AAA Servers

AAA Server Overview

Overview

AAA stands for authentication, authorization, and accounting. An AAA server is a database that stores user credentials—username and password—and, in some cases, group information or other user attributes. The authentication results and group or user attribute information are used by access management framework policy for decisions.

In the access management framework, the sign-in page, realm, and AAA server configurations are associated. They determine user access and user role. A user submits credentials through a sign-in page, which specifies a realm, which is associated with a AAA server. If the access request meets the realm’s authentication policy, the system forwards the user’s credentials to the associated authentication server. The authentication server’s job is to verify the user’s identity. After verifying the user, the authentication server sends approval. If the realm also uses the server as a directory/attribute server, the AAA server sends the user’s group information or other user attribute information. The access management framework then evaluates the realm’s role-mapping rules to determine the user roles that apply to the session.

The access management framework supports the following types of AAA servers:

Local—You can create special purpose local databases to manually create user accounts, manage guest user access, permit anonymous access, or manage access based on digital certificates or MAC addresses.
External (standards-based)—You can integrate standards-based LDAP and RADIUS servers with the access management framework. In addition to using the backend server for authentication, you can use LDAP group and RADIUS attribute information in role-mapping rules.
External (other)—You can integrate compatible versions of popular third-party AAA servers with the access management framework. In addition to using the backend server for authentication, you can use Active Directory group information. In addition, you can use MDM device attributes in role mapping rules.

The following table is a reference of the AAA servers supported in IPS deployments.

	IPS
Local	Local Authentication Server Overview Certificate Server Overview MAC Address Authentication Server Overview *Special features to manage guest users. Anonymous Server Overview SAML Server Overview Access Control with SAML Server
External (standards-based)	LDAP Server Overview RADIUS Server Overview OAuth Servers Overview
External (other)	Active Directory Feature Support RSA Authentication Manager Overview SQL Auth Server Overview ACE Server Overview

IPS

Local

Local Authentication Server Overview

Certificate Server Overview

MAC Address Authentication Server Overview

*Special features to manage guest users.

Anonymous Server Overview

SAML Server Overview

Access Control with SAML Server

External (standards-based)

LDAP Server Overview

RADIUS Server Overview

OAuth Servers Overview

External (other)

Active Directory Feature Support

RSA Authentication Manager Overview

SQL Auth Server Overview

ACE Server Overview

Authentication Protocols Used by AAA Servers

Policy Secure supports multiple authentication protocols. The following authentication servers require the protocols listed:

Local authentication servers—If the passwords are stored as hashed values, the protocols available are PAP and MS-CHAP v1 with or without EAP. If the passwords are stored as clear text, CHAP and MD5-Challenge are also available.
Active directory—The protocols available for inner authentication are PAP, MSCHAP and MS-CHAP v2, with or without EAP.
LDAP—CHAP, EAP-MD5-Challenge, MS-CHAP v1, and MS-CHAP v2 protocols can be used with an LDAP authentication server only if the administration password is in clear text. By default, challenge response protocols are disabled for LDAP servers. Use these protocols only with noninteractive devices (for example, phones), as password management is not possible if these protocols are used for authentication.