Note
Secure AAA server communication is only supported on VSP 8600 Series, and only as a demonstration feature. Demonstration features are for lab use only and are not for use in a production environment.

The VSP 8600 Series supports IP Security (IPsec) for AAA server communication. IPsec secures RADIUS and TACACS+ servers against unwanted traffic by filtering on specific network adapters, by allowing or blocking specific protocols, and by letting the server selectively allow traffic from specific source IP addresses.
An AAA server handles requests for access to computer resources and provides authentication, authorization, and accounting (AAA) services. The switch communicates with AAA servers using Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+). Neither RADIUS nor TACACS+ alone sufficiently protects the authentication information it carries.
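To make the preceding point concrete, here is an added example (not taken from the VSP 8600 documentation or the switch software) that builds a RADIUS Access-Request with the RFC 2865 User-Password hiding and then parses it the way an on-path observer would. The shared secret, Request Authenticator and credentials are constructed values; the code shows that only the User-Password attribute is obscured, with MD5 and the static shared secret as its sole protection, while User-Name and every other attribute travel in plaintext, which is the gap IPsec closes.

```python
import hashlib

# Constructed demo values; nothing here comes from the VSP 8600 documentation.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # random per request in real traffic, sent in clear
ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2

def _rfc2865_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); the first
    # "previous block" is the Request Authenticator. The shared secret is the only key.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if hiding else block  # chaining always uses the hidden (wire) block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16 bytes
    return _rfc2865_xor(padded, secret, authenticator, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # What the RADIUS server does on receipt; anyone holding the secret can do the same.
    return _rfc2865_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes, auth: bytes) -> bytes:
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes.
    hidden = hide_password(password, secret, auth)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs

def parse_attributes(packet: bytes) -> dict:
    # Observer's view: walk the TLVs with no secret. Only User-Password is hidden.
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            break  # malformed TLV: stop instead of looping forever
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

def demo(username: bytes = b"netadmin", password: bytes = b"hunter2") -> dict:
    pkt = build_access_request(42, username, password, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    seen = parse_attributes(pkt)  # no secret needed for this step
    return {"packet": pkt, "user_name_in_clear": seen[ATTR_USER_NAME], "hidden_password": seen[ATTR_USER_PASSWORD],
            "server_recovers": reveal_password(seen[ATTR_USER_PASSWORD], SHARED_SECRET, pkt[4:20])}
```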
The following diagram shows the communication between an AAA client and an AAA server. The IPsec module on the client encrypts packets sent to the AAA server and decrypts packets received from it; the IPsec module on the server does the same for packets to and from the client.
To implement secure AAA server communication, the VSP 8600 Series software supports the following:
IPsec with Internet Key Exchange (IKE) protocol for both IPv4 and IPv6.
The IPv4 implementation of IPsec is intended mainly for the protocols used to communicate with AAA servers, that is, RADIUS and TACACS+; however, it supports all UDP and TCP protocols.
Digital signatures as an IKE authentication method, in addition to pre-shared key authentication.
Automatic and manual keying for session establishment. IKE is the default automated key management protocol for IPsec.
The IKEv1 and IKEv2 protocols.