Contents

Configuring AAA    1
    Overview    1
        RADIUS    2
        HWTACACS    7
        LDAP    9
        AAA implementation on the device    11
        Protocols and standards    13
        RADIUS attributes    13
    FIPS compliance    16
    AAA configuration considerations and task list    16
    Configuring AAA schemes    18
        Configuring local users    18
        Configuring RADIUS schemes    22
        Configuring HWTACACS schemes    32
        Configuring LDAP schemes    38
    Configuring AAA methods for ISP domains    41
        Configuration prerequisites    42
        Creating an ISP domain    42
        Setting the ISP domain status    42
        Configuring authentication methods for an ISP domain    43
        Configuring authorization methods for an ISP domain    44
        Configuring accounting methods for an ISP domain    45
    Enabling the session-control feature    46
    Setting the maximum number of concurrent login users    47
    Displaying and maintaining AAA    47
    AAA configuration examples    47
        AAA for SSH users by an HWTACACS server    47
        Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users    49
        Authentication and authorization for SSH users by a RADIUS server    51
        Authentication for SSH users by an LDAP server    54
    Troubleshooting RADIUS    59
        RADIUS authentication failure    59
        RADIUS packet delivery failure    59
        RADIUS accounting error    60
    Troubleshooting HWTACACS    60
    Troubleshooting LDAP    60
802.1X overview    62
    802.1X architecture    62
    Controlled/uncontrolled port and port authorization status    62
    802.1X-related protocols    63
        Packet formats    63
        EAP over RADIUS    64
    Initiating 802.1X authentication    65
        802.1X client as the initiator    65
        Access device as the initiator    65
    802.1X authentication procedures    66
        Comparing EAP relay and EAP termination    66
        EAP relay    67