Configure AAA

Information About AAA

You can forward Cisco Spaces: Connector authentications to a remote Authentication, Authorization, and Accounting (AAA) server, bypassing local authentication. AAA is configured from the command line. AAA-authenticated users access the Connector Web UI with the same access rights as the dnasadmin user. Once AAA is active on the Connector, the dnasadmin user can no longer log in to the Connector, except in the fallback cases noted below.


Note


You can still use the dnasadmin user to access the Web UI in the following scenarios:
  • If you have configured AAA incorrectly.

  • If the Connector cannot reach the AAA server.

Because this fallback is automatic, anyone who can cut the Connector's path to the AAA server forces it back to local authentication, so keep the dnasadmin password strong even after AAA is enabled.



Note


Because of CSCvt29826, AAA with IPSec is not compatible with a certificate that was generated on the Connector with the connectorctl generatecert command using an Elliptic Curve Digital Signature Algorithm (ECDSA) key type.


The Connector and the AAA server communicate using Remote Authentication Dial-In User Service (RADIUS), which runs over UDP. RADIUS itself only obfuscates the User-Password attribute with the shared secret; the rest of each exchange, including user names, is sent in clear text.

You can encrypt this UDP traffic with IPSec. The supported IPSec authentication types are pubkey and PSK.

For the pubkey authentication type, provide the CA certificate of the AAA server as a PEM file.

For the PSK authentication type, either have the Connector autogenerate the PSK (and then configure the same value on the AAA server) or provide the PSK that is already configured on the AAA server.
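As an added illustration of what RADIUS exposes on the wire and what the shared secret does and does not protect, the following stand-alone Python script (written for this page, not code from the Connector or from Cisco) encodes an Access-Request and an Access-Accept per RFC 2865, decodes the User-Password attribute, verifies the Response Authenticator, and shows the offline secret guessing an eavesdropper on the unencrypted UDP path can attempt against one captured exchange. The shared secret, user name, password, NAS address and the fixed Request Authenticator are constructed for the demo.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept encoding and verification.
Added example using only the standard library; not Connector code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed values: SECRET stands in for the "shared secret key" entered in
# connectorctl; REQ_AUTH is fixed so the demo is reproducible (a real client
# draws 16 fresh random bytes per request with os.urandom).
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. This is obfuscation keyed only by the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(enc: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encode_user_password; trailing NUL padding is stripped."""
    plain, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return plain.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, req_auth=None):
    """Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    if req_auth is None:
        req_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: was this reply produced by a holder of the secret for this request?"""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value}; everything except User-Password is readable as-is."""
    attrs, body, i = {}, packet[20:], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def recover_secret(request: bytes, response: bytes, candidates):
    """What an eavesdropper on the unprotected UDP path can do: test candidate
    secrets offline against a single captured request/response pair."""
    for cand in candidates:
        if verify_response(request, response, cand):
            return cand
    return None


def demo() -> dict:
    req = build_access_request(7, "alice", "P@ssw0rd!", "10.22.244.100", SECRET, REQ_AUTH)
    resp = build_response(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET)
    forged = build_response(ACCESS_ACCEPT, 7, REQ_AUTH, b"wrong")
    attrs = parse_attributes(req)
    return {
        "username_on_wire": attrs[ATTR_USER_NAME],
        "password_on_wire": attrs[ATTR_USER_PASSWORD],
        "password_decoded": decode_user_password(attrs[ATTR_USER_PASSWORD], SECRET, REQ_AUTH),
        "response_valid": verify_response(req, resp, SECRET),
        "forged_response_valid": verify_response(req, forged, SECRET),
        "secret_from_capture": recover_secret(req, resp, [b"radius", b"cisco123", SECRET]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Save it under any name and run it with python3. Everything a packet capture shows here (user name, NAS address, both authenticators) is exactly what the IPSec option wraps inside ESP, and the offline guess at the end is why a shared secret alone is a weak defense once a capture exists: enable IPSec whenever the Connector-to-AAA path is not trusted.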

Configure AAA

Before you begin

  • To enable IP Security with the pubkey authentication type, copy the CA certificate of the AAA server to the /home/dnasadmin directory on the Connector and rename it radiusca.pem.

SUMMARY STEPS

  1. connectorctl aaa enable
  2. connectorctl aaa edit
  3. On the Connector Web UI, check the AAA status in the AAA Status field

DETAILED STEPS


Step 1

connectorctl aaa enable

Example:

[cmxadmin@cmxnew-01 ~]$ connectorctl aaa enable
Do you want to configure AAA Server? [yes/no] [yes]:
Enter AAA Server Host IP : 10.22.244.114
Enter AAA Server Port  [1812]:
Enter AAA Server's shared secret key :
Repeat for confirmation:
Do you want to enable IPSec? (y/n) [n]:

AAA Server configured successfully
Connection to AAA Server Successful. AAA Settings are correct.
[cmxadmin@cmxnew-01 ~]$

Enable AAA.

Step 2

connectorctl aaa edit

Example:

This example configures AAA with IP Security and the pubkey authentication type.

[cmxadmin@cmxnew-01 ~]$ connectorctl aaa edit
Do you want to CHANGE AAA Server settings? [yes/no] [yes]:
Enter AAA Server Host IP  [10.22.244.114]:
Enter AAA Server Port  [1812]:
Enter AAA Server's shared secret key :
Repeat for confirmation:
Do you want to enable IPSec? (y/n) [n]: y
Enter AAA Server's DNS name : aaa-srv-01
Select IPSec Auth Type: (pubkey/psk) [pubkey]:
AAA Server's CA Certificate file : radiusca.pem

AAA Server configured successfully
Connection to AAA Server Successful. AAA Settings are correct.
IPSec is Enabled
IPSec Status:
Security Associations (1 up, 0 connecting):
         aaa[1]: ESTABLISHED 0 seconds ago, 10.22.244.100[cmxnew-01]...10.22.244.114[aaa-srv-01]
         aaa{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6c620cb_i c06dcc78_o
         aaa{1}:   10.22.244.100/32 === 10.22.244.114/32

Example:

This example configures AAA with IP Security and the PSK authentication type, providing the PSK value configured on the RADIUS server.
[cmxadmin@cmxnew-01 ~]$ connectorctl aaa edit
Do you want to CHANGE AAA Server settings? [yes/no] [yes]:
Enter AAA Server Host IP  [10.22.244.114]:
Enter AAA Server Port  [1812]:
Enter AAA Server's shared secret key :
Repeat for confirmation:
Do you want to enable IPSec? (y/n) [y]:
Enter AAA Server's DNS name  [aaa-srv-01]:
Select IPSec Auth Type: (pubkey/psk) [pubkey]: psk
Do you want to auto-generate ('a') OR provide ('p') PSK from Radius Server ? [a]: p
Enter PSK from Radius Server : 7dBoZXAkhadFMsyJ8e9HsBxdajnUPcxS

AAA Server configured successfully
Connection to AAA Server Successful. AAA Settings are correct.
IPSec is Enabled
IPSec Status:
Security Associations (1 up, 0 connecting):
         aaa[1]: ESTABLISHED 1 second ago, 10.22.244.100[cmxnew-01]...10.22.244.114[aaa-srv-01]
         aaa{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c59d3960_i cf338432_o
         aaa{1}:   10.22.244.100/32 === 10.22.244.114/32
         aaa{2}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c75d414b_i c7e495e2_o
         aaa{2}:   10.22.244.100/32 === 10.22.244.114/32

Example:

This example configures AAA with IP Security and the PSK authentication type, autogenerating a new PSK value.
[cmxadmin@connector-01 ~]$ connectorctl aaa edit
Do you want to CHANGE AAA Server settings? [yes/no] [yes]:
Enter AAA Server Host IP  [10.22.244.114]:
Enter AAA Server Port  [1812]:
Enter AAA Server's shared secret key :
Repeat for confirmation:
Do you want to enable IPSec? (y/n) [y]:
Enter AAA Server's DNS name  [aaa-srv-01]:
Select IPSec Auth Type: (pubkey/psk) [psk]:
Do you want to auto-generate ('a') OR provide ('p') PSK from Radius Server ? [a]: a
Generated PSK value = 3AhBgueQQ6YBkKMwqIr6jyxIuG9ekw8g

AAA Server configured successfully
Connection to AAA Server Successful. AAA Settings are correct.
IPSec is Enabled
IPSec Status:
Security Associations (0 up, 0 connecting):
  no match
The IP Security status shows zero security associations because the tunnel cannot be established until the same PSK is configured on the RADIUS server. After configuring it there, verify a few seconds later with the connectorctl aaa show command and confirm that the PSK values on both sides match. Note that connectorctl aaa show prints the IPSec PSK in clear text while the RADIUS shared secret is masked, so treat terminal logs and session recordings of this command as sensitive.
[cmxadmin@connector-01 ~]$ connectorctl aaa show
AAA Server is Enabled
AAA Server IP: 10.22.244.114
AAA Server Port: 1812
Shared Secret: <<masked>>

IPSec is Enabled
AAA Server DNS: aaa-srv-01
IPSec Auth type: psk
IPSec PSK: 3AhBgueQQ6YBkKMwqIr6jyxIuG9ekw8g
IPSec Status:
Security Associations (1 up, 0 connecting):
         aaa[3]: ESTABLISHED 20 seconds ago, 10.22.244.100[connector-01]...10.22.244.114[aaa-srv-01]
         aaa{3}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ca4688d1_i c24be7d9_o
         aaa{3}:   10.22.244.100/32 === 10.22.244.114/32
Connection to AAA Server Successful. AAA Settings are correct.

Edit an existing AAA configuration.

Step 3

On the Connector Web UI, check the AAA status in the AAA Status field

Figure 1. AAA Enabled with IP Security and PubKey
Figure 2. AAA Enabled without IP Security
AAA is enabled.

What to do next

You can disable AAA using the connectorctl aaa disable command. If IPSec is enabled, you can restart the IPSec tunnel with the connectorctl aaa restart command if necessary.