AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing the following services:

• Authentication—Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.

  Authentication is the way a user is identified prior to being allowed access to the network and network services. You configure AAA authentication by defining a named list of authentication methods, and then applying that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they will be performed. The method list must be applied to a specific interface before any of the defined authentication methods will be performed. The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.

• Authorization—Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.

  AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally on the access server or router or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user. All authorization methods must be defined through AAA.

  As with authentication, you configure AAA authorization by defining a named list of authorization methods, and then applying that list to various interfaces.

• Accounting—Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

  Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your device acts as a network access server, AAA is the means through which you establish communication between your network access server and your security server.

1. To enable 802.1x authentication and authorization, set the Dot1x System Auth Control field to Enabled.
2. To apply an authentication method list, choose Method List from the Local Authentication drop-down list, and then choose a method list from the Authentication Method List drop-down list. If you choose Default, the default authentication method is used.
3. To apply an authorization method list, choose Method List from the Local Authorization drop-down list, and then choose a method list from the Authorization Method List drop-down list. If you choose Default, the default authorization method is used.
4. To enable Radius Server Load Balance, set the field to Enabled
5. Click Show Advanced Settings >>> to configure RADIUS attributes.
6. In the Accounting section, choose an appropriate call station ID, call station ID case, MAC-Delimiter, user name case, and user name delimiter.
7. In the Authentication section, choose an appropriate call station ID, call station ID case, and MAC-Delimiter.
8. Click Apply to Device.

1. In the Authentication section, click Add.
2. In the Quick Setup: AAA Authentication window that is displayed, enter a name for your method list.
3. Choose the type of authentication you want to perform before allowing access to the network, in the Type drop-down list.
4. Choose if you want to assign a group of servers as your access server, or if you want to use a local server to authenticate access, from the Group Type drop-down list.
5. To configure a local server to act as a fallback method when servers in the group are unavailable, check the Fallback to local check box.
6. Choose the server groups you want to use to authenticate access to your network, from the Available Server Groups list and click > icon to move them to the Assigned Server Groups list.
7. Click Save & Apply to Device.

1. In the Authorization section, click Add.
2. In the Quick Setup: AAA Authorization window that is displayed, enter a name for your method list.
3. Choose the type of authorization you want to perform before allowing access to the network, in the Type drop-down list. Valid values are:
   • Network - enables authorization for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARAP)
   • Exec - enables authorization to determine if a user is allowed to run an EXEC shell.
   • Credential-download - enables authorization based on credentials.
4. Choose if you want to assign a group of servers as your access server, or if you want to use a local server to authorize access from the Group Type drop-down list.
5. To configure a local server to act as a fallback method when servers in the group are unavailable, check the Fallback to local check box.
6. Choose the server groups you want to use to authorize access to your network from the Available Server Groups list and click > icon to move them to the Assigned Server Groups list.
7. Click Save & Apply to Device.

1. In the Accounting section, click Add.
2. In the Quick Setup: AAA Accounting window that is displayed, enter a name for your method list.
3. Choose the type of accounting you want to perform before allowing access to the network in the Type drop-down list. Valid values are:
   • Exec - provides accounting records for user EXEC terminal sessions on the network access server, including username, date, start and stop times.
   • Identity
   • Network - enables authorization for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARAP)
   • Commands - provides accounting information about specific, individual EXEC commands associated with a specific privilege level.
4. Choose if you want to assign a group of servers as your access server, or if you want to use a local server to authorize access, from the Type drop-down list.
5. Choose the server groups you want to use to track access to your network, from the Available Server Groups list and click > icon to move them to the Assigned Server Groups list.
6. Click Save & Apply to Device.

1. In the RADIUS section, click Add.
2. In the Create AAA RADIUS Server window that is displayed, enter a name for the server and, and enter the IP address in the IPv4 / IPv6 Server Address field.
3. In the Shared Secret field, enter the shared secret key to be used for authentication between the server and your device. Confirm the shared secret.
4. In the Auth Port and Acct Port fields, enter the RADIUS server’s UDP port numbers. The valid range is 1 to 65535, and the default value is 1812 for authentication and 1813 for accounting.
5. In the Server Timeout field, enter the number of seconds between retransmissions. The valid range is between 1 and 1000 seconds.
6. In the Retry Count field, enter the number of times the device can retry transmission. The valid range is between 0 and 100.
7. If you are configuring a new RADIUS authentication server, choose Enabled from the Support for CoA drop-down list to enable RFC 3576, which is an extension to the RADIUS protocol that allows dynamic changes to a user session, or choose Disabled to disable this feature. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports disconnect and change-of-authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately where CoA messages modify session authorization attributes such as data filters.

