Contents
Configuring AAA
Overview
RADIUS
HWTACACS
LDAP
AAA for MPLS L3VPNs
Protocols and standards
RADIUS attributes
FIPS compliance
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring LDAP schemes
Configuration prerequisites
Creating an ISP domain
Displaying and maintaining AAA
AAA configuration examples
Troubleshooting RADIUS
RADIUS authentication failure
RADIUS packet delivery failure
RADIUS accounting error
Troubleshooting HWTACACS
Troubleshooting LDAP
802.1X overview
802.1X architecture
802.1X-related protocols
Packet formats
EAP over RADIUS
802.1X authentication initiation
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures