Configure the Routing Settings

The AAA Server always searches your LDAP directory first when seeking user data to confirm authentication. The AAA Server permits you to redirect an authentication request to another authentication system. This is helpful if the AAA Server cannot locate a user in the LDAP directory. Conditional routing enables the system to route a user’s request directly to an external RADIUS authentication server (not TACACS+).

Note: Configure this option at the gate level.
  1. Select the gate to be configured.
  2. Click Routing.

     

  3. Select Define External RADIUS Authentication Server to route authentication requests to an external RADIUS server.

    Note: When the AAA Server cannot locate a user, and you have NOT configured external authentication (defined an external RADIUS server), the AAA Server can reject the user outright, or accept the user based on gate authorization. When you define an external RADIUS server, and the AAA Server cannot locate the user, the AAA Server has a third option: to route the user through the external server.
  4. Enter the IP address of the third-party master server and listening port. If necessary, enter the IP address of the third-party slave server and its listening port.
  5. To route accounting requests to the third-party server, enter the accounting master and slave listening ports under Accounting.

    To store the accounting log on the ActivID authentication server, set the accounting port to zero (0).

  6. In the Action to take when User ID... portion of the screen, select the appropriate option for the action the AAA Server should take when it does not find a user in the LDAP directory.

    Authentication:

    • Reject - automatically rejects the user.
    • Route to External Authentication Server - routes the user’s authentication request to the external RADIUS server defined in the top portion of the screen (only available if you select Define External RADIUS Authentication Server).
    • Accept User Based on Gate Authorization Profile - authenticates the user with the gate Authorization profile. This feature enables you to use the two levels of authentication you can set with Cisco® Secure PIX® Firewall.

    Accounting:

    • Discard Accounting - accounting is not applied.
    • Route also Accounting - routes the accounting to the external RADIUS server defined in the top portion of the screen (only available if you select Define External RADIUS Authentication Server).
    • Account locally - accounting is handled locally.
  7. Click OK.
  8. Export data to the server. See Export Data to the AAA Server(s).
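
The following is an added example, not part of the product or its documentation: a small pre-export review of one gate's routing choices, checking the dependencies between the options described above. The `GateRouting` model, its field names, and the action strings are hypothetical; the AAA Server stores these settings through its console, not in this form.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class GateRouting:
    """Hypothetical model of one gate's Routing screen (not a product file format)."""
    define_external: bool = False        # "Define External RADIUS Authentication Server"
    master_ip: Optional[str] = None
    master_port: Optional[int] = None
    slave_ip: Optional[str] = None       # the slave server is optional
    slave_port: Optional[int] = None
    acct_master_port: int = 0            # 0 = accounting log stays on the ActivID server
    auth_action: str = "reject"          # reject | route | accept_gate_profile
    acct_action: str = "local"           # discard | route | local

def endpoint_ok(ip: Optional[str], port: Optional[int]) -> bool:
    """True when ip parses as an IP address and port is a usable listening port."""
    try:
        ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False
    return isinstance(port, int) and 1 <= port <= 65535

def review(cfg: GateRouting) -> List[str]:
    """Return findings to resolve before exporting the gate to the AAA Server."""
    findings = []
    if cfg.auth_action not in ("reject", "route", "accept_gate_profile"):
        findings.append("unknown authentication action")
    if cfg.acct_action not in ("discard", "route", "local"):
        findings.append("unknown accounting action")
    routes = "route" in (cfg.auth_action, cfg.acct_action)
    if routes and not cfg.define_external:
        # Per the page, the route options exist only when the external server is defined.
        findings.append("route action selected but no external RADIUS server defined")
    if cfg.define_external:
        if not endpoint_ok(cfg.master_ip, cfg.master_port):
            findings.append("master server needs a valid IP address and listening port")
        if (cfg.slave_ip or cfg.slave_port) and not endpoint_ok(cfg.slave_ip, cfg.slave_port):
            findings.append("slave server entry is incomplete or invalid")
    if cfg.acct_action == "route" and cfg.acct_master_port == 0:
        # Assumption: port 0 (log kept on ActivID) conflicts with routing accounting.
        findings.append("accounting routed but accounting master port is 0")
    if cfg.auth_action == "accept_gate_profile":
        # Informational: this choice authenticates users that are absent from LDAP.
        findings.append("note: users missing from LDAP are accepted via the gate authorization profile")
    return findings
```

An empty list from `review()` means the selections are mutually consistent; the `note:` entry is informational and records that users not found in LDAP will be authenticated by the gate Authorization profile.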