AAA Policy

Authentication, Authorization, and Accounting (AAA) provides the mechanism by which network administrators define access control within the network.

A controller, service platform or access point can interoperate with external RADIUS and LDAP servers (AAA servers) to provide an additional user database and authentication resource. Each WLAN can maintain its own unique AAA configuration.

AAA provides a modular way of performing the following services:

Authentication — Authentication provides a means for identifying users, including login and password dialog, challenge and response, messaging support and (depending on the security protocol) encryption. Authentication is the technique by which a user is identified before being allowed access to the network. Configure AAA authentication by defining a list of authentication methods, and then applying the list to various interfaces. The list defines the authentication schemes performed and their sequence. The list must be applied to an interface before the defined authentication technique is conducted.

Authorization — Authorization occurs immediately after authentication. Authorization is a method for remote access control, including authorization for services and individual user accounts and profiles. Authorization functions through the assembly of attribute sets describing what the user is authorized to perform. These attributes are compared to information contained in a database for a given user, and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database could be located locally or be hosted remotely on a RADIUS server. Remote RADIUS servers authorize users by associating attribute-value (AV) pairs with the appropriate user. Each authorization method must be defined through AAA. When AAA authorization is enabled, it's applied equally to all interfaces.

Accounting — Accounting is the method for collecting and sending security server information for billing, auditing, and reporting user data, such as start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables wireless network administrators to track the services users are accessing and the network resources they are consuming. When accounting is enabled, the network access server reports user activity to a RADIUS security server in the form of accounting records. Each accounting record is composed of AV pairs and is stored on the access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA. When AAA accounting is activated, it's applied equally to all interfaces on the access servers.

To define unique controller, service platform or access point WLAN AAA configurations:

  1. Select Configuration > Network > AAA Policy to display existing AAA policies.

    The Authentication, Authorization, and Accounting (AAA) screen lists those AAA policies created thus far. Any of these policies can be selected and applied.

  2. Refer to the following for each existing AAA policy:

    AAA Policy - Displays the name assigned to the AAA policy when it was initially created. The name cannot be edited within a listed profile.

    Accounting Packet Type - Displays the accounting type set for the AAA policy. Options include:
    • Start Only - Sends a start accounting notice to initiate user accounting.
    • Start/Stop - Sends a start accounting notice at the beginning of a process and a stop notice at the end of a process. The start accounting record is sent in the background. The requested process begins regardless of whether the start accounting notice is received by the accounting server.

    Request Interval - Lists each AAA policy's interval used to send a RADIUS accounting request to the RADIUS server.

    NAC Policy - Lists the name of the Network Access Control (NAC) filter used to either include or exclude clients from access.

    Server Pooling Mode - Controls how requests are transmitted across RADIUS servers. Selecting Failover results in working down the list of servers if a server is unresponsive and unavailable. The Load Balanced option uses all available servers, transmitting requests in round robin.

  3. To configure a new AAA policy, click the Add button. To modify an existing AAA configuration, select it from amongst those available and select the Edit button.