AAA
Authentication, Authorization and Accounting (AAA)
This chapter describes how to configure authentication, authorization and accounting settings on the Switch.
The external servers that perform authentication, authorization and accounting functions are known as AAA servers (S). The Switch supports RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) as the external authentication, authorization, and accounting server on clients (C).
AAA Server
What You Can Do
• use the RADIUS Server Setup screen (RADIUS Server Setup) to configure your RADIUS server settings.
• Use the TACACS+ Server Setup screen (TACACS+ Server Setup) to configure your TACACS+ authentication settings.
• Use the AAA Setup screen (AAA Setup) to configure authentication, authorization and accounting settings, such as the methods used to authenticate users accessing the Switch and which database the Switch should use first.
What You Need to Know
Authentication is the process of determining who a user is and validating access to the Switch. The Switch can authenticate users who try to log in based on user accounts configured on the Switch itself. The Switch can also use an external authentication server to authenticate a large number of users.
Authorization is the process of determining what a user is allowed to do. Different user accounts may have higher or lower privilege levels associated with them. For example, user A may have the right to create new login accounts on the Switch but user B cannot. The Switch can authorize users based on user accounts configured on the Switch itself or it can use an external server to authorize a large number of users.
Accounting is the process of recording what a user is doing. The Switch can use an external server to track when users log in, log out, execute commands and so on. Accounting can also record system related actions such as boot up and shut down times of the Switch.
Local User Accounts
By storing user profiles locally on the Switch, your Switch is able to authenticate and authorize users without interacting with a network AAA server. However, there is a limit on the number of users you may authenticate in this way.
RADIUS and TACACS+
RADIUS and TACACS+ are security protocols used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS and TACACS+ authentication both allow you to validate an unlimited number of users from a central location.
The following table describes some key differences between RADIUS and TACACS+.
RADIUS | TACACS+ | |
|---|---|---|
Transport Protocol | UDP (User Datagram Protocol) | TCP (Transmission Control Protocol) |
Encryption | Encrypts the password sent for authentication. | All communication between the client (the Switch) and the TACACS server is encrypted. |
RADIUS Server Setup
Use this screen to configure your RADIUS server settings. Click SECURITY > AAA > RADIUS Server Setup > RADIUS Server Setup to view the screen as shown.
SECURITY > AAA > RADIUS Server Setup > RADIUS Server Setup
The following table describes the labels in this screen.
label | description |
|---|---|
Authentication Server Use this section to configure your RADIUS authentication settings. | |
Mode | This field is only valid if you configure multiple RADIUS servers. Select index-priority and the Switch tries to authenticate with the first configured RADIUS server, if the RADIUS server does not respond then the Switch tries to authenticate with the second RADIUS server. Select round-robin to alternate between the RADIUS servers that it sends authentication requests to. |
Timeout | Specify the amount of time in seconds that the Switch waits for an authentication request response from the RADIUS server. If you are using two RADIUS servers then the timeout value is divided between the two RADIUS servers. For example, if you set the timeout value to 30 seconds, then the Switch waits for a response from the first RADIUS server for 15 seconds and then tries the second RADIUS server. |
Delete | Check this box if you want to remove an existing RADIUS server entry from the Switch. This entry is deleted when you click Apply. |
Index | This is a read-only number representing a RADIUS server entry. |
IP Address | Enter the IPv4 address of an external RADIUS server. |
UDP Port | The default port of a RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so. |
Shared Secret | Specify a password (up to 32 alphanumeric characters except [ ? ], [ | ], [ ' ], [ " ], [ space ], or [ , ]) as the key to be shared between the external RADIUS server and the Switch. This key is not sent over the network. This key must be the same on the external RADIUS server and the Switch. |
Encrypted Shared Secret | This displays the encrypted shared secret in ‘*’ format if you enabled Server Key Encryption in SECURITY > AAA > AAA Setup > AAA Setup.  If you forget the key you set, simply reset the key in the Shared Secret field. If a key is encrypted, it will remain in the encrypted format even if you later disable Server Key Encryption in SECURITY > AAA > AAA Setup > AAA Setup.The shared secret displayed in this field does not present the actual length of the shared secret. |
