Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 10 Configuring AAA Servers and the Local Database
 AAA Server and Local Database Support
A version 5.0 SDI server that you configure on the security appliance can be either the primary or 
any one of the replicas. See the “SDI Primary and Replica Servers” section on page 10-7 for 
information about how the SDI agent selects servers to authenticate users.
Two-step Authentication Process
SDI version 5.0 uses a two-step process to prevent an intruder who captures an RSA SecurID 
authentication request from replaying it to authenticate to another server. The agent first sends a lock 
request for the username to the SecurID server, before it sends the authentication request itself. The 
server locks the username, which prevents any other (replica) server from accepting an authentication for 
that user while the lock is held. As a consequence, the same user cannot authenticate to two security 
appliances through the same set of authentication servers simultaneously. Only after the username lock 
succeeds does the security appliance send the passcode.
SDI Primary and Replica Servers
The security appliance obtains the server list when the first user authenticates to the configured server, 
which can be either the primary or a replica. The security appliance then assigns a priority to each server 
on the list; subsequent server selection is random but weighted by those priorities, so servers with a 
higher priority are more likely to be selected.
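The following model, added here as an illustration and not taken from the Cisco guide or from RSA, puts the two preceding passages together: an agent that knows one configured server, learns the primary/replica list on the first authentication, selects servers by priority-weighted random choice, and performs the lock-then-passcode exchange against servers that share one lock table. The class and function names, the rule that list order sets priority, the one-time consumption of a passcode and the toy credential store are all assumptions; the real SecurID message formats are not described on this page.

```python
"""Constructed model of the SDI 5.0 agent behaviour described in this section:
weighted server selection from a learned primary/replica list, then the
two-step lock-then-passcode exchange. Added illustration, not Cisco or RSA
code; real SecurID message formats and priority rules are not on this page
and are replaced with simple stand-ins."""
import random
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SecurIDReplicaSet:
    """One primary plus its replicas sharing a single user-lock table.
    passcodes maps username -> currently valid one-time passcode (toy store)."""
    servers: list
    passcodes: dict
    locks: set = field(default_factory=set)

    def lock(self, server, username):
        """Step 1: lock the username. Every server in the set refuses while
        another holds the lock, so a captured request replayed to a second
        replica is not accepted while the real one is in flight."""
        if server not in self.servers:
            raise ValueError(f"unknown server {server}")
        if username in self.locks:
            return False
        self.locks.add(username)
        return True

    def verify(self, server, username, passcode):
        """Step 2: check the passcode, consume it on success, release the lock."""
        if username not in self.locks:
            raise RuntimeError("passcode sent without a prior username lock")
        ok = self.passcodes.get(username) == passcode
        if ok:
            del self.passcodes[username]  # one-time passcode is now spent
        self.locks.discard(username)
        return ok


class SdiAgent:
    """The appliance's SDI agent: one configured server at start, full list
    learned on the first authentication."""

    def __init__(self, configured_server, replica_set, rng=None):
        self.configured = configured_server
        self.rs = replica_set
        self.rng = rng or random.Random()
        self.priorities = None

    def learn_server_list(self):
        """Assumption (not stated on the page): list order sets priority,
        first entry highest; priorities double as selection weights."""
        n = len(self.rs.servers)
        self.priorities = {s: n - i for i, s in enumerate(self.rs.servers)}

    def choose_server(self):
        """Only the configured server is known before the list is learned;
        afterwards the choice is random, weighted by priority."""
        if self.priorities is None:
            return self.configured
        servers = list(self.priorities)
        return self.rng.choices(servers, weights=[self.priorities[s] for s in servers])[0]

    def begin(self, username):
        """Agent side of step 1: pick a server and request the username lock.
        Returns the server on success, None if the user is locked elsewhere."""
        server = self.choose_server()
        if self.priorities is None:
            self.learn_server_list()
        return server if self.rs.lock(server, username) else None

    def complete(self, server, username, passcode):
        """Agent side of step 2: send the passcode to the server holding the lock."""
        return self.rs.verify(server, username, passcode)


def selection_counts(draws=1000, seed=7):
    """How often each server is picked once the list is known."""
    rs = SecurIDReplicaSet(["primary", "replica1", "replica2"], {})
    agent = SdiAgent("replica1", rs, random.Random(seed))
    agent.learn_server_list()
    return Counter(agent.choose_server() for _ in range(draws))


def concurrent_login_demo():
    """Two appliances, same user and servers, overlapping in time."""
    rs = SecurIDReplicaSet(["primary", "replica1"], {"alice": "123456"})
    asa_a = SdiAgent("primary", rs, random.Random(1))
    asa_b = SdiAgent("replica1", rs, random.Random(2))
    events = []
    srv_a = asa_a.begin("alice")
    events.append(("A", "lock", srv_a is not None))                         # True
    events.append(("B", "lock", asa_b.begin("alice") is not None))          # False: alice locked
    events.append(("A", "auth", asa_a.complete(srv_a, "alice", "123456")))  # True, lock freed
    srv_b = asa_b.begin("alice")
    events.append(("B", "lock", srv_b is not None))                         # True
    events.append(("B", "auth", asa_b.complete(srv_b, "alice", "123456")))  # False: passcode spent
    return events
```

Running `concurrent_login_demo()` shows the property the text describes: while appliance A holds the lock on alice, appliance B's lock request is refused, and once A has consumed the passcode, B's replay of the same passcode is denied. `selection_counts()` shows that, after the list is learned, every server is eventually used but the highest-priority one is chosen most often.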
NT Server Support
The security appliance supports VPN authentication with Microsoft Windows server operating systems 
that support NTLM version 1, referred to collectively here as NT servers. When a user attempts to 
establish VPN access and the applicable tunnel-group record specifies an NT authentication server group, 
the security appliance uses NTLM version 1 to authenticate the user against the Microsoft Windows 
domain server, and grants or denies access based on the response from the domain server.
Note NT servers have a maximum user password length of 14 characters; longer passwords are truncated, so 
characters beyond the fourteenth do not contribute to authentication. This is a limitation of NTLM version 1.
Kerberos Server Support
The security appliance can use Kerberos servers for VPN authentication. When a user attempts to 
establish VPN access through the security appliance and the traffic matches an authentication statement, 
the security appliance consults the Kerberos server to authenticate the user and grants or denies access 
based on the response from the server.
The security appliance supports the 3DES, DES, and RC4 encryption types.
Note The security appliance does not support changing user passwords during tunnel negotiation, so a 
user whose password has expired cannot update it through the tunnel. To avoid this happening 
inadvertently, disable password expiration on the Kerberos/Active Directory server for users who connect 
to the security appliance.