Define AAA Server Authentication Servers

For each authentication server you have installed, you must define that server in the Administration Console so that you can manage it.

For further information on AAA Server deployment, see Server Deployment Scenarios.

Important: Do NOT follow these steps for backup or pool servers. For information on backup and pool servers, see Define a Single Backup Server and Define a Pool of Servers.
  1. Right-click on Servers in the tree in the left pane of the Administration Console.
  2. Select New Server.

  3. Enter a name for the authentication server in the Name field. (The server’s name in the Administration Console can be different from the authentication server’s hostname.)
    Important: You cannot change the name of the authentication server later!
  4. Enter the AAA Server authentication server’s IP address in the IP Address field.
  5. Click OK.

    The authentication server’s name is displayed in the Administration Console’s tree under Servers, and the Administration Console now displays the server’s configuration information.

    The Administration Console creates the server with default configuration information that you might need to modify.

  6. In the Server section of the screen, define the following settings:

    Setting Description

    IP Address

    This IP Address corresponds to the authentication server’s address defined above.

    AAA Server uses it during exports from the Administration Console to authentication servers.

    Max. Number of Tries

    This field specifies the maximum number of consecutive unsuccessful authentication attempts a user can make against the server before the device account is locked.

    Note: The corresponding value defined at group level overrides this one. If no value is defined at group level, the server value set here applies.

    The default value is 5.

    Max. Number of Threads

    This field specifies the maximum number of threads that can run simultaneously on the server.

    The default value for each listening port (RADIUS, TACACS+ or Import/Export) is 50.

    You can increase this value according to the authentication rate you require.

    Server Shared Secret

    The shared secret here MUST match the secret originally set in the AAA Server Configuration.

    If you changed that secret on the server side, modify the shared secret here to match.

    The default value is ActivPack.

    Note: The maximum length of the secret is 24 characters and special characters are allowed.
    Important: The system uses this secret to encrypt all exchanges between authentication servers and the AAA Server Administration Console workstation. You must change this default shared secret to secure those exchanges.

    Administration Port

    The administration port MUST match the port set in the AAA Server Configuration (by default, 2034).

    It is used for administrative tasks, such as export and consolidation.

    If you changed the port setting in the original Server Configuration screen, change it here to match.

    Roaming/Replication Port

    If you intend to use this server for roaming, enter the value for the TCP/IP listening port.

    The default value is 2035.

    LDAP Settings

    Define the settings for the LDAP server whose users are to be authenticated by this AAA Server.

    The system automatically selects Use Default Settings. Under most circumstances, you should leave the default settings in place.

    If you do not want to use the default settings (for example, you have multiple LDAP directories for architecture and/or performance reasons), clear Use Default Settings and modify the fields as needed:

    • LDAP Server - enter the hostname of the server or its IP address.
    • LDAP Port - the port the AAA Server uses to communicate with the LDAP server.

      You can leave 389 as the default value or enter a different number.

    • Login DN - enter the DN the AAA Server uses to connect to the LDAP directory (the administrator’s name or other common name (cn)).
    • Login Password - enter the LDAP directory’s password.

      This is the password created in LDAP to permit access to the directory by AAA Server.

      Do not use an administrator’s password.

      Note: The maximum password length is 24 characters.
    • Test: click on this button to check your settings if you changed the defaults.

    Strip NT Domain Name

    Select this option to remove a prefix/suffix previously configured in RAS.

    The system uses the Strip NT Domain Name option to prevent authentication problems with a Microsoft RAS client. In the absence of specific domain settings in the Microsoft RAS client, the client inserts the domain name in front of the login.

    Strip IP Domain Name

    Select this option to remove a prefix/suffix previously configured in RAS.

    The system uses the Strip IP Domain Name with realms when your architecture is based on a multiple authentication server backbone. A proxy redirects authentication requests according to the @domain name. The AAA Server removes the <@domain> and validates user identity without changing the architecture.

    Note: If you intend to use this server for wireless authentication access, enable the strip domain options as follows:
    1. For EAP-TLS, select Strip IP Domain Name.
    2. For PEAP-MSCHAP V2, select Strip NT Domain Name.
  7. To specify another IP address for replication or roaming, enter an optional IP Address.

    Note: An AAA Server can have more than one network interface: one dedicated to authentication requests and another for replication/roaming.
  8. In the RADIUS section of the screen, define the following settings:
    Setting Description

    Authentication Port

    Specify the RADIUS Authentication listening port on the server.

    The value must match that on the Access Controller.

    The default value is 1812.

    Accounting Port

    Specify the RADIUS Accounting listening port on the server.

    The value must match that on the Access Controller.

    The default value is 1813.

    RADIUS Shared Secret

    The RADIUS shared secret must be the same in the Administration Console and the Access Controller.

    The system uses this secret to encrypt information between your NAS and authentication server.

    The default value is ActivPack.

    Note: The maximum length of the secret is 120 characters and special characters are allowed.
  9. In the TACACS+ section of the screen, define the following settings:
    Setting Description

    Port

    Specify the listening port on the TACACS+ server.

    The value must be the same in the Administration Console and the Access Controller.

    The default value is 49.

    TACACS+ Shared Secret

    The TACACS+ shared secret must be the same in the Administration Console and the Access Controller.

    The system uses this secret to encrypt all exchanges between your NAS and authentication server. The TACACS+ secret can be different from the RADIUS secret.

    The default value is ActivPack.

    Note: The maximum length of the secret is 120 characters and special characters are allowed.
  10. In the Priority section of the screen, set the thread priority for all Authentication, Authorization, and Accounting functions (the AAA field), and for all Import/Export functions.

    The default for both is Medium.

    To improve performance, select the "High" option in the AAA field so that authentication takes precedence over importing and exporting.

    Note: To increase the level of priority for authentication services, open the Windows Services Manager and set the AAA Server Service v6 (or above) AAA to high. The system uses the base priority level of all executable threads to determine which thread gets the next slice of CPU time. Every thread has a base priority level determined by the thread's priority value and the priority class of its process. Windows Services schedules threads in a round-robin fashion at each priority level, and only when there are no executable threads at a higher level (the service level) does scheduling of threads at a lower level (server configuration) take place.
  11. Click Save to save changes to the authentication server configuration.

    You can use the Restore button to restore the settings to their last saved values. The AAA Server stores the entire screen at once: whether you change one value or several at a time, once you save, Restore can only return the screen to the state stored before that save.

  12. Click Events to specify the e-mail address of a person or service to contact if a problem occurs on the server.

    Note: To activate the SMTP Server and E-mail Fields, you must first select one or more Events for which to generate alerts.

    1. Select event(s) that will generate alerts. This activates the remaining fields.

    2. Enter the following as required:

      Field Description

      • SMTP Server - enter the hostname of your e-mail server and the corresponding port.
      • E-mail to Contact - enter the e-mail address to which you want alerts sent.
      • E-mail From - enter the From e-mail address to use for the alert messages.
      • Mobile (SMS) - enter the mobile telephone number to which you want alerts sent.

      The Test button sends a test message to the nominated email account.

    3. Select the option(s) corresponding to the events for which you want to send alert messages:

      • Database Error - database problems.
      • LDAP Error - directory problems.
      • Login Error after .... - if a user reaches the maximum number of unsuccessful tries permitted.
      • Start and Stop Service - each time the AAA Server service is started or stopped.
      • Connection problems between Servers - connection problems between the AAA Servers.

      The authentication server can keep a trace of the authentication and accounting data received:

      • The authentication log contains information on authentication: user name, state (success or failure), date, time and type of connection.

      • The accounting log information depends on the accounting profile defined at the user group or gate level.

        If you did not assign an accounting profile to a group or gate, the log does not store accounting data.

    4. To set this option, specify the kind of trace you want for each log:

      • None - keep no trace
      • AAA Server Database - keep traces in a database and consolidate data from authentication servers to the administration database

        Consolidation works only with servers that have logged data in the AAA Server database.

      • Standard File - keep traces in a flat file

        The information remains on the authentication server, and you cannot consolidate it from the Administration Console. You can load these ASCII files into Microsoft Excel or any other log reporting tool for generating reports. If you decide to use flat file logging, system performance slows down. The file names are:

        ActivPackAhLogMMDD.txt - the authentication log
        ActivPackAcLogMMDD.txt - the accounting log

        where MM = month and DD = day.

  13. Click OK to return to the main server configuration window and export the changes (see Export Data to the AAA Server(s)).
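As an added example (not code from this guide or the product), the following Python script audits the connection settings from steps 6, 8 and 9 for the conditions the guide calls out: secrets left at the ActivPack default, secrets longer than the stated maximum, and RADIUS/TACACS+ values that differ from the Access Controller. The dict layout, the field names as keys and the 16-character policy minimum are assumptions; the sample settings are constructed.

```python
"""Audit AAA Server connection settings for the weaknesses this guide warns about.

Constructed example, not code from the product or its documentation. It assumes
the console settings and the Access Controller (NAS) settings have been captured
into dicts keyed by the field names shown on the configuration screen.
"""

FACTORY_SECRET = "ActivPack"   # default value the guide gives for all three secrets
POLICY_MIN_LEN = 16            # local policy floor; the guide states no minimum

# Maximum lengths stated on the configuration screen.
SECRET_MAX_LEN = {
    "Server Shared Secret": 24,
    "Login Password": 24,        # LDAP bind password
    "RADIUS Shared Secret": 120,
    "TACACS+ Shared Secret": 120,
}

# Values the guide says must agree between the console and the Access Controller.
MUST_MATCH_NAS = ("Authentication Port", "Accounting Port", "RADIUS Shared Secret",
                  "TACACS+ Port", "TACACS+ Shared Secret")


def audit(console: dict, nas: dict) -> list[str]:
    """Return one finding per problem; an empty list means the checks passed."""
    findings = []
    for field, max_len in SECRET_MAX_LEN.items():
        value = str(console.get(field, ""))
        if value == FACTORY_SECRET:
            findings.append(f"{field}: factory default still in use")
        if len(value) > max_len:
            findings.append(f"{field}: {len(value)} chars exceeds the {max_len}-char limit")
        elif len(value) < POLICY_MIN_LEN:
            findings.append(f"{field}: shorter than the policy minimum of {POLICY_MIN_LEN}")
    for field in MUST_MATCH_NAS:
        if console.get(field) != nas.get(field):
            findings.append(f"{field}: console value does not match the Access Controller")
    return findings


# Constructed sample: a newly created server where only the RADIUS secret was changed.
SAMPLE_CONSOLE = {
    "Server Shared Secret": "ActivPack", "Login Password": "ldap-bind-pw-example1",
    "RADIUS Shared Secret": "r4d1us-S3cr3t-example-only", "TACACS+ Shared Secret": "ActivPack",
    "Authentication Port": 1812, "Accounting Port": 1813, "TACACS+ Port": 49,
}
SAMPLE_NAS = {k: SAMPLE_CONSOLE[k] for k in MUST_MATCH_NAS}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONSOLE, SAMPLE_NAS):
        print(finding)
```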