| Feature | Product | Release introduced |
|---|---|---|
| For configuration details, see VOSS User Guide. | | |
| Internet Key Exchange (IKE) v2. Note: VOSS Releases 6.0 and 6.0.1 do not support this feature. | 5520 Series | VOSS 8.2.5 |
| | VSP 4450 Series | VOSS 5.1.2 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 5.1.2 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 5.1.2 |
| | VSP 8400 Series | VOSS 5.1.2 |
| | VSP 8600 Series | VSP 8600 8.0 demonstration feature |
| | XA1400 Series | VOSS 8.0.50 |
Note
DEMO FEATURE - Secure AAA server communication is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see VOSS Feature Support Matrix.
Note
Secure AAA server communication is only supported on VSP 8600 Series. You can use RADsec for RADIUS security on VOSS devices running Release 8.2 or later.
The VSP 8600 Series supports IP Security (IPsec) for the AAA server communication. IPsec provides the ability to secure RADIUS and TACACS+ servers against unwanted traffic by filtering on specific network adapters, allowing or blocking specific protocols, and enabling the server to selectively allow traffic from specific source IP addresses.
An AAA server program handles requests for access to computer resources and provides authentication, authorization, and accounting (AAA) services. The switch communicates with AAA servers using Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+). It is not sufficient to protect authentication information with only RADIUS or TACACS+.
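To illustrate why RADIUS alone is not sufficient, the following added example (not part of the VOSS documentation) builds a constructed Access-Request per RFC 2865 and lists what can be read from the UDP payload without the shared secret. The user name, password, NAS address, and shared secret are constructed sample values, and the function names are this example's own.

```python
import hashlib
import ipaddress
import struct

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address"}  # RFC 2865 types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 hiding: XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out

def build_access_request(user, password, nas_ip, secret, authenticator, ident=1) -> bytes:
    attrs = b""
    for typ, val in ((1, user), (2, hide_password(password, secret, authenticator)),
                     (4, ipaddress.IPv4Address(nas_ip).packed)):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def observe(packet: bytes) -> dict:
    """What is readable from the UDP payload by anyone on the path, with no shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    seen, pos = {"code": code, "id": ident}, 20
    while pos + 2 <= length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        val = packet[pos + 2:pos + alen]
        name = ATTR_NAMES.get(typ, f"attr-{typ}")
        if typ == 1:
            seen[name] = val.decode("utf-8", "replace")    # sent in cleartext
        elif typ == 4:
            seen[name] = str(ipaddress.IPv4Address(val))   # sent in cleartext
        else:
            seen[name] = f"<{len(val)} opaque bytes>"      # only MD5-hidden, not encrypted
        pos += alen
    return seen

# Constructed sample values, not taken from any real deployment.
SAMPLE = build_access_request(b"netadmin", b"Example-Pass1", "192.0.2.10",
                              b"constructed-secret", bytes(range(16)))
if __name__ == "__main__":
    print(observe(SAMPLE))
```

Only the User-Password attribute is hidden, and that hiding rests entirely on MD5 and the shared secret; carrying the exchange inside IPsec encrypts the whole packet, including the user name and NAS address.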
The following diagram shows the communication between the AAA client and the AAA server. The IPsec module on the client encrypts the packets to the AAA server and decrypts the packets from the AAA server. Similarly, the IPsec module on the server encrypts or decrypts the packets to or from the client.
IPsec with Internet Key Exchange (IKE) protocol for both IPv4 and IPv6.
The IPv4 implementation of IPsec is mainly for protocols involved in communication with AAA servers, that is, RADIUS and TACACS+. However, it supports all UDP and TCP protocols.
Digital signature as authentication method for IKE, in addition to the pre-shared key authentication method.
Automatic and manual keying for session establishment. IKE is the default automated key management protocol for IPsec.
IKEv1 and IKEv2 protocols.