Firewall commands - aaa-server

Specify an AAA server. (Configuration mode.)
Syntax Description

aaa-server
    Specifies an AAA server or up to 14 groups of servers with a maximum of 14 servers each. Certain types of AAA services can be directed to different servers. Services can also be set up to fail over to multiple servers.

group_tag
    An alphanumeric string that names the server group. Use the group_tag in the aaa command to associate aaa authentication and aaa accounting command statements with an AAA server. Up to 14 server groups are permitted.

if_name
    The name of the interface on which the server resides.

host server_ip
    The IP address of the TACACS+ or RADIUS server.

key
    A case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the key on the TACACS+ server. Any characters entered past 127 are ignored. The key is used between the client and server to encrypt the data exchanged between them, and it must be the same on both the client and server systems. Spaces are not permitted in the key, but other special characters are.

timeout seconds
    A retransmit timer that specifies how long the PIX Firewall waits on each of four attempts to reach the AAA server before choosing the next AAA server. The default is 5 seconds. The maximum is 30 seconds. For example, if the timeout value is 10 seconds, the PIX Firewall retransmits for 10 seconds and, if no acknowledgment is received, tries three more times, for a total of 40 seconds, before the next AAA server is selected.

protocol auth_protocol
    The type of AAA server, either tacacs+ or radius.

aaa-server radius-acctport
    Sets the port number of the RADIUS server that the PIX Firewall unit uses for accounting functions. The default port number used for RADIUS accounting is 1646.

aaa-server radius-authport
    Sets the port number of the RADIUS server that the PIX Firewall uses for authentication functions. The default port number used for RADIUS authentication is 1645.

port
    Specifies the destination TCP/UDP port number of the remote RADIUS server host to which you wish to assign authentication or accounting functions for the PIX Firewall. These port pairs are listed as assigned to authentication and accounting services on RADIUS servers:

        Authentication 1645, accounting 1646 (RFC 2058)
        Authentication 1812, accounting 1813 (RFC 2138 and RFC 2139)
    You can view these and other commonly used port number assignments online at http://www.iana.org/assignments/port-numbers. See "Ports" in "Using PIX Firewall Commands" for additional information.

no aaa-server
    Unbinds an AAA server from an interface or host.

show aaa-server
    Displays configuration information about the AAA servers in the configuration.

clear aaa-server
    Removes an AAA server from the configuration.

Defaults

By default, the PIX Firewall listens for RADIUS on ports 1645 for authentication and 1646 for accounting.

Usage

The aaa-server command allows you to specify an AAA server group. PIX Firewall lets you define separate groups of TACACS+ or RADIUS servers for different types of traffic, such as a TACACS+ server for inbound traffic and another for outbound traffic. Another use is to authenticate all outbound HTTP traffic with a TACACS+ server while all inbound traffic uses RADIUS. AAA server groups are defined by a tag name that directs different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups, and each group can have up to 14 AAA servers, for a total of up to 196 AAA servers.

If the RADIUS server uses port 1812 for authentication and 1813 for accounting, you must reconfigure the PIX Firewall to use ports 1812 and 1813.

Note  This is a global setting that takes effect when RADIUS service is started. The default ports are 1645 for authentication and 1646 for accounting, as defined in RFC 2058. Newer RADIUS servers may use port numbers 1812 and 1813, as defined in RFC 2138 and RFC 2139. If the server uses ports other than 1645 and 1646, define the ports with the aaa-server radius-authport and aaa-server radius-acctport commands before starting the RADIUS service with the aaa-server command.

The aaa command references the tag group.
Note  The previous server type option at the end of the aaa authentication and aaa accounting commands has been replaced with the aaa-server group tag. Backward compatibility with previous versions is maintained by the inclusion of two default protocols for TACACS+ and RADIUS. If accounting is in effect, the accounting information goes only to the active server.

The default configuration provides these two aaa-server protocols:

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

Changing the authentication and accounting port settings is possible. By default, the PIX Firewall listens for RADIUS on ports 1645 and 1646. If the RADIUS server uses ports 1812 and 1813, you can reconfigure the PIX Firewall to use ports 1812 and 1813 with the aaa-server radius-authport and aaa-server radius-acctport commands. If you are upgrading from a previous version of PIX Firewall and have aaa command statements in the configuration, using the default server groups lets you keep those aaa command statements working unchanged.

Examples
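The following configuration is an added example, not taken from the original command reference. It shows the ordering the Usage section calls for (RADIUS ports set before the RADIUS group is started), a RADIUS group whose second server is only consulted after the first has exhausted its four attempts, a TACACS+ group with the default timeout, and aaa statements that reference each group by tag. The interface name, IP addresses and keys are constructed placeholders, and the form of the aaa authentication and aaa accounting statements is assumed from the aaa command, which this page only names.

```cisco
! Added example; addresses, interface name and keys are constructed placeholders.
! The RADIUS server uses 1812/1813, so the global ports are changed BEFORE the
! RADIUS server group is started (the setting takes effect when RADIUS service starts).
aaa-server radius-authport 1812
aaa-server radius-acctport 1813

! Group RADIN: two RADIUS servers on the inside interface. With timeout 10, the
! PIX tries the first server four times (4 x 10 s = 40 s) before it fails over
! to the second. Keys contain no spaces (spaces are not permitted in the key).
aaa-server RADIN protocol radius
aaa-server RADIN (inside) host 10.0.0.10 Sh4red-Key-1 timeout 10
aaa-server RADIN (inside) host 10.0.0.11 Sh4red-Key-1 timeout 10

! Group TACOUT: one TACACS+ server for outbound traffic; the timeout keyword is
! omitted, so the default 5-second retransmit timer applies.
aaa-server TACOUT protocol tacacs+
aaa-server TACOUT (inside) host 10.0.0.20 T4cacs-Key

! Direct traffic to each group by its tag (statement form assumed from the aaa
! command): inbound traffic authenticates and accounts against RADIN, outbound
! HTTP authenticates against TACOUT.
aaa authentication include any inbound 0 0 0 0 RADIN
aaa accounting include any inbound 0 0 0 0 RADIN
aaa authentication include http outbound 0 0 0 0 TACOUT

! Verify the resulting groups, hosts, keys and timeouts.
show aaa-server
```

Because accounting records go only to the active server, a failover from 10.0.0.10 to 10.0.0.11 in the RADIN group also moves the accounting stream; when reviewing RADIUS accounting logs, expect a gap of up to 40 seconds on the first server and the continuation on the second.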