Contents
Configuring AAA
Overview
RADIUS
HWTACACS
LDAP
Protocols and standards
RADIUS attributes
FIPS compliance
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring LDAP schemes
Configuration prerequisites
Creating an ISP domain
Configuring a NAS-ID profile
Displaying and maintaining AAA
AAA configuration examples
Troubleshooting RADIUS
RADIUS authentication failure
RADIUS packet delivery failure
RADIUS accounting error
Troubleshooting HWTACACS
Troubleshooting LDAP
802.1X overview
802.1X architecture
802.1X-related protocols
Packet formats
EAP over RADIUS
802.1X authentication initiation
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures