Contents
Configuring AAA
  Overview
    RADIUS
    HWTACACS
    LDAP
    AAA for MPLS L3VPNs
    Protocols and standards
    RADIUS attributes
  FIPS compliance
  Configuring AAA schemes
    Configuring local users
    Configuring RADIUS schemes
    Configuring LDAP schemes
    Configuration prerequisites
    Creating an ISP domain
  Configuring a NAS-ID profile
  Displaying and maintaining AAA
  AAA configuration examples
  Troubleshooting RADIUS
    RADIUS authentication failure
    RADIUS accounting error
  Troubleshooting HWTACACS
  Troubleshooting LDAP
802.1X overview
  802.1X architecture
  802.1X-related protocols
    Packet formats
    EAP over RADIUS
    802.1X client as the initiator
    EAP relay
    EAP termination
Configuring 802.1X
  Access control methods
  802.1X VLAN manipulation