Contents

Configuring AAA  1
    Overview  1
        RADIUS  2
        HWTACACS  6
        LDAP  9
        AAA implementation on the device  11
        AAA for MPLS L3VPNs  13
        Protocols and standards  13
        RADIUS attributes  14
    FIPS compliance  16
    AAA configuration considerations and task list  17
    Configuring AAA schemes  18
        Configuring local users  18
        Configuring RADIUS schemes  22
        Configuring HWTACACS schemes  33
        Configuring LDAP schemes  40
    Configuring AAA methods for ISP domains  43
        Configuration prerequisites  43
        Creating an ISP domain  43
        Configuring ISP domain attributes  44
        Configuring authentication methods for an ISP domain  44
        Configuring authorization methods for an ISP domain  45
        Configuring accounting methods for an ISP domain  47
    Enabling the session-control feature  48
    Setting the maximum number of concurrent login users  48
    Configuring a NAS-ID profile  48
    Displaying and maintaining AAA  49
    AAA configuration examples  49
        AAA for SSH users by an HWTACACS server  49
        Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users  50
        Authentication and authorization for SSH users by a RADIUS server  52
        Authentication for SSH users by an LDAP server  56
    Troubleshooting RADIUS  61
        RADIUS authentication failure  61
        RADIUS packet delivery failure  61
        RADIUS accounting error  62
    Troubleshooting HWTACACS  62
    Troubleshooting LDAP  62
        LDAP authentication failure  62

802.1X overview  64
    802.1X architecture  64
    Controlled/uncontrolled port and port authorization status  64
    802.1X-related protocols  65
        Packet formats  65
        EAP over RADIUS  66
    802.1X authentication initiation  67
        802.1X client as the initiator  67
        Access device as the initiator  67
    802.1X authentication procedures  68
        Comparing EAP relay and EAP termination  68
        EAP relay  69
        EAP termination  70

Configuring 802.1X  72
    Access control methods  72
    802.1X VLAN manipulation  72