Table Of Contents - HP 5920 Series Configuration Manual


Contents
Configuring AAA
  Overview
    RADIUS
    HWTACACS
    LDAP
    AAA implementation on the device
    AAA for MPLS L3VPNs
    Protocols and standards
    RADIUS attributes
  FIPS compliance
  AAA configuration considerations and task list
  Configuring AAA schemes
    Configuring local users
    Configuring RADIUS schemes
    Configuring HWTACACS schemes
    Configuring LDAP schemes
  Configuring AAA methods for ISP domains
    Configuration prerequisites
    Creating an ISP domain
    Configuring ISP domain attributes
    Configuring authentication methods for an ISP domain
    Configuring authorization methods for an ISP domain
    Configuring accounting methods for an ISP domain
  Enabling the session-control feature
  Setting the maximum number of concurrent login users
  Displaying and maintaining AAA
  AAA configuration examples
    AAA for SSH users by an HWTACACS server
    Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
    Authentication and authorization for SSH users by a RADIUS server
    Authentication for SSH users by an LDAP server
  Troubleshooting RADIUS
    RADIUS authentication failure
    RADIUS packet delivery failure
    RADIUS accounting error
  Troubleshooting HWTACACS
  Troubleshooting LDAP
802.1X overview
  802.1X architecture
  Controlled/uncontrolled port and port authorization status
  802.1X-related protocols
    Packet formats
    EAP over RADIUS
  802.1X authentication initiation
    802.1X client as the initiator
    Access device as the initiator
  802.1X authentication procedures
    Comparing EAP relay and EAP termination

This manual is also suitable for:

5900 series
