Table Of Contents - HP VSR1000 Security Configuration Manual

Virtual services router
Table of Contents

Contents
Configuring AAA
  Overview
    RADIUS
    HWTACACS
    LDAP
    AAA implementation on the device
    AAA for MPLS L3VPNs
    Protocols and standards
    RADIUS attributes
  FIPS compliance
  AAA configuration considerations and task list
  Configuring AAA schemes
    Configuring local users
    Configuring RADIUS schemes
    Configuring HWTACACS schemes
    Configuring LDAP schemes
  Configuring AAA methods for ISP domains
    Configuration prerequisites
    Creating an ISP domain
    Configuring ISP domain attributes
    Configuring authentication methods for an ISP domain
    Configuring authorization methods for an ISP domain
    Configuring accounting methods for an ISP domain
  Enabling the session-control feature
  Configuring the RADIUS DAE server function
  Changing the DSCP priority for RADIUS packets
  Setting the maximum number of concurrent login users
  Displaying and maintaining AAA
  AAA configuration examples
    Authentication and authorization for SSH users by a RADIUS server
    Local authentication and authorization for SSH users
    AAA for SSH users by an HWTACACS server
    Authentication for SSH users by an LDAP server
  Troubleshooting RADIUS
    RADIUS authentication failure
    RADIUS packet delivery failure
    RADIUS accounting error
  Troubleshooting HWTACACS
  Troubleshooting LDAP
Configuring portal authentication
  Overview
    Extended portal functions
    Portal system components
    Interaction between portal system components
    Portal authentication modes
    Portal authentication process
  Portal configuration task list
  Configuration prerequisites