The AAA policy specifies the failover functionality that you can optionally configure for the authentication server. You can use these two types of failover functionality separately or in combination:
The authentication failover feature lets you use a remote RADIUS server for user login authentication in addition to the local database. The procedure in this section configures the order in which authentication is resolved. You can configure authentication to use:
The local database only
The remote server only
The local database first, then the remote server
The remote server first, then the local database
When using both local and remote authentication, you can also configure whether the user attributes retrieved from a remote RADIUS AAA server are merged with the attributes found in the local user database for the same username.
When using AAA authentication, a user configured only on the remote RADIUS server (and not in the local Cisco Unified SIP Proxy user database) has low privilege levels and limited GUI access upon logging in to Cisco Unified SIP Proxy. To enable higher privilege levels for this user, configure a local user with the same username as on the RADIUS server, and assign the appropriate authorization levels. For detailed information, see the Application Note on AAA-based authentication.
The authentication failover feature has the following
Authentication with a RADIUS server is available only when accessing the GUI or CLI and requires only a user ID and password. Authentication for the TUI, VVE, AvT, and IMAP interfaces can use only the local database; therefore, to gain access, users of the TUI, VVE, AvT, and IMAP interfaces must be configured locally. The auto-attendant interface does not require authentication because it is user independent.
Login information is not synchronized between the local system
and the remote server. Therefore:
Any security features, such as password expiration, must be configured separately for Cisco Unified SIP Proxy and the RADIUS server.
Cisco Unified SIP Proxy users are not prompted when security events, such as password expiration or account lockout, occur on the RADIUS server.
RADIUS server users are not prompted when security events, such as password expiration or account lockout, occur on Cisco Unified SIP Proxy.
About Unreachable Failover
The Unreachable Failover feature is used only with RADIUS servers. This feature enables you to configure up to two addresses that can be used to access RADIUS servers.
As Cisco Unified SIP Proxy attempts to authenticate a user with the RADIUS servers, the system sends messages to users to notify them when a RADIUS server either cannot be reached or fails to authenticate the user.
Example of Authentication Sequence
In this example, authentication is performed by the remote server first, then by the local database. Also, two addresses are configured for the remote RADIUS server.
This sequence of events could occur during authentication for this example:
Cisco Unified SIP Proxy tries to contact the first remote RADIUS server.
If the first RADIUS server does not respond or does not accept the authentication credentials of the user, Cisco Unified SIP Proxy tries to contact the second remote RADIUS server.
If the second RADIUS server does not respond or does not accept the authentication credentials of the user, the user receives the appropriate error message and Cisco Unified SIP Proxy tries to contact the local database.
If the local database does not accept the authentication credentials of the user, the user receives an error message.
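The sequence above, worked through as an added example (not code from this page or from Cisco): a small Python model of the resolution order, the two-address Unreachable Failover and the optional attribute merge, returning the list of events the user would be notified about. The verdict names, the 10.0.0.x addresses, the user records and the merge rule (local attributes fill in what the RADIUS reply lacks, RADIUS values win on conflict) are all constructed assumptions.

```python
from dataclasses import dataclass
# Verdicts a RADIUS server can return; None stands for "server does not
# respond", the case the Unreachable Failover feature covers.
ACCEPT, REJECT, UNREACHABLE = "accept", "reject", None

@dataclass
class AaaPolicy:
    order: tuple            # ("local",), ("remote",), ("local", "remote") or ("remote", "local")
    radius_servers: tuple   # one or two addresses, as the page describes
    merge_attributes: bool = False

def authenticate(policy, username, password, radius, local):
    """Resolve one login in the configured order; returns (success, attrs, events).
    radius: {address: fn(user, pw) -> (verdict, attrs)}, a stand-in for the
            Access-Request/Access-Accept exchange (not a real RADIUS client).
    local:  {username: (password, attrs)}, a constructed local user database."""
    events = []
    for source in policy.order:
        if source == "remote":
            # Unreachable Failover: the second address is tried when the first
            # either does not respond or rejects the credentials.
            for addr in policy.radius_servers[:2]:
                verdict, remote_attrs = radius[addr](username, password)
                events.append(f"{addr}: {verdict or 'unreachable'}")
                if verdict == ACCEPT:
                    attrs = dict(remote_attrs)
                    if policy.merge_attributes and username in local:
                        # Assumed merge rule: local attributes fill in what the
                        # RADIUS reply lacks; RADIUS values win on conflict.
                        attrs = {**local[username][1], **attrs}
                    return True, attrs, events
        else:
            entry = local.get(username)
            ok = entry is not None and entry[0] == password
            events.append(f"local: {'accept' if ok else 'reject'}")
            if ok:
                return True, dict(entry[1]), events
    return False, {}, events
# Constructed scenario reproducing the page's sequence: server 1 is down,
# server 2 rejects, and the local database accepts the same credentials.
SERVERS = {
    "10.0.0.1": lambda u, p: (UNREACHABLE, {}),
    "10.0.0.2": lambda u, p: (REJECT, {}),
    "10.0.0.3": lambda u, p: (ACCEPT, {"Service-Type": "Login-User"}) if p == "s3cret" else (REJECT, {}),
}
LOCAL_DB = {"alice": ("s3cret", {"privilege": "superuser"})}
def run_page_example():
    policy = AaaPolicy(order=("remote", "local"), radius_servers=("10.0.0.1", "10.0.0.2"))
    return authenticate(policy, "alice", "s3cret", SERVERS, LOCAL_DB)
```

The events list is also the detection signal: a login that shows both RADIUS addresses as unreachable and then a local accept is exactly the path an attacker with only a local account would take during a RADIUS outage, so it is worth logging distinctly from a normal remote accept.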
Connection Parameters for the AAA Authentication Server
Choose Configure > AAA > Authentication.
The system displays the AAA Authentication Server Configuration window.
Enter the following information in the appropriate fields for
the primary server, and optionally, for the secondary server:
Server IP address or DNS name
Port number used
Cryptographic shared secret and security credentials
Number of login retries
Length of login timeout
Click OK to save your changes.
Policy that Controls the Behavior of Authentication and Authorization
Use this procedure to configure the information used to log into
the authentication server.
Choose Configure > AAA > Authorization.
The system displays the Configure AAA Authorization Server Configuration window.
Select or deselect whether you want to merge the attributes of
the remote AAA server with the attributes in the local database.
Click OK to save your changes.
Configure AAA Accounting Server
You can configure up to two AAA accounting servers. Automatic failover functionality is provided if you have two accounting servers configured. If the first server is unreachable, the accounting information is sent to the second server. If both accounting servers are unreachable, accounting records are cached until a server becomes available. If a server cannot be reached before the cache is full, the oldest accounting packets are dropped to make room for the new packets.
Because the configuration of the AAA accounting server is completely independent of the AAA authentication server, you can configure the AAA accounting server to be on the same or different machine from the AAA authentication server.
If you use a syslog server, it is not affected by the AAA configuration and continues to use the existing user interfaces. When the RADIUS server sends AAA accounting information to a syslog server, it is normalized into a single string before being recorded. If no syslog server is defined, the AAA accounting logs are recorded by the syslog server running locally on Cisco Unity Express.
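The two-server accounting failover and the bounded, drop-oldest cache described above, as an added example (not Cisco's code): a Python model whose `dropped` counter shows how many records an outage removed from the audit trail. The server names, the cache size of three, and the record strings are constructed; the reachability sets stand in for whether an accounting request gets a response.

```python
from collections import deque

class AccountingClient:
    """Constructed model of the accounting behaviour the page describes: two
    servers with failover, a bounded cache while both are down, and
    drop-oldest when the cache is full. The cache size is an assumption."""

    def __init__(self, servers, cache_size):
        self.servers = list(servers)[:2]   # primary, secondary
        self.cache = deque()               # oldest record on the left
        self.cache_size = cache_size
        self.dropped = 0                   # records lost for good (audit gap)

    def record(self, rec, reachable, delivered):
        """Queue one accounting record and attempt delivery.
        reachable: set of server names currently up; delivered: list that plays
        the server side and receives (server, record) pairs in send order."""
        self.cache.append(rec)
        if len(self.cache) > self.cache_size:
            self.cache.popleft()           # oldest packet dropped to make room
            self.dropped += 1
        return self.flush(reachable, delivered)

    def flush(self, reachable, delivered):
        """Send everything cached to the first reachable server, oldest first."""
        target = next((s for s in self.servers if s in reachable), None)
        if target is None:
            return 0                       # both unreachable: keep caching
        sent = 0
        while self.cache:
            delivered.append((target, self.cache.popleft()))
            sent += 1
        return sent

def run_outage_scenario():
    """Primary down at login, then both down for five records, then recovery."""
    client = AccountingClient(["acct-1", "acct-2"], cache_size=3)
    delivered = []
    client.record("login alice", {"acct-2"}, delivered)   # failover to secondary
    for i in range(5):                                    # outage: 5 records, cache of 3
        client.record(f"cmd {i}", set(), delivered)
    client.flush({"acct-1", "acct-2"}, delivered)         # recovery drains the cache
    return delivered, client.dropped
```

Each dropped packet is an accounting event nobody will ever see, so the `dropped` count is the value a defender would want surfaced when the servers come back rather than silently absorbed.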