Configure AAA
Information About AAA
You can now forward Cisco Spaces: Connector authentications to a remote Authentication, Authorization, and Accounting (AAA) server (and bypass local authentication). You can use the command line to configure AAA. AAA-authenticated users can access the Connector Web UI with the same access rights as the dnasadmin user. Once you activate AAA on the Connector, you can no longer use the dnasadmin user to log in to the Connector.
Note |
You can use the dnasadmin user to access the Web UI in the following scenarios:
|
Note |
With CSCvt29826, AAA with IPSec is not compatible with a certificate of key type Elliptic Curve Digital Signature Algorithm (ECDSA) that is generated on a Connector with the connectorctl generatecert command. |
The communication between Connector and the AAA server is through Remote Authentication Dial-In User Service (RADIUS).
You can choose to encrypt the UDP traffic using the IPSec Protocol. The supported IPSec authentication types are pubkey and PSK.
For the pubkey authentication type, provide the CA certificate file of the AAA server (PEM format).
For the PSK authentication type, choose to autogenerate the PSK or provide the PSK configured on the AAA server.
Configure AAA
Before you begin
- To enable IP Security using the pubkey authentication type, copy the CA certificate of the AAA server to the directory /home/dnasadmin and rename the certificate to radiusca.pem.
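A pre-flight check for the pubkey option, as an added example (not Cisco tooling and not part of the original page): it confirms that radiusca.pem in /home/dnasadmin is a readable, unexpired PEM certificate, and flags a certificate with an ECDSA key, which the note above describes as incompatible with AAA over IPSec. It assumes openssl is available where the script runs; the function names and the Connector certificate path argument are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks before enabling AAA with IPSec pubkey auth.
# Assumption: openssl is installed where this runs.

# Print the public key algorithm of a PEM certificate (for example
# rsaEncryption or id-ecPublicKey). Non-zero if $1 is not a PEM X.509 cert.
cert_key_alg() {
    openssl x509 -in "$1" -inform PEM -noout -text 2>/dev/null |
        awk -F': ' '/Public Key Algorithm/ { print $2; found = 1; exit }
                    END { exit !found }'
}

# Check the AAA server CA file expected for pubkey authentication.
# $1: directory holding radiusca.pem (the page specifies /home/dnasadmin).
# Returns 0 usable, 1 missing, 2 not a PEM certificate, 3 expired.
check_radius_ca() {
    ca="${1:-/home/dnasadmin}/radiusca.pem"
    [ -r "$ca" ] || { echo "missing or unreadable: $ca"; return 1; }
    cert_key_alg "$ca" >/dev/null ||
        { echo "not a PEM X.509 certificate: $ca"; return 2; }
    openssl x509 -in "$ca" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired: $ca"; return 3; }
    echo "ok: $ca ($(openssl x509 -in "$ca" -noout -subject))"
}

# Flag a Connector certificate whose key type is ECDSA.
# $1: path to the certificate (hypothetical; the page gives no location).
# Returns 0 compatible, 1 ECDSA key, 2 unparsable.
check_connector_cert() {
    alg=$(cert_key_alg "$1") || { echo "cannot parse: $1"; return 2; }
    case "$alg" in
        id-ecPublicKey)
            echo "ECDSA key: not compatible with AAA over IPSec"; return 1 ;;
        *)
            echo "key type $alg"; return 0 ;;
    esac
}
```

Calling check_radius_ca with no argument checks /home/dnasadmin/radiusca.pem; the same function can be run on a workstation against the file before it is copied to the Connector.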
SUMMARY STEPS
- connectorctl aaa enable
- connectorctl aaa edit
- On the connector Web UI, check the AAA status in the AAA Status field
DETAILED STEPS
Step 1 |
connectorctl aaa enable
Enable AAA. |
Step 2 |
connectorctl aaa edit
Example: The IP Security status indicates zero security associations, which means that the IP Security tunnel isn't yet established successfully.
You can verify the same a few seconds later by using the connectorctl aaa show command and comparing the PSK values.
Edit an existing AAA configuration. |
Step 3 |
On the connector Web UI, check the AAA status in the AAA Status field. |