Table Of Contents - HP FlexNetwork 10500 Series Security Configuration Manual

Contents
Configuring AAA ... 1
  Overview ... 1
    RADIUS ... 2
    HWTACACS ... 7
    LDAP ... 9
    AAA implementation on the device ... 11
    AAA for MPLS L3VPNs ... 13
    Protocols and standards ... 13
    RADIUS attributes ... 14
  FIPS compliance ... 17
  AAA configuration considerations and task list ... 17
  Configuring AAA schemes ... 18
    Configuring local users ... 18
    Configuring RADIUS schemes ... 23
    Configuring HWTACACS schemes ... 33
    Configuring LDAP schemes ... 39
  Configuring AAA methods for ISP domains ... 42
    Configuration prerequisites ... 42
    Creating an ISP domain ... 43
    Configuring ISP domain attributes ... 43
    Configuring authentication methods for an ISP domain ... 44
    Configuring authorization methods for an ISP domain ... 45
    Configuring accounting methods for an ISP domain ... 46
  Enabling the session-control feature ... 47
  Configuring the RADIUS DAE server feature ... 48
  Setting the maximum number of concurrent login users ... 48
  Configuring a NAS-ID profile ... 49
  Displaying and maintaining AAA ... 49
  AAA configuration examples ... 49
    AAA for SSH users by an HWTACACS server ... 49
    Authentication and authorization for SSH users by a RADIUS server ... 53
    Authentication for SSH users by an LDAP server ... 56
    AAA for 802.1X users by a RADIUS server ... 61
  Troubleshooting RADIUS ... 65
    RADIUS authentication failure ... 65
    RADIUS packet delivery failure ... 66
    RADIUS accounting error ... 66
  Troubleshooting HWTACACS ... 66
  Troubleshooting LDAP ... 67
802.1X overview ... 68
  802.1X architecture ... 68
  Controlled/uncontrolled port and port authorization status ... 68
  802.1X-related protocols ... 69
    Packet formats ... 69
    EAP over RADIUS ... 70
  802.1X authentication initiation ... 71
    802.1X client as the initiator ... 71
    Access device as the initiator ... 71
  802.1X authentication procedures ... 72
    Comparing EAP relay and EAP termination ... 72
    EAP relay ... 73
    EAP termination ... 74
Configuring 802.1X ... 76
  Access control methods ... 76