Contents (page numbers follow each entry)

Configuring AAA   1
    Overview   1
        RADIUS   2
        HWTACACS   6
        LDAP   9
        AAA implementation on the device   12
        AAA for MPLS L3VPNs   14
        Protocols and standards   14
        RADIUS attributes   14
    FIPS compliance   19
    AAA configuration considerations and task list   19
    Configuring AAA schemes   20
        Configuring local users   20
        Configuring RADIUS schemes   24
        Configuring HWTACACS schemes   36
        Configuring LDAP schemes   42
    Configuring AAA methods for ISP domains   46
        Configuration prerequisites   47
        Creating an ISP domain   47
        Configuring ISP domain attributes   48
        Configuring authentication methods for an ISP domain   49
        Configuring authorization methods for an ISP domain   50
        Configuring accounting methods for an ISP domain   51
    Configuring the RADIUS session-control feature   53
    Configuring the RADIUS DAE server feature   53
    Changing the DSCP priority for RADIUS packets   54
    Configuring the RADIUS attribute translation feature   54
    Setting the maximum number of concurrent login users   56
    Configuring a NAS-ID profile   56
    Configuring the device ID   57
    Displaying and maintaining AAA   57
    AAA configuration examples   57
        AAA for SSH users by an HWTACACS server   57
        Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users   59
        Authentication and authorization for SSH users by a RADIUS server   60
        Authentication for SSH users by an LDAP server   64
    Troubleshooting RADIUS   68
        RADIUS authentication failure   68
        RADIUS packet delivery failure   68
        RADIUS accounting error   69
    Troubleshooting HWTACACS   69
    Troubleshooting LDAP   69
        LDAP authentication failure   69

802.1X overview   71
    802.1X architecture   71
    Controlled/uncontrolled port and port authorization status   71
    802.1X-related protocols   72
        Packet formats   72
        EAP over RADIUS   73
    802.1X authentication initiation   74
        802.1X client as the initiator   74
        Access device as the initiator   74
    802.1X authentication procedures   75
        Comparing EAP relay and EAP termination   75
        EAP relay   76
        EAP termination   77