TABLE OF CONTENTS Many network admins are familiar with the concept of AAA: Authentication, Authorization, and Accounting. These components of a logical system control access to resources. Authentication identifies the user, authorization grants or denies that user access to a resource, and accounting records the access (orattempted access).
The IVE integrates seamlessly into many existing AAA schemes, and includes some of its own as well. These include local authentication, LDAP, NIS, ACE, RADIUS, Active Directory/ NT, anonymous, SiteMinder, certificate, and SAML authentication. (Note: SiteMinder, SAML, and certificate authentication require the Advanced License, and are subsequently not supported on the SA 700 platform.) The IVE also allows for dual-factor authentication. Dual-factor authentication is the method of using two different ways of authenticating a user. Users are authenticated through three primary methods:
Something the user knows such as a password or PIN.
Something the user has, such as a hardware token.
Something the user is, such as a fingerprint or other biometric.
Dual-factor authentication must include two of these three methods. The IVE supports ACE and RADIUS server authentication, which can fall under the "something the user has" category. (ACE authentication relies on a hardware token, and many token-based authentication vendors use a RADIUS server on the backend.) The IVE does not support native biometric authentication.
In this chapter, we will discuss Authentication and Authorization/Directory server configuration. Because describing the configuration of the authentication servers themselves could each generate a book of their own, we will limit our discussion to configuring the IVE to...
