
Chapter 8, aaa-policy – Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

53-1003098-01

Chapter 8: AAA-POLICY

This chapter summarizes the Authentication, Authorization, and Accounting (AAA) policy
commands in the CLI command structure.

A AAA policy enables administrators to define access control settings governing network
permissions. External RADIUS and LDAP servers (AAA servers) also provide user database
information and user authentication data. Each WLAN maintains its own unique AAA configuration.

AAA provides a modular way of performing the following services:

Authentication — Provides a means for identifying users, including login and password dialog,
challenge and response, messaging support and (depending on the security protocol) encryption.
Authentication is the technique by which a user is identified before being allowed access to the
network. Configure AAA authentication by defining a list of authentication methods, and then
applying the list to various interfaces. The list defines the authentication schemes performed and
their sequence. The list must be applied to an interface before the defined authentication
technique is conducted.

Authorization — Authorization occurs immediately after authentication. Authorization is a method
for remote access control, including authorization for services and individual user accounts and
profiles. Authorization functions through the assembly of attribute sets describing what the user is
authorized to perform. These attributes are compared to information contained in a database for a
given user and the result is returned to AAA to determine the user's actual capabilities and
restrictions. The database could be located locally or be hosted remotely on a RADIUS server.
Remote RADIUS servers authorize users by associating attribute-value (AV) pairs with the
appropriate user. Each authorization method must be defined through AAA. When AAA
authorization is enabled it’s applied equally to all interfaces.

Accounting — Collects and sends security server information for billing, auditing, and reporting user
data, such as start and stop times, executed commands (such as PPP), number of packets, and
number of bytes. Accounting enables wireless network administrators to track the services users
are accessing and the network resources they are consuming. When accounting is enabled, the
network access server reports user activity to a RADIUS security server in the form of accounting
records. Each accounting record consists of AV pairs and is stored locally on the access control
server. The data can be analyzed for network management, client billing, and/or auditing.
Accounting methods must be defined through AAA. When AAA accounting is activated, it is applied
equally to all interfaces on the access servers.

Use the (config) instance to configure AAA policy commands. To navigate to the config-aaa-policy
instance, use the following commands:

(config)#aaa-policy

rfs7000-37FABE(config)#aaa-policy test

rfs7000-37FABE(config-aaa-policy-test)#?

AAA Policy Mode commands:

  accounting   Configure accounting parameters
  attribute    Configure RADIUS attributes in access and accounting
               requests