About the AAA Server for Remote Access

The ActivID AAA Server is a strong RADIUS, TACACS+ and IEEE 802.1x authentication server that maps to your LDAP directory to provide strong user authentication services for a wide range of access points.

AAA stands for:

  • Authentication - accepts or rejects user authentication requests based on stored credentials and/or one-time passwords.
  • Authorization - controls user access based on the appropriate attributes transmitted to the network remote access point (VPN, firewall, router, etc.).
  • Accounting - stores information concerning user activity while connected remotely (connection times, data transfers, etc.).

The key advantage to using the AAA Server for Remote Access is that you can continue to manage your users through your LDAP directory without requiring LDAP schema extensions.

Users authenticate through the AAA Server for Remote Access with smart cards, hardware and software tokens, USB keys, mobile devices, and PDAs (and, optionally, with static or static LDAP passwords).

A secure remote access solution, the AAA Server for Remote Access enables you to protect the following network access methods:

  • Web access
  • Remote access via dial-up
  • Remote access via VPN
  • Remote desktop environments (Windows and Citrix)
  • SSL VPN
  • Wireless LAN access

RADIUS vs TACACS+

AAA Server for Remote Access supports two network access protocols:

  • Remote Authentication Dial In User Service (RADIUS)
  • Terminal Access Controller Access-Control System Plus (TACACS+) (proprietary to Cisco®)

To compare the two:

  • RADIUS uses UDP, whereas TACACS+ uses TCP.
  • RADIUS combines the authentication and authorization operations, whereas TACACS+ handles them separately.

AAA Gates

AAA gates are associated with one specific AAA Server for Remote Access and define settings for one or more physical RADIUS/TACACS+ clients:

  • The protocol (RADIUS/TACACS+) of the clients
  • The IP address(es) of the authorized RADIUS/TACACS+ clients
  • The shared secret to communicate with RADIUS/TACACS+ clients
  • The RADIUS/TACACS+ dictionary
  • The Authorization and Accounting profiles

You can define AAA virtual gates to filter authentication requests and handle them differently according to the type of network access point. For example, a web server authentication request can be handled differently from a firewall authentication request.

The AAA Server for Remote Access centralizes and validates all requests for authentication coming through different gates on firewalls, remote access servers, routers, and the web.
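The sketch below is an added example, not ActivID code. It shows why a gate pairs authorized client addresses with a shared secret: the address and protocol select the gate, and the secret keys the standard RADIUS Response Authenticator (RFC 2865) that lets the client verify the reply. The Gate class, function names, addresses and secrets are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

@dataclass
class Gate:                      # hypothetical model of the gate settings listed above
    name: str
    protocol: str                # "RADIUS" or "TACACS+"
    clients: tuple               # authorized client addresses/networks
    shared_secret: bytes

# Constructed sample data (documentation address ranges, made-up secrets).
GATES = [
    Gate("vpn", "RADIUS", ("192.0.2.0/24",), b"vpn-secret-constructed"),
    Gate("routers", "TACACS+", ("198.51.100.10/32",), b"rtr-secret-constructed"),
]

def find_gate(src_ip, protocol, gates=GATES):
    """Return the gate that authorizes this client address and protocol, else None."""
    addr = ipaddress.ip_address(src_ip)
    for gate in gates:
        if gate.protocol == protocol and any(
                addr in ipaddress.ip_network(net) for net in gate.clients):
            return gate
    return None

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: assemble a reply packet signed with the gate's shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, request_auth, attrs, secret) + attrs

def verify_response(packet, request_auth, secret):
    """Client side: accept the reply only if the authenticator matches our secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])
```

A request from an address that matches no gate gets `None` from `find_gate`, and a reply built with a different secret or altered in transit fails `verify_response`.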

AAA Databases

The AAA Server for Remote Access solution has two databases:

  • AAA Administration database - AAA operators use the AAA consoles to access the Administration database to create, edit and delete items (gates, user groups, queries, assignments, etc.).
  • AAA Server for Remote Access database(s) - AAA operators export all the changes made to the AAA Server(s) for Remote Access, which, in turn, commits all the changes to the AAA Server for Remote Access database(s).