AAA Configuration


The AAA Configuration defines the RADIUS and LDAP configurations that provide authentication and authorization services to your Extreme Access Control engines. An AAA Configuration can be a basic or advanced configuration. Basic AAA Configurations define the authentication and authorization services for all end-systems connecting to your Extreme Access Control engines. Advanced AAA configurations allow you to define different authentication and authorization services for different end users based on end-system to authentication server mappings.

This Help topic provides the following information for accessing and configuring the AAA Configuration:

  NOTE: Users with an AAA configuration using NTLM authentication to a back-end Active Directory domain whose passwords expire are prompted via Windows to change their domain password.

Accessing the AAA Configuration

Use the following steps to edit or change your AAA Configuration.

  1. Use the NAC Manager Edit NAC Configuration toolbar button to open the NAC Configuration window or use the Edit button in the Configuration tab.
  2. In the left-panel tree, select the AAA icon. The AAA Configuration is displayed in the right panel.
  3. If needed, use the AAA Configuration drop-down menu in the right panel to select the configuration you want for your NAC Configuration, or to create a new one.
  4. Use the fields in the right panel to edit or modify the configuration. The fields vary depending on whether you are editing a basic or advanced configuration. See the sections below for a description of each field and option in the panel.
  5. Click Save to save your changes.

Basic AAA Configuration

Basic AAA Configurations define the RADIUS and LDAP configurations for all end-systems connecting to your Extreme Access Control (Access Control) engines.

Figure: Basic AAA Configuration Window

Authenticate Requests Locally
This option lets you specify that MAC authentication requests are handled locally by the Access Control engine. Select this option if all MAC authentication requests are to be authorized, regardless of the MAC authentication password (except MAC (EAP-MD5) which requires a password that is the MAC address). The Accept policy is applied to end-systems that are authorized locally.

Use the drop-down menu to select one or more MAC authentication types:
  • MAC — includes MAC (PAP), MAC (CHAP), MAC (MsCHAP), and MAC (EAP-MD5) authentication types.
  • MAC (PAP) — this is the MAC authentication type used by Extreme Networks wired and wireless devices.
  • MAC (CHAP)
  • MAC (MsCHAP)
  • MAC (EAP-MD5) — this MAC authentication type requires a password, and the password must be the MAC address.
Primary/Backup RADIUS Servers
If your Access Control engines are configured to proxy RADIUS requests to a RADIUS server, use these fields to specify the primary and backup RADIUS servers to use. Use the drop-down menu to select a RADIUS server, add or edit a RADIUS server, or manage your RADIUS servers.
LDAP Configuration
Use this field to specify the LDAP configuration for the LDAP server on your network that you want to use in this AAA configuration. Use the drop-down menu to select an LDAP configuration, add or edit an LDAP configuration, or manage your LDAP configurations.
Local Password Repository
Use this field to specify the local password repository you want for this AAA configuration. NAC Manager supplies a default repository that can be used to define passwords for administrators and sponsors accessing the Registration administration web page and the sponsor administration web page. The default password is Extreme@pp. Use the drop-down menu to select a repository, or add or edit a repository.

Advanced AAA Configuration

Advanced AAA configurations allow you to define different authentication and authorization services for different end users based on end-system to authentication server mappings. Mappings can be based on:

  • authentication type
  • username/user group
  • MAC address/end-system group
  • hostname/hostname group
  • location group
  • authentication method
  • RADIUS user group
  • LDAP user group

  NOTE: LDAP User Group is only available with an Authentication Type of Registration.

For example, in a higher education setting, you may want faculty members authenticating to one RADIUS server and students authenticating to another. You can also create mappings specifically for authenticating management login requests, when an administrator logs into a switch's CLI via the console connection, SSH, or Telnet.

Mappings are listed in order of precedence from the top down. If an end-system does not match any of the listed mappings, the RADIUS request is dropped. Because of this, you might want to use the "Any" mapping (that is created automatically when you add a new advanced AAA configuration) as your last mapping in the list.

Figure: Advanced AAA Configuration Window

Authorize Authentication Requests Locally
This option lets you specify that MAC authentication requests will be handled locally by the Extreme Access Control engine. Select this option if all MAC authentication requests are to be authorized, regardless of the MAC authentication password (except MAC (EAP-MD5) which requires a password that is the MAC address). The Accept policy is applied to end-systems that are authorized locally.

Use the drop-down menu to specify a particular type of MAC authentication:
  • MAC - includes MAC (PAP), MAC (CHAP), and MAC (EAP-MD5) authentication types.
  • MAC (PAP) - this is the MAC authentication type used by Extreme Networks wired and wireless devices.
  • MAC (CHAP)
  • MAC (MsCHAP)
  • MAC (EAP-MD5) - this MAC authentication type requires a password, and the password must be the MAC address.
Local Password Repository
Use this field to specify the local password repository you want for this AAA configuration. NAC Manager supplies a default repository that can be used to define passwords for administrators and sponsors accessing the Registration administration web page and the sponsor administration web page. The default password is Extreme@pp. Use the drop-down menu to select a repository, or add or edit a repository.
Join AD Domain
The Join AD Domain selection is only displayed if the AAA configuration has multiple mappings set to LDAP Authentication for an Active Directory domain, with different LDAP configurations specified. Specifying the domain to join is only necessary when multiple Active Directory domains are used but there is not a fully trusted relationship set up between all domains. If there is only a one-way trust set up between some domains, you must choose the domain that can authenticate users from all the domains, which is determined by the configuration of your Active Directory forest. Use the drop-down list to explicitly select which LDAP configuration (Active Directory domain) the Access Control engine joins in order to authenticate users to all Active Directory domains configured for that engine, or select Auto Detect to let the Access Control engine determine the domain. Auto Detect starts at the first entry set to LDAP Authentication in the table and attempts to join that domain. If it cannot join that domain, it goes to the next entry set to LDAP Authentication and attempts to join that domain, and so on until one succeeds.
User to Authentication Mapping Table
This table lists mappings between groups of users and authentication configurations. The table displays the username to match along with the defined configuration parameters for that mapping. Mappings are listed in order of precedence from the top down. If an end-system does not match any of the listed mappings, the RADIUS request is dropped. Because of this, you might want to use an "Any" mapping as your last mapping in the list. Use the Mappings toolbar buttons to perform actions on the mappings.
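To make the precedence rule concrete (this table description and the earlier paragraph on mapping order), here is an added example that models the mapping table as a first-match list and includes a check for a missing trailing "Any" mapping; it is not NAC Manager code, and the Mapping and Request classes, their criteria fields and the sample table entries are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of an advanced AAA mapping table (added example, not NAC Manager code).
# A criterion set to None matches anything, so a Mapping with no criteria is the "Any" mapping.
@dataclass
class Mapping:
    name: str
    auth_config: str                        # the authentication configuration the mapping selects
    auth_type: Optional[str] = None         # e.g. "802.1X", "MAC", "Registration", "Management Login"
    user_groups: Optional[set] = None       # usernames (stand-in for a user group)
    mac_prefixes: Optional[tuple] = None    # MAC prefixes (stand-in for an end-system group)
    location: Optional[str] = None          # stand-in for a location group

@dataclass
class Request:
    username: str
    mac: str
    auth_type: str
    location: str

def matches(m: Mapping, r: Request) -> bool:
    """Every criterion the mapping sets must hold for the request."""
    if m.auth_type is not None and m.auth_type != r.auth_type:
        return False
    if m.user_groups is not None and r.username not in m.user_groups:
        return False
    if m.mac_prefixes is not None and not r.mac.upper().startswith(tuple(p.upper() for p in m.mac_prefixes)):
        return False
    if m.location is not None and m.location != r.location:
        return False
    return True

def resolve(table: list, r: Request) -> Optional[str]:
    """First match wins, top down; no match means the engine drops the RADIUS request (None)."""
    for m in table:
        if matches(m, r):
            return m.auth_config
    return None

def ends_with_any(table: list) -> bool:
    """Configuration check: is the last mapping a catch-all, so that no request can be dropped?"""
    last = table[-1]
    return all(c is None for c in (last.auth_type, last.user_groups, last.mac_prefixes, last.location))

# Constructed sample table for a higher-education setting (faculty and students on separate servers).
FACULTY = Mapping("Faculty", "RADIUS: faculty-radius", auth_type="802.1X", user_groups={"asmith", "bjones"})
STUDENTS = Mapping("Students", "RADIUS: student-radius", auth_type="802.1X", user_groups={"cwu", "dlee"})
PRINTERS = Mapping("Printers", "Local MAC authentication", auth_type="MAC", mac_prefixes=("00:11:22",))
ANY = Mapping("Any", "RADIUS: default-radius")
WITHOUT_ANY = [FACULTY, STUDENTS, PRINTERS]
WITH_ANY = WITHOUT_ANY + [ANY]
```

A guest 802.1X request resolves to None (dropped) against WITHOUT_ANY and to the default RADIUS server against WITH_ANY, and placing the "Any" mapping first instead of last shadows every mapping below it.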
Move Mappings Up/Down
Move mappings up and down in the list to determine mapping precedence. Mappings are listed in order of precedence from the top down.
Add New Mapping
Opens the Add User to Authentication Mapping window where you can define a new mapping.
Edit Mapping
Opens the Edit User to Authentication Mapping window where you can edit the selected mapping.
Delete Selected Mappings
Deletes any mappings selected in the table.
Manage LDAP Policy Mappings
Opens the Manage LDAP to Policy Mappings window.
Manage AAA Trusted Certificate Authorities
Opens the Update AAA Trusted Certificate Authorities window where you can provide certificate authorities that are trusted to issue client certificates for 802.1X authentication (EAP-TLS, PEAP, or EAP-TTLS), as well as URLs for Certificate Revocation Lists that can be used to check for revoked client certificates.
