About AAA and the Local Database
This section describes AAA and the local database.
Authentication
Authentication provides a way to identify a user, typically by having the user enter a valid username and valid password before access is granted. The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is permitted access to the network. If the credentials do not match, authentication fails and network access is denied.
You can configure the ASA to authenticate the following items:
-
All administrative connections to the ASA, including the following sessions:
-
Telnet
-
SSH
-
Serial console
-
ASDM using HTTPS
-
VPN management access
-
-
The enable command
-
Network access
-
VPN access
Authorization
Authorization is the process of enforcing policies: determining what types of activities, resources, or services a user is permitted to access. After a user is authenticated, that user may be authorized for different types of access or activity.
You can configure the ASA to authorize the following items:
-
Management commands
-
Network access
-
VPN access
Accounting
Accounting measures the resources a user consumes during access, which may include the amount of system time or the amount of data that a user has sent or received during a session. Accounting is carried out through the logging of session statistics and usage information, which is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.
Interaction Between Authentication, Authorization, and Accounting
You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization.
AAA Servers and Server Groups
The AAA server is a network server that is used for access control. Authentication identifies the user. Authorization implements policies that determine which resources and services an authenticated user may access. Accounting keeps track of time and data resources that are used for billing and analysis.
If you want to use an external AAA server, you must first create a AAA server group for the protocol that the external server uses, and add the server to the group. You can create more than one group per protocol, and separate groups for all protocols that you want to use. Each server group is specific to one type of server or service.
See the following topics for details on how to create the groups:
See the VPN configuration guide for more information on using HTTP Form.
Note |
From ASA 9.22.1, the Kerberos protocol is not supported. You can no longer use Kerberos for AAA services. We recommend that you to use other supported servers listed in the below table. |
The following table summarizes the supported types of server and their uses, including the local database.
Server Type and Service |
Authentication |
Authorization |
Accounting |
---|---|---|---|
Local Database |
|||
|
Yes |
Yes |
No |
|
Yes |
No |
No |
|
Yes |
Yes |
No |
RADIUS |
|||
|
Yes |
Yes |
Yes |
|
Yes |
Yes |
Yes |
|
Yes |
Yes |
Yes |
TACACS+ |
|||
|
Yes |
Yes |
Yes |
|
Yes |
No |
Yes |
|
Yes |
Yes |
Yes |
LDAP |
|||
|
Yes |
No |
No |
|
Yes |
Yes |
No |
|
Yes |
No |
No |
SDI (RSA SecurID) |
|||
|
Yes |
No |
No |
|
Yes |
No |
No |
|
Yes |
No |
No |
HTTP Form |
|||
|
No |
No |
No |
|
Yes |
No |
No |
|
No |
No |
No |
Notes
|
About the Local Database
The ASA maintains a local database that you can populate with user profiles. You can use a local database instead of AAA servers to provide user authentication, authorization, and accounting.
You can use the local database for the following functions:
-
ASDM per-user access
-
Console authentication
-
Telnet and SSH authentication
-
enable command authentication
This setting is for CLI-access only and does not affect the Cisco ASDM login.
-
Command authorization
If you turn on command authorization using the local database, then the ASA refers to the user privilege level to determine which commands are available. Otherwise, the privilege level is not generally used. By default, all commands are either privilege level 0 or level 15.
-
Network access authentication
-
VPN client authentication
For multiple context mode, you can configure usernames in the system execution space to provide individual logins at the CLI using the login command; however, you cannot configure any AAA rules that use the local database in the system execution space.
Note |
You cannot use the local database for network access authorization. |
Fallback Support
The local database can act as a fallback method for several functions. This behavior is designed to help you prevent accidental lockout from the ASA.
When a user logs in, the servers in the group are accessed one at a time, starting with the first server that you specify in the configuration, until a server responds. If all servers in the group are unavailable, the ASA tries the local database if you have configured it as a fallback method (for management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.
For users who need fallback support, we recommend that their usernames and passwords in the local database match their usernames and passwords on the AAA servers. This practice provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different than the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.
The local database supports the following fallback functions:
-
Console and enable password authentication—If the servers in the group are all unavailable, the ASA uses the local database to authenticate administrative access, which can also include enable password authentication.
-
Command authorization—If the TACACS+ servers in the group are all unavailable, the local database is used to authorize commands based on privilege levels.
-
VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the ASA if AAA servers that normally support these VPN services are unavailable. When a VPN client of an administrator specifies a tunnel group configured to fallback to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.
How Fallback Works with Multiple Servers in a Group
If you configure multiple servers in a server group and you enable fallback to the local database for the server group, fallback occurs when no server in the group responds to the authentication request from the ASA. To illustrate, consider this scenario:
You configure an LDAP server group with two Active Directory servers, server 1 and server 2, in that order. When the remote user logs in, the ASA attempts to authenticate to server 1.
If server 1 responds with an authentication failure (such as user not found), the ASA does not attempt to authenticate to server 2.
If server 1 does not respond within the timeout period (or the number of authentication attempts exceeds the configured maximum), the ASA tries server 2.
If both servers in the group do not respond, and the ASA is configured to fall back to the local database, the ASA tries to authenticate to the local database.