aaa-server server_group_name protocol kerberos

max-failed-attempts number

The number argument can range from 1 and 5. The default is 3.

If you configured a fallback method using the local database (for management access only), and all the servers in the group fail to respond, or their responses are invalid, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default), so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the next step.

If you do not have a fallback method, the ASA continues to retry the servers in the group.

reactivation-mode {depletion [deadtime minutes] | timed}

The depletion keyword reactivates failed servers only after all of the servers in the group are inactive. This is the default mode.

The deadtime minutes keyword-argument pair specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers. Deadtime applies only if you configure fallback to the local database; authentication is attempted locally until the deadtime elapses. The default is 10 minutes.

The timed keyword reactivates failed servers after 30 seconds of down time.

validate-kdc

To accomplish the authentication, you must also import a keytab file that you exported from the Kerberos Key Distribution Center (KDC). By validating the KDC, you can prevent an attack where the attacker spoofs the KDC so that user credentials are authenticated against the attacker’s Kerberos server.

For information about how to upload the keytab file, see Configure Kerberos Key Distribution Center Validation.

aaa-server server_group [(interface_name)] host server_ip

If you do not specify an interface, then the ASA uses the inside interface by default.

You can use an IPv4 or IPv6 address.

timeout seconds

Specify the timeout interval (1-300 seconds) for the server; the default is 10 seconds. For each AAA transaction the ASA retries connection attempts (based on the interval defined on the retry-interval command) until the timeout is reached. If the number of consecutive failed transactions reaches the limit specified on the max-failed-attempts command in the AAA server group, the AAA server is deactivated and the ASA starts sending requests to another AAA server if it is configured.

retry-interval seconds

You can specify 1-10 seconds. The default is 10.

server-port port_number

kerberos-realm name

Kerberos realm names use numbers and upper case letters only, and can be up to 64 characters. The name should match the output of the Microsoft Windows set USERDNSDOMAIN command when it is run on the Active Directory server for the Kerberos realm. In the following example, EXAMPLE.COM is the Kerberos realm name:

C:\>set USERDNSDOMAIN
USERDNSDOMAIN=EXAMPLE.COM 

Although the ASA accepts lower case letters in the name, it does not translate lower case letters to upper case letters. Be sure to use upper case letters only.

C:> setspn -A HOST/asahost.example.com asahost 

C:\Users\Administrator> ktpass /out new.keytab +rndPass 
/princ host/asahost@EXAMPLE.COM 
/mapuser asahost@example.com 
/ptype KRB5_NT_SRV_HST 
/mapop set 

ciscoasa(config)# aaa kerberos import-keytab ftp://ftpserver.example.com/new.keytab 
ftp://ftpserver.example.com/new.keytab imported successfully 

ciscoasa(config)# aaa-server svrgrp1 protocol kerberos 
ciscoasa(config-aaa-server-group)# validate-kdc