Configuring the ActivID AAA Server

The AAA Server authentication solution consists of several elements that you must create and configure according to your required deployment.

Elements

Server

A server listens to authentication, authorization, and accounting requests coming from the Access Controllers (such as routers, remote access servers, or firewalls) on the RADIUS and TACACS+ ports.

Gate

A gate’s main role is to filter requests according to the Access Controllers’ IP addresses.
Profile

A profile is a list of parameters (sets of attributes or attribute/value pairs) that determines user authentication and device policies – including policies on PINs, unlocking PINs, and authenticating.

  • The AAA Server applies Authorization profiles as users request access. When a user attempts a connection, the Authorization profile specifies which data to check and which data to send back to the Access Controller.
  • Accounting profiles are stored on the AAA Server to keep records of connections (on a single authentication server or on multiple servers). An Accounting profile defines the connection data that the Access Controller returns and that the AAA Server can log.
Query

A query is the primary way in which the AAA Server identifies your users and the devices assigned to them.

It enables the AAA Server to search your LDAP directory for the users that belong in the specified group.

Group

A user group is a logical grouping within the AAA Server that enables the AAA Server to manage user authentication efficiently. A group specifies how a set of users may authenticate to the resources protected by the AAA Server, including which gates they may use to access a resource.

The AAA Server uses the LDAP query you’ve assigned to the group, together with any additional filter you’ve defined for the group, to search your LDAP directory for the users that belong in the group. User groups in the AAA Server may or may not mirror the user groups already defined in your LDAP directory, as your authentication needs dictate. A user can belong to only one AAA Server group.

(Remember that a user group is only a logical grouping within the AAA Server. You continue to manage your users in your LDAP directory.)
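How the gate, group, and profile elements described above interact when an access request arrives, as an added Python model (it is not ActivID code; the class names, the 192.0.2.0/24 Access Controller network, the LDAP filter strings, and the RADIUS attribute values are constructed assumptions):

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Profile:
    """Authorization profile: attributes to verify before access is granted
    and attributes to return to the Access Controller afterwards (assumed model)."""
    check_before: dict = field(default_factory=dict)
    send_after: dict = field(default_factory=dict)

@dataclass
class Gate:
    name: str
    allowed_clients: list          # Access Controller networks this gate admits
    profile: Profile

@dataclass
class Group:
    name: str
    ldap_query: str                # LDAP query assigned to the group
    extra_filter: str = ""         # optional additional filter for the group
    gates: set = field(default_factory=set)   # gates this group's users may use

    def ldap_filter(self) -> str:
        """Combine the assigned query with the extra filter (RFC 4515 AND)."""
        return f"(&{self.ldap_query}{self.extra_filter})" if self.extra_filter else self.ldap_query

def authorize(gates, groups, user_group, nas_ip, request_attrs):
    """Evaluate one access request; returns (accepted, reply attributes or reason)."""
    client = ip_address(nas_ip)
    # 1. A gate filters requests by the Access Controller's IP address.
    gate = next((g for g in gates
                 if any(client in ip_network(n) for n in g.allowed_clients)), None)
    if gate is None:
        return False, "no gate accepts this Access Controller IP"
    # 2. The user's group decides which gates its members may use.
    group = groups.get(user_group)
    if group is None or gate.name not in group.gates:
        return False, f"group {user_group!r} is not assigned to gate {gate.name!r}"
    # 3. The authorization profile checks request data before granting access...
    for attr, required in gate.profile.check_before.items():
        if request_attrs.get(attr) != required:
            return False, f"check-before attribute {attr} does not match"
    # ...and sends its 'send after' attributes back to the Access Controller.
    return True, dict(gate.profile.send_after)

# Constructed sample configuration (documentation-only addresses and values).
VPN_GATE = Gate("vpn", ["192.0.2.0/24"],
                Profile({"Service-Type": "Framed-User"}, {"Framed-Protocol": "PPP"}))
GROUPS = {"employees": Group("employees", "(objectClass=person)", "(ou=Employees)", {"vpn"}),
          "partners": Group("partners", "(objectClass=person)")}
```

A request is refused at the first element that does not admit it, so a misconfigured gate client list or an unassigned group surfaces as a rejection before any profile attribute is examined.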

Device repository

A device repository is a logical store of authentication devices (smart cards, tokens and USB keys).

When you import pre-initialized devices, the AAA Server stores them in the root device folder by default. You can create additional repositories under the root for storing devices, so that not every device ends up in the root.

Whether you have a large user database or a relatively small one, it’s easier to manage devices if you store them in an organized way.

Some general categories to consider are:

  • Partners, Employees, Customers, Suppliers.
  • Device-specific categories (for example, smart cards, type of token).
  • Mirror of your company structure (for example, by department) or by region (for example, Asia Pacific), or by physical location of authentication servers (for example, London, Paris, New York).

Topics in this section

Each configuration task listed in this table consists of multiple actions.

The tasks are presented in the order in which you should handle them when you first configure the AAA Server.

After you are familiar with the AAA Server, you can handle the tasks in any order as long as prerequisites are met.

Tasks and actions

Configuring the AAA Server
  • Configure the AAA Server
  • Start or Stop the AAA Server
  • Access the Administration Console
  • Configure the Connection to LDAP
  • Configure the LDAP Settings for Write Access

Configuring the authentication servers
  • Define AAA Server Authentication Servers
  • Define a Single Backup Server
    OR
  • Define a Pool of Servers
  • Set Up Roaming
  • Activate Cache for Callback or Multilink

Managing dictionaries
  • Update Dictionaries

Configuring profiles
  • Create a New RADIUS Authorization Profile
  • Create a New RADIUS Accounting Profile
  • Add an Attribute as ‘Send After’ or ‘Check Before’
  • Add a ‘Conditional Send After’ Attribute
  • Edit a ‘Send After’ or ‘Check Before’ Attribute
  • Remove Existing Attributes from ‘Send After’ or ‘Check Before’
  • Update Dictionaries

Configuring gates
  • Create a Gate
  • Configure a Gate
  • Configure the Routing Settings

Configuring groups
  • Create an LDAP Query
  • Create a Group Using LDAP Queries and Filters
    OR
  • Map Existing LDAP Groups to the AAA Server
  • Set Up Roaming
  • Assign User Groups to a Gate

Configuring administrative users
  • Create and Manage Administration Users
  • Set Help Desk Parameters
    (Not for use with ActivID CMS)

Configuring the security settings
  • Configure the Operator Read Rights
  • Set the Mini Token PIN Policy
  • Set the SMS PIN Policy
    (Not for use with ActivID CMS)
  • Configure the Temporary Password Policy
  • Configure the Synchronous Authentication Counter

Configuring SMS authentication
  • Configure the SMS Gateway
    (Not for use with ActivID CMS)
  • Configure the SMS Backup Authentication Settings

Configuring wireless authentication
  • Configure the Wireless Authentication (EAP) Settings
  • Configure the Gate Wireless (EAP) Settings

Managing audit services
  • Enable Audit Services