Ruijie RG-S2900G-E Series - Page 450

Configuration Guide AAA Configuration
The figure above illustrates a typical AAA network configuration, including two security servers: R1 and R2 are both RADIUS servers.

Suppose the system administrator has defined a method list in which R1 is queried first for the identity information, then R2, and finally the local username database on the NAS. If a remote PC user attempts to access the network via dialup, the NAS first queries R1 for the authentication information. If the user passes authentication on R1, R1 sends a SUCCESS reply to the NAS, and the user is allowed to access the network. If R1 returns a FAIL reply, the user's access is refused and the user is disconnected. If R1 does not reply, the NAS treats this as an ERROR and queries R2 for the authentication information. This process continues through the remaining methods until the user passes authentication, is refused, or the session is terminated. If ERROR is returned for all methods, the authentication fails and the user is disconnected.
Caution
The REJECT response is not the same as the TIMEOUT response. REJECT means the user does not meet the criteria in the available authentication database and does not pass authentication, so the access request is refused. TIMEOUT means the security server gave no reply to the authentication request. When an ERROR is detected, AAA selects the next authentication method in the method list to continue the authentication process.
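
The method-list behaviour described above, modelled as an added Python example (not code from the Ruijie manual): FAIL ends the walk, ERROR moves on to the next method. The `Reply` enum, the helper names and the account values are constructed for illustration, and no RADIUS traffic is sent.

```python
import hmac
from enum import Enum

class Reply(Enum):
    SUCCESS = "SUCCESS"   # method accepted the credentials
    FAIL = "FAIL"         # method answered and refused (REJECT)
    ERROR = "ERROR"       # method gave no reply (TIMEOUT)

def make_method(accounts, reachable=True):
    """Stand-in for one authentication method (hypothetical helper).

    accounts is a constructed {user: password} dict; reachable=False
    models a security server that never replies to the NAS.
    """
    def method(user, password):
        if not reachable:
            return Reply.ERROR
        known = user in accounts and hmac.compare_digest(accounts[user], password)
        return Reply.SUCCESS if known else Reply.FAIL
    return method

def authenticate(method_list, user, password):
    """Walk the method list in order and return (allowed, trace).

    trace lists every method consulted with its reply, so the decision
    can be audited afterwards.
    """
    trace = []
    for name, method in method_list:
        reply = method(user, password)
        trace.append((name, reply))
        if reply is Reply.SUCCESS:
            return True, trace
        if reply is Reply.FAIL:
            return False, trace      # definitive refusal, no fallback
        # Reply.ERROR: try the next method in the list
    return False, trace              # ERROR from every method

if __name__ == "__main__":
    # Constructed sample data: "ops" exists only in the local database.
    local = make_method({"ops": "local-pass"})
    r1_down = make_method({}, reachable=False)
    r2_up = make_method({"alice": "radius-pass"})
    print(authenticate([("R1", r1_down), ("R2", r2_up), ("local", local)],
                       "ops", "local-pass"))
```

With R1 unreachable and R2 answering, a user known only to the local database is refused because R2's FAIL is final; the local database is consulted only when every method before it returns ERROR.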
Note
This chapter uses RADIUS as the example for configuring the authentication, authorization and accounting of the AAA security server. For TACACS+, refer to TACACS+ Configuration.
Basic Configuration Steps
First, decide which security solution to use: evaluate the potential security risks in the specific network and select the proper measures to prevent unauthorized access. For the security risk evaluation and the possible security solutions, see Chapter 2, Security Overview. We recommend using AAA as much as possible to guarantee network security.
Overview
AAA configuration becomes simple once the basic operation process of AAA is understood. On network devices, AAA is configured through the following steps:
1. Enable AAA by using the global configuration command aaa new-model.
2. Configure the security protocol parameters, such as those for RADIUS, if you decide to use a security server.
3. Define the authentication method list by using the aaa authentication command.
4. Apply the method list to a specific interface or line, if necessary.