8. Check the Set New PAC Key check box to enable PAC options and provide key type and password.

9. Click Save & Apply to Device.

1. In the TACACS+ section, click Add.
2. Enter a name for the server and, and enter the IP address in the IPv4 / IPv6 Server Address field.
3. In the Shared Secret field, enter the shared secret key to be used for authentication between the server and your device. Confirm the shared secret.
4. In the Port field, enter the TACACS+ server’s UDP port number. The valid range is 1 to 65535, and the default value is 49.
5. In the Server Timeout field, enter the number of seconds between retransmissions. The valid range is between 1 and 1000 seconds.
6. Click Save & Apply to Device.

1. In the LDAP section, click Add.
2. Enter a name for the server and enter the IP address in the IPv4 / IPv6 Server Address field.
3. In the Port Number field, enter the LDAP server’s UDP port number. The valid range is 1 to 65535, and the default value is 389.
4. From the Simple Bind drop-down list, choose Anonymous or Authenticated to specify the local authentication bind method for the LDAP server. The Anonymous method allows anonymous access to the LDAP server. The Authenticated method requires that a username and password be entered to secure access. The default value is Anonymous.
5. If you chose Authenticated in the previous step, follow these steps:
   1. In the Bind User name field, enter a username to be used for local authentication to the LDAP server. The username can contain up to 80 characters. If the username starts with “cn=” (in lowercase letters), the controller assumes that the username includes the entire LDAP database path and does not append the user base DN. This designation allows the authenticated bind user to be outside the user base DN.
   2. In the Bind Password field, enter a password. Confirm the bind password.
6. In the User Base DN field, enter the distinguished name (DN) of the subtree in the LDAP server that contains a list of all the users. For example, ou=organizational unit, .ou=next organizational unit, and o=corporation.com. If the tree containing users is the base DN, type. o=corporation.com, or dc=corporation, dc=com.
7. In the User Attribute field, enter the name of the attribute in the user record that contains the username. You can obtain this attribute from your directory server.
8. In the User Object Type field, enter the value of the LDAP objectType attribute that identifies the record as a user. Often, user records have several values for the objectType attribute, some of which are unique to the user and some of which are shared with other object types.
9. In the Server Timeout field, enter the number of seconds between retransmissions. The valid range is between 1 and 1000 seconds.
10. If you enable Secure Mode, select a Trustpoint Name to configure a CA trustpoint on your device.
11. Click Save & Apply to Device.

1. In the RADIUS section, click Add.
2. In the Create AAA RADIUS Server Group window that is displayed, enter a name for the RADIUS server group.
3. From the MAC-Delimiter drop-down list, choose the delimiter to be used in the MAC addresses that are sent to the RADIUS servers.
4. From the MAC Filtering drop-down list, choose a value based on which to filter MAC addresses.
5. To configure dead time for the server group and direct AAA traffic to alternative groups of servers that have different operational characteristics, in the Dead-Time field, enter the amount of time, in minutes, after which a server is assumed to be dead.
6. Choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list.
7. Click Save & Apply to Device.

1. In the TACACS+ section, click Add.
2. In the Create AAA TACACS Server Group window that is displayed, enter a name for the TACACS+ server group.
3. Choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list.
4. Click Save & Apply to Device.

1. In the LDAP section, click Add.
2. In the Create AAA LDAP Server Group window that is displayed, enter a name for the LDAP server group.
3. Choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list.
4. Click Save & Apply to Device.

1. In the RADIUS Fallback section, enter the time after which the server should attempt retransmission, in the Retransmit Count field.
2. In the Timeout Interval field, enter the number of seconds between retransmissions. The valid range is between 1 and 1000 seconds.
3. In the Dead Time field, enter the amount of time, in minutes, after which a server is assumed to be dead.
4. Click Apply to Device.

1. In the Attribute List Name section, click Add.
2. In the Add Attribute List window that is displayed, enter a name for the attribute list and click Add.
3. Specify the Attribute Type and Attribute Value, and click Save.
4. Click Save & Apply to Device.

MAC Address

1. In the MAC Address section, click Add.
2. Enter the MAC address you want to use.
3. From the Attribute List Name drop-down list, choose an attribute name.
4. Click Save & Apply to Device.

Serial Number

1. In the Serial Number section, click Add.
2. Enter the serial number you want to use.
3. From the Attribute List Name drop-down list, choose an attribute name.
4. Click Save & Apply to Device.

Note: Click Select File to select a CSV file and then click Open. Once done, click Upload File.

1. In the AP Policy section, enable the Authorize APs against MAC and Authorize APs against Serial Number options using the sliders.

2. From the Authorization Method List drop-down, choose an authorization method.

3. Click Apply to Device

1. In the Password Policy section, click Add.

2. Enter the policy name, minimum length, maximum length, upper count, lower count, numeric count, special count, and character changes.

3. From the Validity drop-down list, choose the type as either Never Expires or User Defined. If you choose the User Defined option, enter the year, month, day, hour, minutes, and seconds.

4. Click Save & Apply to Device