The Authentication, Authorization, and Accounting (AAA) subsystem controls all settings for authenticating remote users to the gateway, as well as the settings for authorizing the gateway to end-user devices. The AAA subsystem is configured within a user’s context.
There are two classes of gateway users:
- Local: These users are defined on a local database that the gateway hosts.
- External: These users are defined in a database that is external to the gateway (such as Active Directory, LDAP/SLDAP, RADIUS, OAuth, or web authentication).
The AAA subsystem supports authentication and authorization of gateway users using a local user database or using an external service.
Note: To configure the gateway for Active Directory, LDAP/SLDAP, RADIUS, OAuth, or an external web service, see Setting up authentication providers for each procedure.
These primary elements constitute the AAA subsystem:
- auth-group
Defines the list of available authentication servers that the AAA subsystem searches when authenticating remote users to the gateway. (For example, an IT administrator could create an auth-group that uses only the local database for authentication.) An auth-group references one or more auth-providers. The entries in an auth-group can also be reordered, so you can specify the order in which authentication servers are contacted and have the gateway fall back to the next server if the first one is not available.
The contents of the auth-group element specify the order in which different auth-provider entries are used for authentication.
Use the auth-group element to configure the certificate enrollment of end-user devices to the gateway. For details about certificate enrollment, see Setting up certificate enrollment with the gateway.
% set aaa auth-group default options...
Blue Cedar Enforce Accelerator: To assign different authentication rules to different groups of users, you can define multiple auth-groups. These authentication rules can include authentication providers, the search order for those providers, authentication methods (certificate only, external validation, and so on), login prompts, and more. You might define different authentication options for different groups of users; for example, employees can use certificate-only authentication, but contractors or service providers cannot.
Note: There is no "global" group or inheritance. If you do not want to use multiple auth-groups, you can use the built-in group "default" to apply authentication rules. But if you want a rule to apply to all auth-groups, you need to apply that rule to each group individually:
% set aaa auth-group employee-group options...
% set aaa auth-group contractor-group options...
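The ordered-provider and fallback behaviour of an auth-group, as an added illustrative model that is not the gateway's own code. It assumes two provider outcomes beyond accept/reject: "unavailable" (skip to the next provider, as the documentation describes) and a definitive reject that ends the attempt, so an outage of one provider never turns a bad credential into a login; the provider names, users and secrets are constructed sample data.

```python
import hmac
from dataclasses import dataclass

# Outcome of asking one auth-provider about a credential (assumed model).
ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"

@dataclass
class AuthGroup:
    """Ordered provider names; earlier entries are contacted first."""
    name: str
    providers: list

def authenticate(group, registry, user, secret):
    """Walk the group's providers in order. UNAVAILABLE is skipped (the
    fallback in the docs); a definitive ACCEPT or REJECT ends the attempt.
    Returns (outcome, list of (provider, outcome) actually consulted)."""
    consulted = []
    for name in group.providers:
        outcome = registry[name](user, secret)
        consulted.append((name, outcome))
        if outcome != UNAVAILABLE:
            return outcome, consulted
    return UNAVAILABLE, consulted  # every provider was down: no access

# Constructed sample data: a local user database and an external provider.
LOCAL_DB = {"alice": "s3cret", "bob": "hunter2"}

def local_provider(user, secret):
    stored = LOCAL_DB.get(user)
    if stored is None:
        return REJECT
    return ACCEPT if hmac.compare_digest(stored, secret) else REJECT

def make_external(reachable, users):
    """Simulated external provider (e.g. LDAP); unreachable => UNAVAILABLE."""
    def provider(user, secret):
        if not reachable:
            return UNAVAILABLE
        stored = users.get(user)
        return ACCEPT if stored and hmac.compare_digest(stored, secret) else REJECT
    return provider

REGISTRY = {
    "local": local_provider,
    "ldap-corp": make_external(reachable=False, users={"alice": "ldap-pass"}),
}

# No global group or inheritance: each auth-group lists its own providers.
GROUPS = {
    "default": AuthGroup("default", ["local"]),
    "employee-group": AuthGroup("employee-group", ["ldap-corp", "local"]),
    "contractor-group": AuthGroup("contractor-group", ["local"]),
}
```

With ldap-corp down, an employee login falls back to the local database; with ldap-corp reachable, a credential it rejects is not retried against the local database.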
- auth-provider
The list of available authentication services that the gateway uses for establishing the identity of clients connecting to the gateway and the identity of the gateway itself. Within the auth-provider subcomponent, you can configure gateway users for the local database (local) and grant additional capabilities to these users as part of a group (such as permitting communication from jailbroken devices to the gateway). These auth-provider entries are referenced from the auth-group element. For details about configuring an auth-provider, see Setting up authentication providers.
- pki (Public Key Infrastructure)
Configures the certificates used for establishing the identity of clients connecting to the gateway and the identity of the gateway itself. Within the PKI subcomponent, administrative users can also configure policies for verifying the revocation status of certificates. For details about configuring the PKI subcomponent, see Configuring AAA Public Key Infrastructure.
The template for configuring the elements of the AAA subsystem is:
% set aaa
Note: The user-groups in the AAA subsystem are the same as those used by the CLI. In other words, the authentication and authorization given to CLI administrators comes directly from the AAA subsystem's user and group settings.