AAA Policy

About this task

AAA (Authentication, Authorization, and Accounting) provides the mechanism by which network administrators define access control within the network.

A controller, service platform or access point can interoperate with external RADIUS and LDAP servers (AAA servers) to provide an additional user database and authentication resource. Each WLAN can maintain its own unique AAA configuration.

AAA provides a modular way of performing the following services:

Authentication — Authentication provides a means for identifying users, including login and password dialog, challenge and response, messaging support and (depending on the security protocol) encryption. Authentication is the technique by which a user is identified before being allowed access to the network. Configure AAA authentication by defining a list of authentication methods, and then applying the list to various interfaces. The list defines the authentication schemes performed and their sequence. The list must be applied to an interface before the defined authentication technique is conducted.

Authorization — Authorization occurs immediately after authentication. Authorization is a method for remote access control, including authorization for services and individual user accounts and profiles. Authorization functions through the assembly of attribute sets describing what the user is authorized to perform. These attributes are compared to information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database could be located locally or be hosted remotely on a RADIUS server. Remote RADIUS servers authorize users by associating attribute-value (AV) pairs with the appropriate user. Each authorization method must be defined through AAA. When AAA authorization is enabled it's applied equally to all interfaces.

Accounting — Accounting is the method for collecting and sending security server information for billing, auditing, and reporting user data, such as start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables wireless network administrators to track the services users are accessing and the network resources they are consuming. When accounting is enabled, the network access server reports user activity to a RADIUS security server in the form of accounting records. Each accounting record consists of AV pairs and is stored on the access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA. When AAA accounting is activated, it's applied equally to all interfaces on the access servers.

To define unique controller, service platform or access point WLAN AAA configurations:

Procedure

  1. Select Configuration → Network → AAA Policy.
    The Authentication, Authorization, and Accounting (AAA) screen displays. This screen lists AAA policies created thus far. Any of these policies can be selected and applied.
  2. Refer to the following information listed for each existing AAA policy:
    AAA Policy Displays the name assigned to the AAA policy when it was initially created. The name cannot be edited within a listed profile.
    Accounting Packet Type Displays the accounting type set for the AAA policy. Options include:
    • Start Only — Sends a start accounting notice to initiate user accounting.
    • Start/Stop — Sends a start accounting notice at the beginning of a process and a stop notice at the end of a process. The start accounting record is sent in the background. The requested process begins regardless of whether the start accounting notice is received by the accounting server.
    Request Interval Lists each AAA policy's interval used to send a RADIUS accounting request to the RADIUS server.
    NAC Policy Lists the name of the Network Access Control (NAC) filter used to either include or exclude clients from access.
    Server Pooling Mode The server pooling mode controls how requests are transmitted across RADIUS servers. Selecting Failover results in working down the list of servers if a server is unresponsive and unavailable. The Load Balanced option uses all available servers transmitting requests in round robin.
  3. To configure a new AAA policy, click Add. To modify an existing AAA configuration, select it from amongst those available and click Edit. Existing policies can be copied or renamed as needed.
  4. Refer to the following RADIUS Authentication details:
    Server Id Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point.
    Server Type Displays the type of AAA server in use as either Host, onboard-self or onboard-controller.
    Host Displays the IP address or hostname of the RADIUS authentication server.
    Port Displays the port on which the RADIUS server listens to traffic within the access point managed network. The port range is 1 - 65,535. The default port is 1812.
    Request Proxy Mode Displays whether a request is transmitted directly through the server or proxied through the Virtual Controller AP or RF Domain manager.
    Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session. The available range is from 1 - 10. The default is 3.
    Request Timeout Displays the time (from 1 - 60) seconds for the re-transmission of request packets. The default is 3 seconds. If this time is exceeded, the authentication session is terminated.
    DSCP Displays the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification. The valid range is from 0 - 63 with a default of 46.
    NAI Routing Enable Displays NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @ portion, identifies a single user. The generic form allows all users to be configured on a single command line. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dialup ISPs. Using NAI, each ISP need not have all the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers for each.
    NAC Enable A green check defines NAC as enabled, while a Red X defines NAC disabled with this AAA policy.
  5. Select a configuration from the table and select Edit, or select Add to create a new RADIUS authentication server configuration. Optionally Delete a configuration as they become obsolete.
  6. Define the following settings to add or modify AAA RADIUS authentication server configuration:
    Server Id Define the numerical server index (1-6) for the authentication server to differentiate it from others available to the access point's AAA policy.
    Server Type Select the type of AAA server as either Host, onboard-self , onboard-controller or onboard-centralized-controller.
    Host Specify the IP address or hostname of the RADIUS authentication server. Hostnames cannot include an underscore character. Select Alias to define the hostname alias once and use the alias character set across different configuration items.
    Port Define or edit the port on which the RADIUS server listens to traffic within the access point managed network. The port range is 1 to 65,535. The default port is 1812.
    Secret Specify the secret used for authentication on the selected RADIUS server. By default the secret will be displayed as asterisks. To show the secret in plain text, check the Show box.
    Request Proxy Mode Select the proxy method used to reach the RADIUS authentication server. The mode can be None, Through Wireless Controller, through-centralized-controller, Through RF Domain Manager, or Through Mint Host.
    Proxy Mint Host Specify a 64 character maximum hostname (or Mint ID) of the Mint device used for proxying requests. Hostnames cannot include an underscore character.
    Request Attempts Specify the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session. The available range is from 1 - 10. The default is 3.
    Request Timeout Specify the time from 1 - 60 seconds for the access point's re-transmission of request packets. If this time is exceeded, the authentication session is terminated. The default is 3 seconds.
    Request Timeout Factor Specify the time from 50 - 200 seconds between retry timeouts for the access point's re-transmission of request packets. The default is 100.
    DSCP Specify the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification. The valid range is between 0 and 63 with a default value of 46.
  7. Set the following Network Access Identifier Routing values:
    NAI Routing Enable Select this check box to enable NAI routing. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name. NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @ portion, identifies a single user. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of NAI was to support roaming between dialup ISPs. Using NAI, each ISP need not have all the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers for each user credential.
    Realm Enter the realm name in the field. The name cannot exceed 64 characters. When the access point RADIUS server receives a request for a user name the server references a table of user names. If the user name is known, the server proxies the request to the RADIUS server.
    Realm Type Specify the type of realm that is being used, either Prefix or Suffix.
    Strip Realm Select this option to remove information from the packet when NAI routing is enabled.
  8. Select Ok to save the changes made to this window. Click Exit to close this window.
  9. Select the RADIUS Accounting tab.
  10. Refer to the following information for each existing AAA server policy to determine whether new RADIUS accounting policies require creation or existing policies require modification:
    Server Id Displays the numerical server index (1-6) for the accounting server assigned when added to the WiNG operating system.
    Host Displays the IP address or hostname of the RADIUS authentication server. Hostnames cannot include an underscore character.
    Port Displays the port on which the RADIUS server listens to traffic within the network. The port range is 1 to 65,535. The default port is 1813.
    Server Type Displays the type of AAA server in use either Host, onboard-self, or onboard-controller.
    Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session. The available range is between 1 and 10 attempts. The default is 3 attempts.
    Request Timeout Displays the time between 1 and 60 seconds for the wireless controller's re-transmission of request packets. If this time is exceeded, the authentication session is terminated.
    DSCP Displays the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification. The valid range is between 0 and 63 with a default value of 34.
    Request Proxy Mode Displays the proxy method used to reach the RADIUS authentication server. The mode can be None, Through Wireless Controller, or Through RF Domain Manager.
    NAI Routing Enable Displays NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @ portion, identifies a single user. The generic form allows all users to be configured on a single command line. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dialup ISPs. Using NAI, each ISP need not have all the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers for each.
  11. To edit an existing accounting profile, select the profile then Edit. To add a new Accounting server configuration select Add. Optionally Delete a configuration as they become obsolete.
  12. Define the following settings to add or modify AAA RADIUS accounting server configuration:
    Server Id Displays the numerical server index (1-6) for the accounting server when added to the list available to the access point.
    Host Specify the IP address or hostname of the RADIUS accounting server. Hostnames cannot include an underscore character. Select Alias to define the hostname alias once and use the alias character set across different configuration items.
    Server Type Define or edit the port on which the RADIUS accounting server listens to traffic within the network. The port range is 1 to 65,535. The default port is 1813.
    Secret Specify the secret (password) used for authentication on the selected RADIUS server. By default the secret is displayed as asterisks. Select the Show option to display the entered secret.
    Request Proxy Mode Select the proxy method used to reach the RADIUS authentication server. The mode can be None, Through Wireless Controller, Through RF Domain Manager or Through Mint Host.
    Proxy Mint Host Specify a 64 character maximum hostname or the Mint ID of the Mint device used for proxying requests.
    Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS accounting server before it times out of the authentication session. The available range is 1 - 10 attempts. The default is 3 attempts.
    Request Timeout Specify the time for the access point's re-transmission of request packets. The default is 5 seconds. If this time is exceeded, the authentication session is terminated.
    Retry Timeout Factor Specify the interval, in seconds, between two successive re-transmission attempts of request packets. Specify a value from 50 - 200 seconds. The default is 100 seconds.
    DSCP Displays the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification. The valid range is from 0 - 63 with a default value of 34.
  13. Set the following Network Access Identifier Routing values for the accounting server:
    NAI Routing Enable Check to enable NAI routing. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address as either user or user@ but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @ portion, identifies a single user. The generic form allows all users to be configured on a single command line. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dialup ISPs. Using NAI, each ISP need not have all the accounts for all of its roaming partners in a single RADIUS database. RADIUS accounting servers can proxy requests to remote servers for each.
    Realm Enter the realm name. The name cannot exceed 64 characters. When the access point's RADIUS server receives a request for a user name, the server references a table of user names. If the user name is known, the server proxies the request to the RADIUS server.
    Realm Type Specify whether the Prefix or Suffix of the username is matched to the realm.
    Strip Realm Check strip to remove information from the packet when NAI routing is enabled.
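    The realm handling configured in steps 7 and 13 (Realm, Realm Type as Prefix or Suffix, Strip Realm), worked through as an added example that is not part of this documentation or the WiNG product: it decides whether a User-Name is proxied to the realm's RADIUS server and what identity is forwarded. The delimiters ("@" for a suffix realm, "\" or "/" for a prefix realm) and the case-insensitive realm comparison are assumptions; the page does not state them.

```python
"""NAI realm routing: match the configured realm against the User-Name
and apply Strip Realm to the identity forwarded to the remote server."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed delimiters (not stated on the page): user@realm for Suffix,
# realm\user or realm/user for Prefix.
SUFFIX_DELIM = "@"
PREFIX_DELIMS = ("\\", "/")


@dataclass(frozen=True)
class NaiRouting:
    enabled: bool       # NAI Routing Enable check box
    realm: str          # Realm, 64 characters maximum
    realm_type: str     # Realm Type: "Prefix" or "Suffix"
    strip_realm: bool   # Strip Realm check box

    def __post_init__(self) -> None:
        if len(self.realm) > 64:
            raise ValueError("realm name cannot exceed 64 characters")
        if self.realm_type not in ("Prefix", "Suffix"):
            raise ValueError("realm type must be Prefix or Suffix")


def split_nai(user_name: str, realm_type: str) -> Tuple[str, Optional[str]]:
    """Return (user, realm); realm is None when the NAI carries none.
    A bare 'user@' yields an empty realm, which never matches a configured one."""
    if realm_type == "Suffix":
        user, sep, realm = user_name.rpartition(SUFFIX_DELIM)
        return (user, realm) if sep else (user_name, None)
    for delim in PREFIX_DELIMS:
        realm, sep, user = user_name.partition(delim)
        if sep:
            return (user, realm)
    return (user_name, None)


def route(cfg: NaiRouting, user_name: str) -> dict:
    """Routing decision for one Access-Request / Accounting-Request.
    proxy: whether the realm matched and the request is forwarded;
    forward_user: the User-Name the remote RADIUS server will see."""
    if not cfg.enabled:
        return {"proxy": False, "forward_user": user_name, "realm": None}
    user, realm = split_nai(user_name, cfg.realm_type)
    # Assumption: realm names compare case-insensitively.
    matched = realm is not None and realm.lower() == cfg.realm.lower()
    if not matched:
        return {"proxy": False, "forward_user": user_name, "realm": realm}
    forward = user if cfg.strip_realm else user_name
    return {"proxy": True, "forward_user": forward, "realm": realm}


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real deployment.
    suffix_cfg = NaiRouting(True, "example.com", "Suffix", True)
    prefix_cfg = NaiRouting(True, "CORP", "Prefix", False)
    for cfg, name in ((suffix_cfg, "alice@example.com"), (suffix_cfg, "alice@"),
                      (prefix_cfg, "CORP\\bob"), (prefix_cfg, "bob@CORP")):
        print(f"{name!r:22} -> {route(cfg, name)}")
```

    With Strip Realm set the remote server only ever sees the bare user portion, so its account table must be keyed without the realm; with it clear the full NAI is forwarded unchanged.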
  14. Select Ok to save the changes made to this window. Click Exit to close this window.
  15. Select the Settings tab.
  16. Set the following RADIUS server configuration parameters:
    Protocol for MAC, Captive-Portal Authentication Set the authentication protocol when the server is used for any non-EAP authentication. Options include Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), MSPAP and MSCHAPV2. The default setting is PAP.
    Accounting Packet Type Set the type of RADIUS Accounting Request packets generated. Options include Stop Only, Start/Stop and Start/Interim/Stop. The default setting is Start/Stop.
    Request Interval Set the periodicity of the interim accounting requests to 1 hour, 1 - 60 minutes or 60 - 3600 seconds. The default is 30 minutes.
    Accounting Server Preference Select the server preference for RADIUS accounting. The options include:
    • Prefer Same Authentication Server Host — Uses the authentication server host name as the host used for RADIUS accounting. This is the default setting.
    • Prefer Same Authentication Server Index — Uses the same index as the authentication server for RADIUS accounting.
    • Select Accounting Server Independently — Allows users to specify a RADIUS accounting server separate from the RADIUS authentication server.
    Format Select the format of the MAC address used in the RADIUS accounting packets.
    Case Lists whether the MAC address is sent using uppercase or lowercase letters. The default setting is uppercase.
    Attributes Lists whether the format specified applies only to the user name/password in mac-auth or for all attributes that include a MAC address, such as calling-station-id or called-station-id.
    Server Pooling Mode Controls how requests are transmitted across RADIUS servers. The options are: Failover and Load Balanced. Failover implies traversing the list of servers if any server is unresponsive. Load Balanced uses all servers in a round-robin fashion. The default setting is Failover.
    Client Attempts Defines the number of times (1 - 10) an EAP request is transmitted to a client before giving up. The default setting is 3.
    Request Timeout Set the amount of time after which an EAP request to a client is retried. The default setting is 3 seconds.
    ID Request Timeout Define the amount of time (1 - 60 seconds) after which an EAP ID Request to a client is retried. The default setting is 30 seconds.
    Retransmission Scale Factor Set the scaling of the retransmission attempts. Timeout at each attempt is a function of the request timeout factor and client attempts number. 100 (default setting) implies a constant timeout at each retry; smaller values indicate more aggressive (shorter) timeouts, larger numbers set more conservative (longer) timeouts on each successive attempt.
    Cisco VSA Audit Session Id Set a vendor specific attribute (VSA) to allow Cisco's Identity Services Engine (ISE) to validate a requesting client's network compliance, such as the validity of virus definition files (antivirus software or definition files for an anti-spyware software application). This setting is disabled by default.
    Accounting Delay Time Select this option to enable the support of an accounting delay time attribute within accounting requests. This setting is disabled
    Accounting Multi Session Id Select this option to enable the support of an accounting multi session ID attribute. This setting is disabled by default.
    Chargeable User Id Select this option to enable the support of chargeable user identity. This setting is disabled by default.
    Add Framed IP Address Select this option to add an IP address attribute to access requests. This setting is disabled by default.
    Framed MTU Set the framed MTU attribute (from 100 - 1500) used in access requests. The default setting is 1400.
    RFC5580 Location Information Select a support option for the RFC5580 location attribute. Options include None, include-always and server-requested. The default setting is None.
    RFC5580 Operator Name Provide a 63 character maximum RFC5580 operator name.
    Service-Type Set the service type attribute value. Options include framed (default setting) and login.
    NAS IPv6 Address Select this option to provide support for NAS IPv6 formatted addresses when not proxying. This setting is disabled by default.
    Proxy NAS Identifier Select a RADIUS attribute NAS identifier when proxying through the controller or RF Domain manager. Options include originator (default setting) or proxier.
    Proxy NAS IPv6/IPv4 Address Sets the RADIUS attribute NAS IP address and NAS IPv4 address behavior when proxying through the controller or RF Domain manager. Options include None and proxier (default setting).
  17. Select OK to save the updates to the AAA configuration. Select Reset to revert to the last saved configuration.