Accounting Server Use this section to configure your RADIUS accounting server settings. | |
Timeout | Specify the amount of time in seconds that the Switch waits for an accounting request response from the RADIUS accounting server. |
Delete | Check this box if you want to remove an existing RADIUS accounting server entry from the Switch. This entry is deleted when you click Apply. |
Index | This is a read-only number representing a RADIUS accounting server entry. |
IP Address | Enter the IPv4 address of an external RADIUS accounting server. |
UDP Port | The default port of a RADIUS accounting server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so. |
Shared Secret | Specify a password (up to 32 alphanumeric characters except [ ? ], [ | ], [ ' ], [ " ], [ space ], or [ , ]) as the key to be shared between the external RADIUS accounting server and the Switch. This key is not sent over the network. This key must be the same on the external RADIUS accounting server and the Switch. |
Encrypted Shared Secret | This displays the encrypted shared secret in ‘*’ format if you enabled Server Key Encryption in SECURITY > AAA > AAA Setup > AAA Setup. If you forget the key you set, simply reset the key in the Shared Secret field. If a key is encrypted, it will remain in the encrypted format even if you later disable Server Key Encryption in SECURITY > AAA > AAA Setup > AAA Setup.The shared secret displayed in this field does not present the actual length of the shared secret. |
Attribute Use this section to define the RADIUS server attribute for its account. | |
NAS-IP-Address | Enter the IP address of the NAS (Network Access Server). |
Apply | Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring. |
Cancel | Click Cancel to begin configuring this screen afresh. |
TACACS+ Server Setup
Use this screen to configure your TACACS+ server settings. Click SECURITY > AAA > TACACS+ Server Setup > TACACS+ Server Setup to view the screen as shown.
SECURITY > AAA > TACACS+ Server Setup > TACACS+ Server Setup
The following table describes the labels in this screen.
label | description |
|---|---|
Authentication Server Use this section to configure your TACACS+ authentication settings. | |
Mode | This field is only valid if you configure multiple TACACS+ servers. Select index-priority and the Switch tries to authenticate with the first configured TACACS+ server, if the TACACS+ server does not respond then the Switch tries to authenticate with the second TACACS+ server. Select round-robin to alternate between the TACACS+ servers that it sends authentication requests to. |
Timeout | Specify the amount of time in seconds that the Switch waits for an authentication request response from the TACACS+ server. If you are using index-priority for your authentication and you are using two TACACS+ servers then the timeout value is divided between the two TACACS+ servers. For example, if you set the timeout value to 30 seconds, then the Switch waits for a response from the first TACACS+ server for 15 seconds and then tries the second TACACS+ server. |
Delete | Check this box if you want to remove an existing TACACS+ server entry from the Switch. This entry is deleted when you click Apply. |
Index | This is a read-only number representing a TACACS+ server entry. |
IP Address | Enter the IP address of an external TACACS+ server in dotted decimal notation. |
TCP Port | The default port of a TACACS+ server for authentication is 49. You need not change this value unless your network administrator instructs you to do so. |
Shared Secret | Specify a password (up to 32 alphanumeric characters except [ ? ], [ | ], [ ' ], [ " ], [ space ], or [ , ]) as the key to be shared between the external TACACS+ server and the Switch. This key is not sent over the network. This key must be the same on the external TACACS+ server and the Switch. |
Encrypted Shared Secret | This displays the encrypted shared secret in ‘*’ format if you enabled Server Key Encryption in SECURITY > AAA > AAA Setup > AAA Setup. If you forget the key you set, simply reset the key in the Shared Secret field. If a key is encrypted, it will remain in the encrypted format even if you later disable Server Key Encryption in SECURITY > AAA > AAA Setup > AAA Setup.The shared secret displayed in this field does not present the actual length of the shared secret. |
Accounting Server Use this section to configure your TACACS+ accounting settings. | |
Timeout | Specify the amount of time in seconds that the Switch waits for an accounting request response from the TACACS+ server. |
Delete | Check this box if you want to remove an existing TACACS+ accounting server entry from the Switch. This entry is deleted when you click Apply. |
