Configuring the AAA Authentication Server
The two procedures for configuring AAA authentication consist of:
- Configuring connection parameters for the AAA authentication server
- Configuring whether the authentication servers or the local authentication database will be queried first
Note
To help protect the cryptographic information of the RADIUS server, this information is not displayed on the configuration page; you must view the running configuration to see it.
About the Authentication Order
The AAA policy specifies the failover functionality that you can optionally configure for the authentication server. You can use these two types of failover functionality separately or in combination:
- Authentication failover
- Unreachable failover
About Authentication Failover
The authentication failover feature enables you to optionally use a remote RADIUS server for user login authentication, in addition to the local database. The procedure in this section configures the order in which authentication is resolved. You can configure authentication to use:
- The local database only
- The remote server only
- The local database first, then the remote server
- The remote server first, then the local database
When using both local and remote authentication, you can also configure whether you want the user attributes that are retrieved from a remote RADIUS AAA server to be merged with the attributes found in the local user database for the same username.
Note
When using AAA authentication, a user configured only on the remote RADIUS server (and not in the local Cisco Unified SIP Proxy user database) will have low privilege levels and limited GUI access upon logging in to Cisco Unified SIP Proxy. To enable higher privilege levels for this user, configure a local user with the same username as that on the RADIUS server, and assign the appropriate authorization levels. For detailed information, see the Application Note on AAA based authentication.
The authentication failover feature has the following limitations:
- Authentication with a RADIUS server is available only when accessing the GUI or CLI interface and requires only a user ID and password.
- Login information is not synchronized between the local system and the remote server. Therefore:
  - Any security features, such as password expiration, must be configured separately for Cisco Unified SIP Proxy and the RADIUS server.
  - Cisco Unified SIP Proxy users are not prompted when security events, such as password expiration or account lockout, occur on the RADIUS server.
  - RADIUS server users are not prompted when security events, such as password expiration or account lockout, occur on Cisco Unified SIP Proxy.
About Unreachable Failover
The Unreachable Failover feature is used only with RADIUS servers. This feature enables you to configure up to two addresses that can be used to access RADIUS servers.
As Cisco Unified SIP Proxy attempts to authenticate a user with the RADIUS servers, the system sends messages to users to notify them when a RADIUS server either cannot be reached or fails to authenticate the user.
Example of Authentication Sequence
In this example, authentication is performed by the remote server first, then by the local database. Also, two addresses are configured for the remote RADIUS server.
This sequence of events could occur during authentication for this example:
- Cisco Unified SIP Proxy tries to contact the first remote RADIUS server.
- If the first RADIUS server does not respond or does not accept the authentication credentials of the user, Cisco Unified SIP Proxy tries to contact the second remote RADIUS server.
- If the second RADIUS server does not respond or does not accept the authentication credentials of the user, the user receives the appropriate error message and Cisco Unified SIP Proxy tries to contact the local database.
- If the local database does not accept the authentication credentials of the user, the user receives an error message.
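The sequence above, modelled as an added Python example (not Cisco code) that resolves a login in any of the four configurable orders, fails over across two RADIUS addresses when a server does not respond or rejects the credentials, and assigns the low privilege level to a user known only to RADIUS; the server stand-ins, the local database and the usernames are constructed for the example.

```python
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for a RADIUS server: returns True (accept), False (reject)
# or None (no response / unreachable) for a username and password.
RadiusServer = Callable[[str, str], Optional[bool]]

# Constructed local user database: username -> password and privilege level.
LOCAL_DB: Dict[str, Dict[str, str]] = {
    "admin": {"password": "Adm1n-pass", "privilege": "high"},
}


def authenticate(order: str, servers: List[RadiusServer],
                 local_db: Dict[str, Dict[str, str]],
                 user: str, password: str) -> Tuple[bool, Optional[str], List[str]]:
    # order is one of "local", "remote", "local-remote", "remote-local".
    # Returns (authenticated, privilege, events); privilege comes from the
    # local entry when one exists, otherwise the user gets the low level.
    events: List[str] = []
    for source in order.split("-"):
        if source == "remote":
            # Unreachable failover: a server that does not respond or rejects
            # the credentials hands off to the next configured address.
            for n, server in enumerate(servers, 1):
                result = server(user, password)
                if result is None:
                    events.append(f"RADIUS server {n} unreachable")
                elif result:
                    events.append(f"RADIUS server {n} accepted")
                    privilege = local_db.get(user, {}).get("privilege", "low")
                    return True, privilege, events
                else:
                    events.append(f"RADIUS server {n} rejected credentials")
        else:
            entry = local_db.get(user)
            # Constant-time comparison so a local lookup does not leak timing.
            if entry and hmac.compare_digest(entry["password"].encode(), password.encode()):
                events.append("local database accepted")
                return True, entry["privilege"], events
            events.append("local database rejected credentials")
    return False, None, events


# Constructed servers: the primary address is down, the secondary knows only "alice".
PRIMARY: RadiusServer = lambda u, p: None
SECONDARY: RadiusServer = lambda u, p: (u, p) == ("alice", "alice-pw")
```

Running `authenticate("remote-local", [PRIMARY, SECONDARY], LOCAL_DB, "admin", "Adm1n-pass")` walks the documented path: primary unreachable, secondary rejects, local database accepts with the high privilege level.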
Configuring Connection Parameters for the AAA Authentication Server
SUMMARY STEPS
- Choose Configure > AAA > Authentication.
- Enter the following information in the appropriate fields for the primary server, and optionally, for the secondary server:
- Click Apply.
- Click OK to save your changes.
DETAILED STEPS
Step 1: Choose Configure > AAA > Authentication. The system displays the AAA Authentication Server Configuration page.
Step 2: Enter the following information in the appropriate fields for the primary server, and optionally, for the secondary server:
Step 3: Click Apply.
Step 4: Click OK to save your changes.