User's Manual
Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
Multiple backup systems
8.1.3 AAA Principles
AAA is designed to enable you to dynamically configure the type of authentication and authorization you want
on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of
authentication and authorization you want by creating method lists, then applying those method lists to specific
services or interfaces.
8.1.4 AAA Method List
To configure AAA, first define a named method list and then apply it to a specific service or interface. The
method list defines which AAA methods run and the order in which they run. A method list takes effect only
after it has been applied to an interface or service. The only exception is the default method list, which is
applied automatically to every interface and service; when an interface explicitly applies a different method
list, that list overrides the default method list on that interface.
A method list is a sequential list that defines the authentication methods used to authenticate a user. In an AAA
method list you can specify one or more security protocols, which provides a backup authentication system in
case the first method fails to respond. Our SWITCH software uses the first method listed to authenticate
users; if that method does not respond, the software selects the next authentication method in the method list.
This process continues until there is successful communication with a listed authentication method or the
authentication method list is exhausted, in which case authentication fails.
It is important to note that the SWITCH software attempts authentication with the next listed authentication
method only when there is no response from the previous method. If authentication fails at any point in this
cycle—meaning that the security server or local user name database responds by denying the user access—
the authentication process stops and no other authentication methods are attempted.
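The distinction between "no response" (fall over to the next method) and "deny" (stop immediately) is the part of method-list evaluation that is easiest to get wrong when planning a backup chain. The following Python simulation is an added example, not code from the manual or from the SWITCH software; the server names, users and passwords are constructed, and a method list named "default" that tries two RADIUS servers and then the local database is assumed.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Reply(Enum):
    ACCEPT = "accept"            # server (or local database) granted access
    DENY = "deny"                # server answered and refused the user
    NO_RESPONSE = "no-response"  # unreachable or timed out: the only case that falls over

# A method is any callable taking (user, password) and returning a Reply.
Method = Callable[[str, str], Reply]

def run_method_list(methods: List[Tuple[str, Method]], user: str, password: str):
    """Evaluate a method list as the manual describes: methods are tried in
    order, the next one is consulted only when the previous gave no response,
    and an explicit DENY ends the process.  Returns (granted, trace) where
    trace lists every (method name, reply) that was actually consulted."""
    trace = []
    for name, method in methods:
        reply = method(user, password)
        trace.append((name, reply))
        if reply is Reply.NO_RESPONSE:
            continue                          # fall over to the next listed method
        return reply is Reply.ACCEPT, trace   # ACCEPT or DENY both stop here
    return False, trace                       # list exhausted: authentication fails

def make_server(reachable: bool, users: Dict[str, str]) -> Method:
    """Constructed stand-in for a RADIUS/TACACS+ server or the local user database."""
    def method(user: str, password: str) -> Reply:
        if not reachable:
            return Reply.NO_RESPONSE
        return Reply.ACCEPT if users.get(user) == password else Reply.DENY
    return method

# Constructed scenario (assumed, not from the manual): method list "default"
# tries RADIUS server R1, then RADIUS server R2, then the local user database.
R1 = make_server(reachable=False, users={"alice": "pw-a"})   # R1 is down
R2 = make_server(reachable=True, users={"alice": "pw-a"})    # R2 does not know bob
LOCAL = make_server(reachable=True, users={"bob": "pw-b"})
DEFAULT_LIST = [("R1", R1), ("R2", R2), ("local", LOCAL)]

def login(user: str, password: str):
    return run_method_list(DEFAULT_LIST, user, password)

if __name__ == "__main__":
    for u, p in (("alice", "pw-a"), ("bob", "pw-b"), ("alice", "wrong")):
        granted, trace = login(u, p)
        print(u, "granted" if granted else "rejected", [(n, r.value) for n, r in trace])
```

Note that bob is rejected even though the local database knows him: R2 answered with a deny, so the local database is never consulted.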
The following figure shows a typical AAA network configuration that includes four security servers: R1 and R2
are RADIUS servers, and T1 and T2 are TACACS+ servers. Authentication is used as the example to
demonstrate the relation between an AAA service and an AAA method list.
Figure 8-1 Typical AAA Network Configuration
In this example, default is the name of the method list, including the protocol in the method list and the request