, and providing
the information necessary to bill for services. These processes are considered important for effective network management
and security.
Note that if a user maintains a local user account and a remote user account simultaneously, the roles defined in the local
user account override those maintained in the remote user account.
TACACS+ is an authentication protocol that the FXOS chassis can use to authenticate management users against a remote AAA
server. These management users can access the FXOS chassis via SSH, HTTPS, telnet, or HTTP. We recommend SSH for maximum security
when accessing the FXOS chassis. Having several authentication methods to choose from lets you pick the one that best secures management access.
TACACS+ authentication, or more generally AAA authentication, provides the ability to use individual user accounts for each
network administrator. When you do not depend on a single shared password, the security of the network is improved and your
accountability is strengthened.
RADIUS is a protocol similar in purpose to TACACS+; however, it encrypts only the password sent across the network. In contrast,
TACACS+ encrypts the entire TCP payload, which includes both the username and password. For this reason, we recommend that
you use TACACS+ in preference to RADIUS when TACACS+ is supported by the AAA server.
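To make the difference concrete, the following added example (not Cisco code, and not from the FXOS configuration guide) builds a minimal RADIUS Access-Request and a TACACS+ authentication START packet using the hiding schemes from RFC 2865 section 5.2 and RFC 8907 section 4.5, then reports which credential fields are still readable on the wire. The shared secret, username, password, port and remote address are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values for the demonstration; none come from a real deployment.
SHARED_SECRET = b"example-shared-secret"
USERNAME = b"netadmin"
PASSWORD = b"Str0ngPassw0rd!"

def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: only the User-Password attribute is XORed with chained MD5(secret + prev)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], digest))
        out += prev
    return out

def radius_access_request(username, password, secret, authenticator):
    """Minimal Access-Request (code 1): User-Name is cleartext, only User-Password is hidden."""
    attrs = bytes([1, 2 + len(username)]) + username                      # type 1 = User-Name
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden                         # type 2 = User-Password
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs

def tacacs_obfuscate(body, key, session_id, version=0xC1, seq_no=1):
    """RFC 8907 4.5: the whole body is XORed with a chained MD5 pseudo-pad (symmetric operation)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))

def tacacs_auth_start(username, password, key, session_id, seq_no=1):
    """Authentication START packet for PAP: username and password both sit in the obfuscated body."""
    port, rem_addr = b"ssh", b"198.51.100.7"  # constructed sample values
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), then field lengths
    body = struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    body += username + port + rem_addr + password
    header = struct.pack("!BBBBII", 0xC1, 1, seq_no, 0, session_id, len(body))  # cleartext header
    return header + tacacs_obfuscate(body, key, session_id, 0xC1, seq_no)

def compare_exposure(username, password, secret, authenticator, session_id):
    """Report which credential fields are readable on the wire for each protocol."""
    rad = radius_access_request(username, password, secret, authenticator)
    tac = tacacs_auth_start(username, password, secret, session_id)
    return {"radius": {"username": username in rad, "password": password in rad},
            "tacacs+": {"username": username in tac, "password": password in tac}}
```

Running `compare_exposure` with the sample values shows the RADIUS username in the clear while the TACACS+ packet exposes neither field; note that both schemes are keyed MD5 XOR pads, so a strong shared secret and an encrypted transport still matter.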
LDAP is a client-server protocol for accessing directory services, such as Microsoft Active Directory. LDAP does not require
any security between the client and server. However, through the use of SSL, LDAP can encrypt user sessions between the client
and server. This keeps all information transferred in LDAP transactions over the network secure. For this reason, we strongly
recommend that you use LDAP over SSL/TLS rather than plain LDAP.
For more information and detailed procedures on how to configure RADIUS, TACACS+, and LDAP on your FXOS chassis, see the Configuring AAA section in the Platform Settings chapter of the Cisco Firepower 4100/9300 FXOS CLI Configuration Guide.