Getting Started
Once you have finished installing and configuring the AAA Server and its components (see Installing the AAA Server for Remote Access), there are a number of elements you must create in the Administration Console to define systems/services and how to protect them.
Then, you can assign devices to users so that they can authenticate via the AAA Server.
It is recommended that until you are familiar with how all these elements function together, you create them in the order presented in the steps described below.
Configuration Procedures
The procedures listed below are described step-by-step in Managing the ActivID AAA Server. Do not use this overview as a substitute.
- Configure LDAP settings in the console so that the AAA authentication server(s) can communicate with your LDAP server.
- Define each AAA authentication server from the console, including backup servers.
- Define at least one gate for each AAA authentication server.
  A gate is an entry point to an AAA Server-protected resource and must correspond to the access configuration (ports, Authorization and/or Accounting profiles) on the protected resource. Gates enable you to filter how your NAS accesses the AAA Server-protected resources.
- Create the LDAP queries that the AAA authentication server(s) use to retrieve LDAP user data.
- Define user groups in the AAA Server (your LDAP server continues to manage all user data).
  The AAA Server associates the groups that you create in the AAA Server with your users in the LDAP directory. Your groups might follow the organizational structure you have already set up in your LDAP directory, but you can create groups in any way that is practical for authentication purposes.
- Create additional device repositories in the console so that you can logically organize the storage of your imported devices.
  The Administration Console automatically stores all devices at the Device level in the tree displayed in the pane to the left of the console.
- Set your RADIUS shared secret.
- Create Authorization and Accounting profiles for use at the gate level and/or the group level.
- Import devices that have been pre-initialized.
  You can use the AAA Server Administration Console to assign the devices to users later. You can also assign them directly from your LDAP management console.
- Create other Administration Console Administrators, Device Managers, Help Desk Users, and Audit Managers, as required. Then assign the initialized devices to them.
  Then, log off from the console and log back on as this new Administrator.
  If an Audit Manager is created, the Administrator can no longer view the audit logs. However, the Audit Manager can grant the rights to view the audit logs to the Administrator at a later date.
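The RADIUS shared secret step above is where the trust between each NAS and the AAA Server is established. As an added illustration that is not part of this guide or of the ActivID product, the following Python sketch shows what that secret does on the wire under RFC 2865: it hides the User-Password attribute in the Access-Request, and it feeds the Response Authenticator that the NAS checks on every reply. The secret value, the password, and the packet identifiers are constructed for the example; the Administration Console only sets the secret, it does not expose these primitives.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values; assumption: the same secret is configured on the
# NAS and on the AAA Server. Not taken from any real deployment.
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password as done on the server side; trailing padding removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attributes: bytes) -> bytes:
    """RADIUS header (Code, Identifier, Length) + 16-byte Authenticator + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: the reply must carry an authenticator computed with the
    shared secret over the Request Authenticator of the outstanding request."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)


def exchange(nas_secret: bytes, server_secret: bytes) -> dict:
    """Simulated NAS <-> AAA Server round trip. Returns what each side could verify,
    so a secret mismatch shows up as a failure on both ends."""
    request_auth = os.urandom(16)
    hidden = hide_password(b"correct horse", nas_secret, request_auth)
    # User-Password attribute: type 2, length field covers the 2-byte header too.
    attrs = bytes([2, 2 + len(hidden)]) + hidden
    request = build_packet(ACCESS_REQUEST, 42, request_auth, attrs)

    # Server side: parse the request and recover the password with its own secret.
    _code, ident, _length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attr_len = request[21]
    recovered = unhide_password(request[22:20 + attr_len], server_secret, req_auth)
    # Reply with no attributes, authenticated with the server's secret.
    reply_auth = response_authenticator(ACCESS_ACCEPT, ident, req_auth, b"", server_secret)
    reply = build_packet(ACCESS_ACCEPT, ident, reply_auth, b"")

    # NAS side: verify the reply against the Request Authenticator it sent.
    return {
        "server_recovered_password": recovered == b"correct horse",
        "nas_accepts_reply": verify_response(reply, request_auth, nas_secret),
    }


if __name__ == "__main__":
    print("matching secrets:", exchange(SHARED_SECRET, SHARED_SECRET))
    print("mismatched secrets:", exchange(SHARED_SECRET, b"typo-on-one-side"))
```

The second call shows the symptom of a mis-set secret: the server cannot recover the password, so authentication fails, and even an Accept would be discarded by the NAS because its Response Authenticator does not verify. When a gate stops accepting logins after configuration changes, comparing the secret on the NAS with the one set in the console is the first thing to check.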
When you have completed all the above steps, users can authenticate to access controllers protected by the AAA Server.
You can use the AAA Server's Help Desk to manage authentication devices (for instance, to resynchronize devices, assign a temporary password when a user forgets his/her device, or to unlock a locked device).