i
Contents
Configuring AAA ························································································································································· 1
Overview············································································································································································1
RADIUS ······································································································································································2
HWTACACS ·····························································································································································7
LDAP ··········································································································································································9
AAA implementation on the device····················································································································· 11
AAA for MPLS L3VPNs ········································································································································· 13
Protocols and standards ······································································································································· 13
RADIUS attributes ·················································································································································· 14
FIPS compliance ····························································································································································· 17
AAA configuration considerations and task list ·········································································································· 17
Configuring AAA schemes ············································································································································ 18
Configuring local users ········································································································································· 18
Configuring RADIUS schemes ······························································································································ 22
Configuring HWTACACS schemes ····················································································································· 30
Configuring LDAP schemes ·································································································································· 37
Configuring AAA methods for ISP domains ················································································································ 40
Configuration prerequisites ·································································································································· 40
Creating an ISP domain ······································································································································· 40
Configuring ISP domain status ····························································································································· 41
Configuring authentication methods for an ISP domain ··················································································· 41
Configuring authorization methods for an ISP domain ····················································································· 42
Configuring accounting methods for an ISP domain························································································· 43
Enabling the session-control feature ····························································································································· 44
Displaying and maintaining AAA ································································································································ 44
AAA configuration examples········································································································································ 45
AAA for SSH users by an HWTACACS server ·································································································· 45
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ·························· 46
Authentication and authorization for SSH users by a RADIUS server ····························································· 48
Authentication for SSH users by an LDAP server ······························································································· 51
Troubleshooting RADIUS ··············································································································································· 56
RADIUS authentication failure ······························································································································ 56
RADIUS packet delivery failure ···························································································································· 56
RADIUS accounting error ····································································································································· 57
Troubleshooting HWTACACS ······································································································································ 57
Troubleshooting LDAP ···················································································································································· 57
802.1X overview ······················································································································································· 59
802.1X architecture ······················································································································································· 59
Controlled/uncontrolled port and port authorization status ······················································································ 59
802.1X-related protocols ·············································································································································· 60
Packet formats
························································································································································ 61
EAP over RADIUS ·················································································································································· 62
Initiating 802.1X authentication ··································································································································· 62
802.1X client as the initiator································································································································ 62
Access device as the initiator ······························································································································· 63
802.1X authentication procedures ······························································································································ 63
A comparison of EAP relay and EAP termination ······························································································ 64
EAP relay ································································································································································ 64