Index | This is a read-only number representing a TACACS+ accounting server entry. |
IP Address | Enter the IP address of an external TACACS+ accounting server in dotted decimal notation. |
TCP Port | The default port of a TACACS+ accounting server is 49. You need not change this value unless your network administrator instructs you to do so. |
Shared Secret | Specify a password (up to 32 alphanumeric characters except [ ? ], [ | ], [ ' ], [ " ], [ space ], or [ , ]) as the key to be shared between the external TACACS+ accounting server and the Switch. This key is not sent over the network. This key must be the same on the external TACACS+ accounting server and the Switch. |
Encrypted Shared Secret | This displays the encrypted shared secret in ‘*’ format if you enabled Server Key Encryption in SECURITY > AAA > AAA Setup > AAA Setup. If you forget the key you set, simply reset the key in the Shared Secret field. If a key is encrypted, it will remain in the encrypted format even if you later disable Server Key Encryption in SECURITY > AAA > AAA Setup > AAA Setup.The shared secret displayed in this field does not present the actual length of the shared secret. |
Apply | Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring. |
Cancel | Click Cancel to begin configuring this screen afresh. |
AAA Setup
Use this screen to configure authentication, authorization and accounting settings on the Switch. Click SECURITY > AAA > AAA Setup > AAA Setup to view the screen as shown.
SECURITY > AAA > AAA Setup > AAA Setup
The following table describes the labels in this screen.
label | description |
|---|---|
Server Key Encryption Use this section to configure server key encryption settings. | |
Active | Enable the switch button to enable server key (shared secret) encryption for RADIUS server and TACACS+ server for security enhancement. The shared secret will be stored on the Switch in an encrypted format and displayed as ‘*’ in the SECURITY > AAA > RADIUS Server Setup > RADIUS Server Setup and SECURITY > AAA > TACACS+ Server Setup > TACACS+ Server Setup screens. |
Authentication Use this section to specify the methods used to authenticate users accessing the Switch. | |
Privilege Enable | These fields specify which database the Switch should use (first, second and third) to authenticate access privilege level for administrator accounts (users for Switch management). Configure the access privilege of accounts through commands (see the Ethernet Switch CLI Reference Guide) for local authentication. The TACACS+ and RADIUS are external servers. Before you specify the priority, make sure you have set up the corresponding database correctly first. You can specify up to three methods for the Switch to authenticate the access privilege level of administrators. The Switch checks the methods in the order you configure them (first Method 1, then Method 2 and finally Method 3). You must configure the settings in the Method 1 field. If you want the Switch to check other sources for access privilege level specify them in Method 2 and Method 3 fields. Select local to have the Switch check the access privilege configured for local authentication. Select radius or tacacs+ to have the Switch check the access privilege through the external servers. |
Login | These fields specify which database the Switch should use (first, second and third) to authenticate administrator accounts (users for Switch management). Configure the local user accounts in the SYSTEM > Logins > Logins screen. The TACACS+ and RADIUS are external servers. Before you specify the priority, make sure you have set up the corresponding database correctly first. You can specify up to three methods for the Switch to authenticate administrator accounts. The Switch checks the methods in the order you configure them (first Method 1, then Method 2 and finally Method 3). You must configure the settings in the Method 1 field. If you want the Switch to check other sources for administrator accounts, specify them in Method 2 and Method 3 fields. Select local to have the Switch check the administrator accounts configured in the SYSTEM > Logins > Logins screen. Select radius to have the Switch check the administrator accounts configured through the RADIUS Server. Select tacacs+ to have the Switch check the administrator accounts configured through the TACACS+ Server. |
Authorization Use this section to configure authorization settings on the Switch. | |
Type | Set whether the Switch provides the following services to a user. • Exec: Allow an administrator which logs into the Switch through Telnet or SSH to have a different access privilege level assigned through the external server. • Dot1x: Allow an IEEE 802.1x client to have different bandwidth limit or VLAN ID assigned through the external server. |
Active | Enable the switch button to activate authorization for a specified event type. |
