Create a Gate

A gate for the AAA Server is a group of Network Access Servers (NAS) that is used to simplify administration.

Prerequisites:

Define how many gates and filters you need to create:

  • To NOT filter requests by Access Controller IP addresses - define one gate and no filters. This gate is considered the default gate and is used if no other gate can handle the request using the filters.
  • To filter all Access Controller requests - define one or more gates with one or more filters each. Upon receipt of a request from an Access Controller, the AAA Server, which knows the client’s IP address, looks through every gate to find the filter corresponding to the correct IP address. If found, it uses the gate with that address. If not, the AAA Server denies the request.
  • To filter specific Access Controller requests - define one or more gates with filters, and one gate with no filter. On receipt of a request from an Access Controller, the AAA Server (which knows the client’s IP address) looks through every gate with a filter to find the corresponding IP address. If found, it uses that gate. If not, the AAA Server uses the gate with no filter.
Note: There can be only one default gate per server and per protocol (RADIUS or TACACS+).
You can mix RADIUS and TACACS+ gates on a single server. Each user can be a member of only one gate. This ensures that they are related to a unique authorization or accounting profile. If your configuration can produce a situation where users may belong to more than one gate due to the LDAP queries that you have configured, the AAA Server interprets the user as belonging to the gate with the highest number of matching attributes.
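
The gate selection described in the three layouts above can be modelled as follows. This is an added example, not code from the AAA Server product; the Gate class, select_gate, audit, and the sample gates are hypothetical, filters are modelled as IP addresses only (the product also accepts names), and the overlap check is an extra review aid because the page does not say which gate wins when one address is listed in two gates.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Gate:
    name: str
    protocol: str                                # "RADIUS" or "TACACS+"
    filters: list = field(default_factory=list)  # authorized Access Controller IPs; empty = no filter

def select_gate(gates, protocol, client_ip):
    """Return the gate that handles a request from client_ip, or None when it is denied."""
    ip = ipaddress.ip_address(client_ip)
    default = None
    for gate in gates:
        if gate.protocol != protocol:
            continue
        if not gate.filters:
            default = gate                       # gate with no filter: used only as fallback
        elif any(ip == ipaddress.ip_address(f) for f in gate.filters):
            return gate                          # a filter matched the client's address
    return default                               # None: no filter matched and no default gate

def audit(gates):
    """List configuration problems before they are entered in the console."""
    findings, defaults, owners = [], {}, {}
    for gate in gates:
        if not gate.filters:
            # Page rule: only one gate per protocol may have no filter.
            if gate.protocol in defaults:
                findings.append(f"{gate.protocol}: second gate with no filter: {gate.name}")
            defaults.setdefault(gate.protocol, gate.name)
        for f in gate.filters:
            # Assumption: an address listed in two gates is ambiguous, so flag it for review.
            key = (gate.protocol, ipaddress.ip_address(f))
            if key in owners:
                findings.append(f"{f} is in both {owners[key]} and {gate.name}")
            owners.setdefault(key, gate.name)
    return findings

# Constructed sample configuration (documentation address ranges, not real devices).
GATES = [
    Gate("vpn", "RADIUS", ["192.0.2.10", "192.0.2.11"]),
    Gate("radius-default", "RADIUS"),            # default gate for RADIUS
    Gate("routers", "TACACS+", ["198.51.100.7"]),  # TACACS+ has no default gate
]

if __name__ == "__main__":
    for proto, ip in [("RADIUS", "192.0.2.10"), ("RADIUS", "203.0.113.5"), ("TACACS+", "203.0.113.5")]:
        gate = select_gate(GATES, proto, ip)
        print(proto, ip, "->", gate.name if gate else "DENY")
    print(audit(GATES) or "no findings")
```

In the sample, an unlisted address is accepted through the RADIUS default gate but denied for TACACS+, which has no gate without a filter.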

To use Authorization and Accounting profiles with a gate, you must create them prior to assigning them. You can add Authorization and Accounting profiles to a gate at any time (not just at the time you create gates). See Create a New RADIUS Accounting Profile and Create a New RADIUS Authorization Profile.

  1. In the tree in the left pane of the Administration Console, expand the Servers line.
  2. Right-click on the server to which you want to add a gate, and select New Gate.

    Note: A single server can be both a RADIUS server and a TACACS+ server since they are not running/listening on the same ports.
  3. Enter a name for the gate in the Gate name field. The name can be any string.
  4. Select the option (RADIUS or TACACS+) corresponding to the protocol your Access Controller uses.

  5. If you use the RADIUS protocol, then in the Dictionary field, specify the dictionary used on your Access Controller. The default.rad dictionary is the default dictionary specified in the RADIUS RFC.

    Because some hardware providers have enhanced the RADIUS protocol to add their own features, use the dictionary corresponding to your Access Controller. If you have authorized several Access Controllers on the same gate, those controllers must use the same TACACS+ or RADIUS dictionary.

  6. Use the Authorized remote IP names or addresses section of the screen to specify one or more filters for the gate.

    Only one gate per protocol may have no filter.

    1. Enter the Access Controller name or IP address to filter by in the first field.
    2. Click Add. You can add as many IP addresses as you want.
  7. Optional. In the Default profile section, select default Authorization and Accounting profiles.

    Note: Only profiles that use the same dictionaries as the gate are displayed in the list. If you have not yet created the profiles, you can assign these profiles later.

    When a user connects through this gate, if you have not defined Authorization and/or Accounting profiles in the user’s group, then the AAA Server uses the profiles defined here at the gate level instead.

    If you do not define a profile at the user’s group level or gate level, then the AAA Server does not apply a profile.

  8. Click OK.

    The gate’s name is displayed in the Administration Console’s tree under its server. The Administration Console now displays the gate’s configuration information.

    The Administration Console creates the gate with default configuration information that you might have to modify.