Configuring AAA

Before configuring AAA, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and efficiently.

Usage Scenario

Local authentication and authorization

If user authentication or authorization is required when no RADIUS or HWTACACS server is deployed on the network, user authentication or authorization can be implemented in local authentication or authorization mode. Local authentication and authorization feature fast processing and low operation cost, whereas the amount of information that can be stored is limited by the hardware capacity of the device.

Local authentication and authorization are often used for administrators. Local authentication is a backup of RADIUS authentication and HWTACACS authentication; local authorization is a backup of HWTACACS authorization.
HWTACACS authentication, authorization, and accounting: The authentication, authorization, and accounting in HWTACACS mode can prevent unauthorized users from attacking the network. In addition, the HWTACACS mode supports the authorization of command lines. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is more suitable for security control.
RADIUS authentication and accounting: The authentication and accounting in RADIUS mode can prevent unauthorized users from attacking the network. The RADIUS mode is often used in network environments requiring high security and remote access control.

Pre-configuration Tasks

Before configuring AAA, complete the following tasks:

Power on the router or switch and ensuring that the self-test is successful.
Ensure that the device is accessible.

Configuration Procedures

Figure 1 AAA configuration flowchart

Configuring AAA Schemes: Configuring AAA schemes involves the configurations of the authentication scheme, authorization scheme, and accounting scheme.

(Optional) Configuring Local Users: When the authentication and authorization are implemented in local mode, the authentication and authorization information (such as the user name, password, level, maximum number of user accesses, and maximum number of continuous authentication failures).

(Optional) Configuring the HWTACACS Server Template: In an HWTACACS server template, you must specify the IP address, port number, and shared key of a specified HWTACACS server. Default configurations are available for the configurations such as configuring whether the user name of the HWTACACS server contains the domain name and configuring the time for the primary server to return to the active state. The user can change the default configurations according to the actual requirements.

(Optional) Configuring the RADIUS Server Group

Configuring AAA Schemes for the Domain: Associate the remote authentication, authorization, and accounting schemes of the domain user with the server template by configuring a domain. Then, corresponding authentication, authorization, and accounting will be implemented for the users accessing the domain.

Verifying the AAA Configuration: After configuring AAA, check the configurations.