Console | Select this to allow an administrator which logs in the Switch through the console port to have different access privilege level assigned through the external server. |
Method | Select whether you want to use radius or tacacs+ for authorization of specific types of events. RADIUS is the only method for IEEE 802.1x authorization. |
Accounting Use this section to configure accounting settings on the Switch. | |
Update Period | This is the amount of time in minutes before the Switch sends an update to the accounting server. This is only valid if you select the start-stop option for the Exec or Dot1x entries. |
Type | The Switch supports the following types of events to be sent to the accounting servers: • System – Configure the Switch to send information when the following system events occur: system boots up, system shuts down, system accounting is enabled, system accounting is disabled. • Exec – Configure the Switch to send information when an administrator logs in and logs out through the console port, telnet or SSH. • Dot1x – Configure the Switch to send information when an IEEE 802.1x client begins a session (authenticates through the Switch), ends a session as well as interim updates of a session. • Commands – Configure the Switch to send information when commands of specified privilege level and higher are executed on the Switch. |
Active | Enable the switch button to activate accounting for a specified event type. |
Broadcast | Select this to have the Switch send accounting information to all configured accounting servers at the same time. If you do not select this and you have two accounting servers set up, then the Switch sends information to the first accounting server and if it does not get a response from the accounting server then it tries the second accounting server. |
Mode | The Switch supports two modes of recording login events. Select: • start-stop – to have the Switch send information to the accounting server when a user begins a session, during a user’s session (if it lasts past the Update Period), and when a user ends a session. • stop-only – to have the Switch send information to the accounting server only when a user ends a session. |
Method | Select whether you want to use radius or tacacs+ for accounting of specific types of events. tacacs+ is the only method for recording Commands type of event. |
Privilege | This field is only configurable for Commands type of event. Select the threshold command privilege level for which the Switch should send accounting information. The Switch will send accounting information when commands at the level you specify and higher are executed on the Switch. |
Apply | Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring. |
Cancel | Click Cancel to begin configuring this screen afresh. |
Technical Reference
This section provides technical background information on the topics discussed in this chapter.
Vendor Specific Attribute
RFC 2865 standard specifies a method for sending vendor-specific information between a RADIUS server and a network access device (for example, the Switch). A company can create Vendor Specific Attributes (VSAs) to expand the functionality of a RADIUS server.
The Switch supports VSAs that allow you to perform the following actions based on user authentication:
• Limit bandwidth on incoming or outgoing traffic for the port the user connects to.
• Assign account privilege levels for the authenticated user.
The VSAs are composed of the following:
• Vendor-ID: An identification number assigned to the company by the IANA (Internet Assigned Numbers Authority). Zyxel’s vendor ID is 890.
• Vendor-Type: A vendor specified attribute, identifying the setting you want to modify.
• Vendor-data: A value you want to assign to the setting.
Refer to the documentation that comes with your RADIUS server on how to configure VSAs for users authenticating through the RADIUS server.The following table describes the VSAs supported on the Switch. Note that these attributes only work when you enable authorization (see AAA Setup).
Function | attribute |
|---|---|
Privilege Assignment | Vendor-ID = 890 Vendor-Type = 3 Vendor-Data = "shell:priv-lvl=N" or Vendor-ID = 9 (CISCO) Vendor-Type = 1 (CISCO-AVPAIR) Vendor-Data = "shell:priv-lvl=N" where N is a privilege level (from 0 to 14). If you set the privilege level of a login account differently on the RADIUS servers and the Switch, the user is assigned a privilege level from the database (RADIUS or local) the Switch uses first for user authentication. |
Tunnel Protocol Attribute
You can configure tunnel protocol attributes on the RADIUS server (refer to your RADIUS server documentation) to assign a port on the Switch to a VLAN based on IEEE 802.1x authentication. The port VLAN settings are fixed and untagged. This will also set the port’s VID. The following table describes the values you need to configure. Note that these attributes only work when you enable authorization (see AAA Setup).
