Secure AAA server communication

Note

DEMO FEATURE - Secure AAA server communication is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see VOSS Feature Support Matrix.

Note

Secure AAA server communication is only supported on VSP 8600 Series. You can use RADsec for RADIUS security on VOSS devices running Release 8.2 or later.

The VSP 8600 Series supports IP Security (IPsec) for the AAA server communication. IPsec provides the ability to secure RADIUS and TACACS+ servers against unwanted traffic by filtering on specific network adapters, by allowing or blocking specific protocols and enabling the server to selectively allow traffic from specific source IP addresses.

An AAA server program deals with requests for access to computer resources and provides authentication, authorization, and accounting (AAA) services. The switch communicates with AAA servers using Remote Authorization Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+). It is not sufficient to protect authentication information with only RADIUS or TACACS+.

The following diagram shows the communication between AAA client and AAA server. The IPsec module on the client encrypts the packets to the AAA server and decrypts the packets from the AAA server. Similarly, the IPsec module on the server encrypts or decrypts the packets to or from the client.