Contents

Configuring AAA ... 1
    Overview ... 1
        RADIUS ... 2
        HWTACACS ... 7
        LDAP ... 9
        AAA implementation on the device ... 11
        AAA for MPLS L3VPNs ... 13
        Protocols and standards ... 13
        RADIUS attributes ... 14
    FIPS compliance ... 17
    AAA configuration considerations and task list ... 17
    Configuring AAA schemes ... 18
        Configuring local users ... 18
        Configuring RADIUS schemes ... 22
        Configuring HWTACACS schemes ... 30
        Configuring LDAP schemes ... 36
    Configuring AAA methods for ISP domains ... 39
        Configuration prerequisites ... 40
        Creating an ISP domain ... 40
        Configuring ISP domain status ... 40
        Configuring authentication methods for an ISP domain ... 41
        Configuring authorization methods for an ISP domain ... 42
        Configuring accounting methods for an ISP domain ... 43
    Enabling the session-control feature ... 44
    Displaying and maintaining AAA ... 44
    AAA configuration examples ... 44
        AAA for SSH users by an HWTACACS server ... 44
        Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ... 46
        Authentication and authorization for SSH users by a RADIUS server ... 47
        Authentication for SSH users by an LDAP server ... 51
    Troubleshooting RADIUS ... 56
        RADIUS authentication failure ... 56
        RADIUS packet delivery failure ... 56
        RADIUS accounting error ... 57
    Troubleshooting HWTACACS ... 57
    Troubleshooting LDAP ... 57
802.1X overview ... 59
    802.1X architecture ... 59
    Controlled/uncontrolled port and port authorization status ... 59
    802.1X-related protocols ... 60
        Packet formats ... 61
        EAP over RADIUS ... 62
    Initiating 802.1X authentication ... 62
        802.1X client as the initiator ... 62
        Access device as the initiator ... 63
    802.1X authentication procedures ... 63
        Comparing EAP relay and EAP termination ... 64
        EAP relay ... 64