Function | attribute |
|---|---|
VLAN Assignment | Tunnel-Type = VLAN(13) Tunnel-Medium-Type = 802(6) Tunnel-Private-Group-ID = VLAN ID You must also create a VLAN with the specified VID on the Switch.The bolded values in this table are fixed values as defined in RFC 3580. |
Supported RADIUS Attributes
Remote Authentication Dial-In User Service (RADIUS) attributes are data used to define specific authentication elements in a user profile, which is stored on the RADIUS server. This section lists the RADIUS attributes supported by the Switch.
Refer to RFC 2865 for more information about RADIUS attributes used for authentication.
Refer to RFC 2866 and RFC 2869 for RADIUS attributes used for accounting.
This section lists the attributes used by authentication functions on the Switch. In cases where the attribute has a specific format associated with it, the format is specified.
Attributes Used for Authentication
The following sections list the attributes sent from the Switch to the RADIUS server when performing authentication.
Attributes Used for Authenticating Privilege Access
User-Name
– The format of the User-Name attribute is $enab#$, where # is the privilege level (1 – 14).
User-Password
NAS-Identifier
NAS-IP-Address
Attributes Used to Login Users
User-Name
User-Password
NAS-Identifier
NAS-IP-Address
Attributes Used by the IEEE 802.1x Authentication
User-Name
NAS-Identifier
NAS-IP-Address
NAS-Port
NAS-Port-Type
– This value is set to Ethernet(15) on the Switch.
Calling-Station-Id
Frame-MTU
EAP-Message
State
Message-Authenticator
Attributes Used for Accounting
The following sections list the attributes sent from the Switch to the RADIUS server when performing authentication.
Attributes Used for Accounting System Events
NAS-IP-Address
NAS-Identifier
Acct-Status-Type
Acct-Session-ID
– The format of Acct-Session-Id is date+time+8-digit sequential number, for example, 2007041917210300000001. (date: 2007/04/19, time: 17:21:03, serial number: 00000001)
Acct-Delay-Time
Attributes Used for Accounting Exec Events
The attributes are listed in the following table along with the time that they are sent (the difference between Console and Telnet/SSH Exec events is that the Telnet/SSH events utilize the Calling-Station-Id attribute):
Attribute | start | interim-update | stop |
|---|---|---|---|
User-Name | | | |
NAS-Identifier | | | |
NAS-IP-Address | | | |
Service-Type | | | |
Acct-Status-Type | | | |
Acct-Delay-Time | | | |
Acct-Session-Id | | | |
Acct-Authentic | | | |
Acct-Session-Time | | | |
Acct-Terminate-Cause | |
Attribute | start | interim-update | stop |
|---|---|---|---|
User-Name | | | |
NAS-Identifier | | | |
NAS-IP-Address | | | |
Service-Type | | | |
Calling-Station-Id | | | |
Acct-Status-Type | | | |
Acct-Delay-Time | | | |
Acct-Session-Id | | | |
Acct-Authentic | | | |
Acct-Session-Time | | | |
Acct-Terminate-Cause | |
Attributes Used for Accounting IEEE 802.1x Events
The attributes are listed in the following table along with the time of the session they are sent:
Attribute | start | interim-update | stop |
|---|---|---|---|
User-Name | | | |
NAS-IP-Address | | | |
NAS-Port | | | |
Class | | | |
Called-Station-Id | | | |
Calling-Station-Id | | | |
NAS-Identifier | | | |
NAS-Port-Type | | | |
Acct-Status-Type | | | |
Acct-Delay-Time | | | |
Acct-Session-Id | | | |
Acct-Authentic | | | |
Acct-Input-Octets | | | |
Acct-Output-Octets | | | |
Acct-Session-Time | | | |
Acct-Input-Packets | | | |
Acct-Output-Packets | | | |
Acct-Terminate-Cause | | ||
Acct-Input-Gigawords | | | |
Acct-Output-Gigawords | | |