Configure the AAA Server

This section describes how to configure the AAA Server so that it can communicate with the AAA Administration Console.

Warning! Never run the AAA Server Configurator when the Microsoft Services Manager Window is open. Make sure the Microsoft Services Manager is closed, not just minimized, before running the AAA Server Configurator.

  1. Select Start, point to Programs > ActivIdentity > AAA, then click Server Configurator.

    • If this is the first installation of the AAA Server, you are prompted for credentials defined during setup.
    • If there is an existing installation, you are prompted for your user name and password.

  2. Provide your credentials or enter a new user name and static password of your choice.

    The AAA Server uses this new static password to encrypt the AAA Authentication Server database encryption key.

    Be sure you do NOT forget this password; otherwise, you will not be able to start or stop the AAA Server after you install and configure it. Keep this static password recorded in a safe place. Use a different password when you log on to the Administration Console.

  3. Click OK to access the AAA Server Configuration tool.

  4. In the AAA Server section of this dialog box, set Port, Secret, UserID and Password as follows:

    1. Port: TCP/IP listening port for exchanges between the AAA Server and the Administration Console. You can accept the default port, 2034, or change it as required.

      2. Important: You must set the same port in the Administration Console as you do in the AAA Authentication server. The AAA Server uses the port in the Authentication server to synchronize the Administration Console database and the Authentication database and to log data for audit purposes.

    2. Secret: You MUST change the default server shared secret to maintain maximum security.

      3. Important: You must set the same secret in the Administration Console as you set in the AAA Authentication server. The AAA Server uses this secret to encrypt exchanges between the AAA Authentication server and the Administration Console.

    3. The AAA Server uses the User ID and Password fields to encrypt the database encryption key. To change one or both of these values, click Change user ID / password.

      Important: The AAA Server uses the User ID and Password fields to start the ODBC connection with the database used by the server. It is strongly recommended that you protect this database access from unauthorized third parties.

    4. Enter and confirm a new password, then click OK.

      The above step automatically changes the username and password required to access the AAA Server Configuration program. Keep the first Administrator’s User ID and Password safe. This is the permanent User ID and Password to use to access the server.

  1. In the DSN ODBC section of the AAA Server Configuration dialog box (shown below), change one or both values. To change one or both the UserID and Password, click Change user ID / password.

     

    1. Change the values as required.
    2. Click OK.

    If you change the database user ID or password in your database management system, remember to use this dialog box to update the settings for the AAA Server.

  2. In the Run AAA Server Service as... section of the AAA Server Configuration dialog box (shown below), leave the fields empty to use the Local System administrator account. Optionally, enter credentials for an alternative account (only if you want the AAA Server service to use a Windows account other than the Local System administrator account).

    Note: If you experience errors while attempting to start the AAA Administrator Console or AAA Service, it is recommended to input an account here with local Administrative rights.

    This account must have sufficient rights to write to the disk, access the databases and run the Services.

  3. If you intend to use a secure connection to the LDAP, under LDAP settings:

    1. Browse to the exported root certificate (a .cer file in base64 format) of the certificate authority that issued the server certificate installed in your directory and used to access your LDAP.
      Important:
      • This certificate must be imported into the AAA Server's Trusted Root Certification Authorities store, as well as any server which will initiate LDAPS communication with the directory server on behalf of AAA Server (for example, if the SKI Connector is running on a separate server, the certificate should also be chainable to root on that server).
      • You must also configure the same certificate in the Administration Console (see Configure the Connection to LDAP) and SKI Connector (see Configure the SKI Connector).
      2. Note: LDAPS with Multiple Domains
      LDAPS will not work for multiple peer domains in the same forest, nor will it work for multiple domains in different forests.

    2. Select Swap the order of LDAP servers... if you are using two LDAP repositories and want to ensure high availability.

      3. Note: In a master/backup or server pool configuration, you should swap the LDAP order on only one of the AAA Servers.

  1. In the Service dependencies section of the AAA Server Configuration dialog box (shown below), select any services the AAA Server requires to perform an automatic startup during a Windows boot. This step is required only if the AAA Server and the database engine hosting the server’s database are on the same machine.

  2. Click Database Encryption to view the current encryption status.

    Note: It is recommended that you always work in encrypted mode. The database decryption mode is deactivated by default and should only be used for debugging. For more information, contact HID Global technical support.

    The encryption status display applies ONLY if the AAA Server and the database engine hosting the server’s database are on the same machine, and you have to ensure that the database engine has started before the AAA authentication service starts. Skip this step if your AAA Server and database are on different machines.

  3. Click Options to set log and trace information and optionally configure EAP.

  4. Click General.

    Note: The Error and Trace log file sizes should ensure that the log is large enough to capture information you might need to review. Set the file size large enough to be useful, but not so large as to impact the AAA Server system performance. Only you can estimate the log file size based on your company organization, the number of people using devices, your security policies and procedures, etc. If you are in doubt, accept the default value until you are more familiar with the system.
    1. Log and traces Path: specify the directory location for the error log file (ActivPackAdminErr.txt) and the debug trace file (ActivPackAdminTra.txt).
    2. Dictionary Path: specify the directory location for the various RADIUS and TACACS+ dictionaries. (The default directory was set during installation.)
    3. Error log Maximum size: set the file size for the error log.
    4. Trace for debug Maximum size: set the maximum size for the debug trace log file.
    5. Select Active trace to activate Error log and Trace for debug.
      You must check this box; otherwise, the system will not write to the error log.
    6. Click OK.
  5. EAP Settings must be configured only if you are using AAA to protect a wireless network. For information on how to configure these settings, see Configure the Wireless Authentication (EAP) Settings.