Configure the AAA Authentication Server
The two procedures for configuring AAA authentication consist of:
- Configure connection parameters for the AAA authentication server
- Configure whether the authentication servers or local authentication database will be queried first
Note: To help protect the RADIUS server's cryptographic information, you must view the running configuration to see this information.
About the Authentication Order
The AAA policy specifies the failover functionality that you can optionally configure for the authentication server. You can use these two types of failover functionality separately or in combination:
- Authentication failover
- Unreachable failover
About Authentication Failover
The authentication failover feature enables you to optionally use a remote RADIUS server for user login authentication, in addition to the local database. The procedure in this section configures the order in which authentication is resolved. You can configure authentication to use:
- The local database only
- The remote server only
- The local database first, then the remote server
- The remote server first, then the local database
When using both local and remote authentication, you can also configure whether you want the user attributes that are retrieved from a remote RADIUS AAA server to be merged with the attributes found in the local user database for the same username.
The authentication failover feature has the following limitations:
- Authentication with a RADIUS server is available only when accessing the GUI or CLI interface and requires only a user ID and password. Authentication for the TUI, VVE, AvT, and IMAP interfaces can use only the local database. Therefore, to gain access, users of the TUI, VVE, AvT, and IMAP interfaces must be configured locally. The auto-attendant interface does not require authentication because it is user independent.
- Login information is not synchronized between the local system and the remote server. Therefore:
  - Any security features, such as password expiration, must be configured separately for Cisco Unity Express and the RADIUS server.
  - Cisco Unity Express users are not prompted when security events, such as password expiration or account lockout, occur on the RADIUS server.
  - RADIUS server users are not prompted when security events, such as password expiration or account lockout, occur on Cisco Unity Express.
Unreachable Failover
The Unreachable Failover feature is used only with RADIUS servers. This feature enables you to configure up to two addresses that can be used to access RADIUS servers.
As Cisco Unity Express attempts to authenticate a user with the RADIUS servers, the system sends messages to users to notify them when a RADIUS server either cannot be reached or fails to authenticate the user.
Example of Authentication Sequence
In this example, authentication is performed by the remote server first, then by the local database. Also, two addresses are configured for the remote RADIUS server.
This sequence of events could occur during authentication for this example:
- Cisco Unity Express tries to contact the first remote RADIUS server.
- If the first RADIUS server does not respond or does not accept the authentication credentials of the user, Cisco Unity Express tries to contact the second remote RADIUS server.
- If the second RADIUS server does not respond or does not accept the authentication credentials of the user, the user receives the appropriate error message and Cisco Unity Express tries to contact the local database.
- If the local database does not accept the authentication credentials of the user, the user receives an error message.
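The sequence above, worked through as an added example (illustrative Python, not Cisco Unity Express code): the two RADIUS stand-ins, the local user table and the `authenticate` function are all constructed for this demonstration, and a real system would send RADIUS requests to the configured host and port instead of calling functions. It also covers the other three orders from the previous section (local only, remote only, local first).

```python
from enum import Enum
from typing import Callable, List, Optional, Tuple

class Result(Enum):
    ACCEPT = "accept"            # credentials accepted
    REJECT = "reject"            # server reached, credentials refused
    UNREACHABLE = "unreachable"  # server did not respond

# Constructed stand-ins for the two RADIUS addresses (hypothetical; a real
# deployment would send Access-Request packets to the configured host/port).
def radius_primary(user: str, password: str) -> Result:
    return Result.UNREACHABLE                      # simulate a server that is down

def radius_secondary(user: str, password: str) -> Result:
    return Result.ACCEPT if (user, password) == ("alice", "s3cret") else Result.REJECT

LOCAL_DB = {"bob": "localpw"}                      # constructed local user database

def local_db(user: str, password: str) -> Result:
    return Result.ACCEPT if LOCAL_DB.get(user) == password else Result.REJECT

def authenticate(order: str, radius: List[Callable[[str, str], Result]],
                 user: str, password: str) -> Tuple[bool, Optional[str], List[str]]:
    """Resolve a login in the configured order ('local', 'remote',
    'local-remote' or 'remote-local'). Returns (accepted, source, messages),
    where messages are the per-server notices the user would be shown."""
    messages: List[str] = []

    def try_remote() -> Optional[str]:
        for idx, server in enumerate(radius[:2], start=1):   # at most two addresses
            res = server(user, password)
            if res is Result.ACCEPT:
                return f"radius{idx}"
            # No response and refusal both fall through to the next source.
            messages.append(f"RADIUS server {idx}: {res.value}")
        return None

    def try_local() -> Optional[str]:
        if local_db(user, password) is Result.ACCEPT:
            return "local"
        messages.append("local database: reject")
        return None

    sequence = {"local": [try_local], "remote": [try_remote],
                "local-remote": [try_local, try_remote],
                "remote-local": [try_remote, try_local]}[order]
    for step in sequence:
        source = step()
        if source is not None:
            return True, source, messages
    return False, None, messages
```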
Configure Connection Parameters for the AAA Authentication Server
Procedure
Step 1: Choose Configure > AAA > Authentication. The system displays the AAA Authentication Server Configuration window (the Configure AAA Authentication page).
Step 2: Enter the following information in the appropriate fields for the primary server, and optionally, for the secondary server:
- Hostname
- Port
- Password
Step 3: Click Apply.
Step 4: Click OK to save your changes.