Global Configuration - AAA
The Unified Profile Global Configuration AAA Screen displays all configured Global AAA Profiles and is used to create, edit, delete, and assign a Global AAA Profile. AAA Profiles define specific AAA parameters that can be used in an Access Auth Profile or a Captive Portal Profile. A Global AAA Profile can be assigned and automatically applied to all UNP ports that have not been assigned an AAA Profile. In the absence of a port template's AAA profile, the Global AAA Profile can be applied on AOS 8.x Switches.
An AAA Profile can be created to configure user access to the network as well as user access to network devices. The following use cases are supported:
- Using the UPAM local database for both network/switch authentication and client authentication.
- Using the UPAM local database for network/switch authentication (ASA) and an external RADIUS Server for client authentication.
- Using an external RADIUS Server for both network/switch authentication (ASA) and client authentication.
The following use case is not supported:
- Using an external RADIUS Server for network/switch authentication (ASA) and UPAM local database for client authentication.
Creating a Global AAA Profile
Click on the Add icon to bring up the Create AAA Screen. Enter a profile name in the AAA Name field, then follow the instructions below to configure a profile for Network Access or Switch Access.
User's Access to Network
If necessary, click on "User's Access To Network" to open the configuration window. Configure a profile for network access as described below, then click on the Create button.
Authentication Servers
- 802.1X - Select a Primary 802.1X Authentication Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server. You can also click on the "Add New" link to go to the Authentication Servers Application and create a new Server. (The link takes you to the RADIUS Server Management Screen. You can click on one of the other links to create a different server type (ACE, TACACS+).)
Note: For wireless devices, the 802.1X Primary and Secondary Server configurations are used to create an 802.1X Authentication Server Group that is used by Access Auth Profiles (Wireless AAA Server Profiles).
- Captive Portal - Select a Primary Captive Portal Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server. You can also click on the "Add New" link to go to the Authentication Servers Application and create a new Server. (The link takes you to the RADIUS Server Management Screen. You can click on one of the other links to create a different server type (LDAP, ACE, TACACS+).)
Note: Captive Portal Primary and Secondary Server configurations are ignored for wireless devices.
- MAC Auth - Select a Primary MAC Authentication Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server. You can also click on the "Add New" link to go to the Authentication Servers Application and create a new Server. (The link takes you to the RADIUS Server Management Screen. You can click on one of the other links to create a different server type (LDAP, ACE, TACACS+).)
Note: For wireless devices, the MAC Primary and Secondary Server configurations are used to create a MAC Authentication Server Group that is used by Access Auth Profiles (Wireless AAA Server Profiles).
Accounting Servers
- 802.1X - Select a Primary 802.1X Accounting Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server. You can also click on the "Add New" link to go to the RADIUS Server Management Screen and create a new Server.
- Captive Portal - Select a Primary Captive Portal Accounting Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server. You can also click on the "Add New" link to go to the RADIUS Server Management Screen and create a new Server.
- MAC Auth - Select a Primary MAC Accounting Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server. You can also click on the "Add New" link to go to the RADIUS Server Management Screen and create a new Server.
Note: For wireless devices, the Accounting Servers are used to create an Accounting RADIUS Server Group that is used in Access Auth Profiles (Wireless AAA Server Profiles). Captive Portal Primary and Secondary Servers are ignored. Wireless devices only accept RADIUS servers for Accounting; if you select another type, an error occurs when you try to apply the configuration to Wireless Controllers.
Advanced Settings
Advanced settings are not supported on wireless devices and will be ignored when applied to those devices.
MAC Auth
- Session Timeout Trust RADIUS Status - Enables/Disables the Session Timeout Trust RADIUS option for MAC Authenticated users. If Enabled, the switch uses the Session-Timeout attribute received from the Authentication Server in an Access-Accept message. If Disabled, the switch uses the locally configured timeout interval value (Default = Disabled).
- Session Timeout Status - Enables/Disables the Session Timeout option for MAC Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Session Timeout Interval. (Default = Disabled).
- Session Timeout Interval - The Session Timeout value, in seconds. When the Session Timeout value is reached, the authenticated users are logged out and the MAC address for each logged out user device is flushed. Note that when the Session Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again (Range = 12000 - 86400, Default = 43200).
- Inactivity Timeout Status - Enables/Disables the Inactivity Timeout option for MAC Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Inactivity Timeout Interval (Default = Disabled).
- Inactivity Timeout Interval - The Inactivity Timeout value, in seconds. Make sure the configured value is greater than the MAC address aging time for the switch: if the MAC address aging time expires before the configured Inactivity Timeout Interval, the user is not logged out of the network when the timeout is exceeded. Also note that when the Inactivity Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or the user is authenticated again. (Range = 60 - 1200, Default = 600)
- Accounting Interim Trust RADIUS Status - Enables/Disables the Accounting Interim Trust Radius option for MAC Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again. (Default = Disabled)
- Accounting Interim Interval - The amount of time between each interim accounting update for MAC accounting sessions, in seconds. (Range = 60 - 1200, Default = 600)
- Calling Station ID Type - The RADIUS Calling Station ID attribute for MAC accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).
802.1X
- Re-Authentication Timeout Trust RADIUS Status - Enables/Disables the Session Timeout Trust RADIUS option for 802.1x Authenticated users. If Enabled, the Session-Timeout attribute value received from the RADIUS server overrides the locally configured value for the switch. (Default = Disabled).
- Re-Authentication Timeout Status - Enables/Disables the automatic re-authentication of authenticated 802.1X users (Default = Disabled).
- Re-Authentication Timeout Interval - The amount of time the switch waits, in seconds, before triggering re-authentication of 802.1X users. Note that when the re-authentication time interval is changed, the new value does not apply to existing authenticated 802.1X users until the user is flushed out or when the user is authenticated again. Any new 802.1X users are re-authenticated based on the current time interval setting. (Range = 600 - 7200, Default = 3600)
- Accounting Interim Trust RADIUS Status - Enables/Disables the Accounting Interim Trust RADIUS option for MAC Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again. (Default = Disabled)
- Accounting Interim Interval - The amount of time between each interim accounting update for 802.1X accounting sessions, in seconds. (Range = 60 - 1200, Default = 600)
- Calling Station ID Type - The RADIUS Calling Station ID attribute for MAC accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).
Captive Portal
- Session Timeout Trust RADIUS Status - Enables/Disables the Session Timeout Trust RADIUS option for Captive Portal Authenticated users. If Enabled, the switch uses the Session-Timeout attribute received from the RADIUS server in an Access-Accept message. If Disabled, the switch uses the locally configured timeout interval value (Default = Disabled).
- Session Timeout Status - Enables/Disables the Session Timeout option for Captive Portal Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Session Timeout Interval. (Default = Disabled).
- Session Timeout Interval - The Session Timeout value, in seconds. When the Session Timeout value is reached, the authenticated users are logged out and the MAC address for each logged out user device is flushed. Note that when the Session Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again (Range = 12000 - 86400, Default = 43200).
- Inactivity Timeout Status - Enables/Disables the Inactivity Timeout option for Captive Portal Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Inactivity Timeout Interval (Default = Disabled).
- Inactivity Timeout Interval - The Inactivity Timeout value, in seconds. Make sure the configured value is greater than the MAC address aging time for the switch: if the MAC address aging time expires before the configured Inactivity Timeout Interval, the user is not logged out of the network when the timeout is exceeded. Also note that when the Inactivity Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or the user is authenticated again. (Range = 60 - 1200, Default = 600)
- Accounting Interim Trust RADIUS Status - Enables/Disables the Accounting Interim Trust RADIUS option for Captive Portal Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or the user is authenticated again. (Default = Disabled)
- Accounting Interim Interval - The amount of time between each interim accounting update for Captive Portal accounting sessions, in seconds. (Range = 60 - 1200, Default = 600)
- Calling Station ID Type - The RADIUS Calling Station ID attribute for MAC accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).
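To make the interaction of these settings concrete, here is an added Python model (not OmniVista or AOS code) of how Session Timeout, Trust RADIUS and Accounting Interim resolve for a newly authenticated user under MAC Auth, 802.1X or Captive Portal, together with the range checks and the MAC-aging caveat described above. The Access-Accept attributes passed in are constructed sample values, and the gating of the timeout by Session Timeout Status is an assumption.

```python
from dataclasses import dataclass
from typing import Optional
RANGES = {  # seconds; the same ranges apply to MAC Auth, 802.1X and Captive Portal
    "session_timeout_interval": (12000, 86400),
    "inactivity_timeout_interval": (60, 1200),
    "accounting_interim_interval": (60, 1200),
}

@dataclass
class AdvancedSettings:
    """Timeout and accounting knobs of one auth type, with the page's defaults."""
    session_timeout_enabled: bool = False
    session_timeout_trust_radius: bool = False
    session_timeout_interval: int = 43200
    inactivity_timeout_enabled: bool = False
    inactivity_timeout_interval: int = 600
    accounting_interim_trust_radius: bool = False
    accounting_interim_interval: int = 600

def validate(s: AdvancedSettings, mac_aging_time: int) -> list:
    """Return the problems a reviewer would flag; an empty list means consistent."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        value = getattr(s, name)
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}-{hi}")
    # Page caveat: if the MAC aging time expires first, the inactivity timer never fires.
    if s.inactivity_timeout_enabled and s.inactivity_timeout_interval <= mac_aging_time:
        problems.append("inactivity_timeout_interval must exceed the MAC address aging time")
    return problems

@dataclass
class Session:
    """Values the switch latches at authentication time; later profile edits do not touch them."""
    user: str
    session_timeout: Optional[int]  # None = no forced logout
    interim_interval: int

def authenticate(s: AdvancedSettings, user: str, access_accept: dict) -> Session:
    """Compute the effective values for a new user from the profile and the RADIUS attributes
    of the Access-Accept (assumption: Session Timeout Status gates any session timeout)."""
    timeout = None
    if s.session_timeout_enabled:
        timeout = s.session_timeout_interval
        if s.session_timeout_trust_radius and "Session-Timeout" in access_accept:
            timeout = access_accept["Session-Timeout"]
    interim = s.accounting_interim_interval
    if s.accounting_interim_trust_radius and "Acct-Interim-Interval" in access_accept:
        interim = access_accept["Acct-Interim-Interval"]
    return Session(user, timeout, interim)
```

Because a Session is a snapshot, editing the profile's interval after a user has authenticated changes nothing for that user until re-authentication, which is exactly the behaviour the notes above describe.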
RADIUS
- NAS Port ID - The RADIUS client NAS-Port attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to define a NAS-Port identifier for the NAS-Port attribute. "Default" sets the NAS-Port attribute value to the chassis/slot/port of the user. The NAS-Port attribute value specified here is used in Access-Request messages and in Accounting-Request messages.
- NAS ID - The RADIUS client NAS-Identifier attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to identify the switch (RADIUS client) in the NAS-Identifier attribute. "Default" sets the NAS-Identifier attribute to the system name of the switch. The NAS-Identifier attribute value specified here is used in both Access-Request and Accounting-Request messages.
- Username Delimiter - The delimiter character used to separate fields within a RADIUS Server User Name.
- Password Delimiter - The delimiter character used to separate fields within a RADIUS Server Password.
- Calling Station Delimiter - The delimiter character used to separate fields within a Calling Station ID.
- Called Station Delimiter - The delimiter character used to separate fields within a Called Station ID.
- Username Case - Indicates if the RADIUS Server User Name must be in Upper Case or Lower Case.
- Password Case - Indicates if the RADIUS Server Password must be in Upper Case or Lower Case.
- Calling Station ID Case - Indicates if the Calling Station ID must be in Upper Case or Lower Case.
- Called Station ID Case - Indicates if the Called Station ID must be in Upper Case or Lower Case.
User's Access to Switches
If necessary, click on "User's Access To Switches" to open the configuration window. Select the Authentication Server(s) for the different types of switch access, and select an Accounting Server. If necessary, click on the "Add New" link to go to the RADIUS Server Management Screen and create a new Authentication Server. You can also select a UPAM RADIUS Server for Authentication and Accounting.
- Authentication Servers
- Default Authentication - Configures Authenticated Switch Access for any port using any service (e.g., Telnet, SSH, FTP).
- Telnet Authentication - Configures Authenticated Switch Access for any port used for Telnet.
- SSH Authentication - Configures Authenticated Switch Access for any port used for Secure Shell.
- HTTP Authentication - Configures Authenticated Switch Access for any port used for Web-based management.
- FTP Authentication - Configures Authenticated Switch Access for any port used for FTP.
- Console Authentication - Configures Authenticated Switch Access through the console port.
- Accounting Server
- Session Accounting - Configures an Accounting Server for authenticated switch sessions. Accounting servers keep track of network resources (e.g., time, packets, bytes) and user activity.
UPAM RADIUS Server Use Cases
An AAA Profile can be created to configure user access to the network, as well as user access to network devices. The following use cases are supported for the UPAM RADIUS Server.
Use Case | Database for ASA | Database for 802.1X/MAC Authentication | Setting to be Used in UPAM - Authentication Access Policy Page | Sample Policy That Could Be Used in UPAM - Authentication Access Policy Page
UPAM for Network/Switch Authentication/Client Authentication | UPAM DB | UPAM DB | Enable ASA | No explicit Access Policy needed for ASA; any other Access Policy as required for 802.1X/MAC
UPAM for Network/Switch Authentication (ASA), External RADIUS for Client Authentication | UPAM DB | External RADIUS DB (UPAM acts as Proxy to External RADIUS Server) | Enable ASA | No explicit Access Policy needed for ASA; for 802.1X: Network Type = Wired + Authentication Type = 802.1X; for MAC: Network Type = Wired + Authentication Type = MAC
External RADIUS for Network/Switch Authentication (ASA), UPAM for Client Authentication | Use Case Not Supported | Use Case Not Supported | Use Case Not Supported | -
External RADIUS for both Network/Switch Auth (ASA) and Client Authentication | Use Case Not Supported | Use Case Not Supported | Use Case Not Supported | -
Editing a Global AAA Profile
Select the profile in the AAA Screen and click on the Edit icon to bring up the Edit AAA Screen. Edit the fields as described above then click on the Apply button.
Note: You cannot edit the Profile Name.
Assigning a Global AAA Profile
When you click the Apply To Devices button, the Assign AAA Screen appears. Click on the Devices ADD button to select devices. The device(s) will appear in the List of Selected Devices. If necessary, click on the Devices EDIT button to add/remove devices from the list. When you are finished, click on the Apply button.
Deleting a Global AAA Profile
Select the profile in the AAA Screen, click on the Delete icon, then click OK at the confirmation prompt.