AAA configuration ··························································································································································· 1

AAA overview ··································································································································································· 1

RADIUS ······································································································································································ 2

HWTACACS ····························································································································································· 7

Domain-based user management ··························································································································· 9

RADIUS server feature of the device ··················································································································· 10

Protocols and standards ······································································································································· 11

RADIUS attributes ·················································································································································· 11

AAA configuration considerations and task list ·········································································································· 14

Configuring AAA schemes ············································································································································ 16

Configuring local users ········································································································································· 16

Configuring RADIUS schemes ······························································································································ 20

Configuring HWTACACS schemes ····················································································································· 30

Configuring AAA methods for ISP domains ················································································································ 36

Configuration prerequisites ·································································································································· 36

Creating an ISP domain ······································································································································· 36

Configuring ISP domain attributes ······················································································································· 36

Configuring AAA authentication methods for an ISP domain ·········································································· 37

Configuring AAA authorization methods for an ISP domain ··········································································· 39

Configuring AAA accounting methods for an ISP domain ··············································································· 40

Tearing down user connections forcibly ······················································································································ 42

Configuring a network device as a RADIUS server ··································································································· 42

RADIUS server functions configuration task list ·································································································· 42

Configuring a RADIUS user ·································································································································· 42

Specifying a RADIUS client ·································································································································· 43

Displaying and maintaining AAA ································································································································ 44

AAA configuration examples ········································································································································ 44

AAA for Telnet users by an HWTACACS server ······························································································· 44

AAA for Telnet users by separate servers ··········································································································· 45

Authentication/Authorization for SSH/Telnet users by a RADIUS server ······················································· 47

AAA for 802.1X users by a RADIUS server ······································································································· 50

Level switching authentication for Telnet users by an HWTACACS server ····················································· 56

RADIUS authentication and authorization for Telnet users by a network device ··········································· 59

Troubleshooting AAA ···················································································································································· 61

Troubleshooting RADIUS ······································································································································ 61

Troubleshooting HWTACACS······························································································································ 62

802.1X fundamentals ···················································································································································· 63

802.1X architecture ······················································································································································· 63

Controlled/uncontrolled port and pot authorization status ······················································································· 63

802.1X-related protocols ·············································································································································· 64

Packet format ························································································································································· 64

EAP over RADIUS ·················································································································································· 66

Initiating 802.1X authentication ··································································································································· 66

802.1X client as the initiator ······························································································································· 66

Access device as the initiator ······························································································································· 66

802.1X authentication procedures ······························································································································ 67

A comparison of EAP relay and EAP termination ······························································································ 67

EAP relay ································································································································································ 68

EAP termination ····················································································································································· 69

iii