i
Contents
Configuring AAA ························································································································································· 1
AAA overview ··································································································································································· 1
RADIUS ······································································································································································ 2
HWTACACS ····························································································································································· 7
Domain-based user management ··························································································································· 9
RADIUS server feature of the switch ···················································································································· 10
AAA for MPLS L3VPNs ········································································································································· 11
Protocols and standards ······································································································································· 12
RADIUS attributes ·················································································································································· 12
FIPS compliance ····························································································································································· 15
AAA configuration considerations and task list ·········································································································· 15
Configuring AAA schemes ············································································································································ 17
Configuring local users ········································································································································· 17
Configuring RADIUS schemes ······························································································································ 21
Configuring HWTACACS schemes ····················································································································· 34
Configuring AAA methods for ISP domains ················································································································ 41
Configuration prerequisites ·································································································································· 41
Creating an ISP domain ······································································································································· 41
Configuring ISP domain attributes ······················································································································· 42
Configuring AAA authentication methods for an ISP domain ·········································································· 43
Configuring AAA authorization methods for an ISP domain ··········································································· 45
Configuring AAA accounting methods for an ISP domain ··············································································· 46
Tearing down user connections ···································································································································· 48
Configuring a NAS ID-VLAN binding ·························································································································· 48
Specifying the device ID used in stateful failover mode ···························································································· 48
Configuring a switch as a RADIUS server ··················································································································· 49
RADIUS server functions configuration task list ·································································································· 49
Configuring a RADIUS user ·································································································································· 49
Specifying a RADIUS client ·································································································································· 50
Displaying and maintaining AAA ································································································································ 50
AAA configuration examples ········································································································································ 51
AAA for Telnet users by an HWTACACS server ······························································································· 51
AAA for Telnet users by separate servers ··········································································································· 52
Authentication/authorization for SSH/Telnet users by a RADIUS server ························································ 54
Level switching authentication for Telnet users by an HWTACACS server ····················································· 57
RADIUS authentication and authorization for Telnet users by a switch ··························································· 61
Troubleshooting AAA ···················································································································································· 63
Troubleshooting RADIUS ······································································································································· 63
Troubleshooting HWTACACS ······························································································································ 64
802.1X overview ······················································································································································· 65
802.1X architecture ······················································································································································· 65
Controlled/uncontrolled port and port authorization status ······················································································ 65
802.1X-related protocols ·············································································································································· 66
Packet formats ························································································································································ 67
EAP over RADIUS ·················································································································································· 68
Initiating 802.1X authentication ··································································································································· 68
802.1X client as the initiator································································································································ 68
Access device as the initiator ······························································································································· 69
To Next Page
Loading...
Need help?
General