Cisco IOS Software Release 12.2(27)SBC
AAA Authorization and Authentication Cache
Information About Implementing Authorization and Authentication Profile Caching
Cisco IOS Release 12.2(28)SB
To take advantage of this performance optimization, you need to configure the authentication method list so that the AAA cache profile is queried first when a user attempts to authenticate to the router. See the “ ” section for more information.
Authorization and Authentication Profile Caching as a Failover Mechanism
If, for whatever reason, RADIUS or TACACS+ servers are unable to provide authentication and
authorization responses, network users and administrators can be locked out of the network. The profile
caching feature allows usernames to be authorized without having to complete the authentication phase.
For example, a user by the name of user100@abc.com with a password secretpassword1 could be stored
in a profile cache using the regular expression “.*@abc.com”. Another user by the name of
user101@abc.com with a password of secretpassword2 could also be stored using the same regular
expression, and so on. Because the number of users in the “.*@abc.com” profile could number in the thousands, it is not feasible to authenticate each user with their personal password. Therefore, authentication is disabled and each user simply receives the authorization profile from a common Access Response stored in the cache.
The same reasoning applies where higher-end security mechanisms such as Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), or Extensible Authentication Protocol (EAP), which all use an encrypted password between the client and the AAA offload server, are in use. To allow these unique, secure username and password profiles to retrieve their authorization profiles, authentication is bypassed.
To take advantage of this failover capability, you need to configure the authentication and authorization method list so that the cache server group is queried last when a user attempts to authenticate to the router. See the “ ” section for more information.
Method Lists in Authorization and Authentication Profile Caching
A method list is a sequential list describing the authentication methods to be queried in order to
authenticate a user. We support methods such as local (use the local Cisco IOS database), none (do
nothing), RADIUS server group, or TACACS+ server group. Typically, more than one method can be
configured into a method list. Cisco IOS software uses the first listed method to authenticate users. If
that method fails to respond, the Cisco IOS software selects the next authentication method listed in the
method list. This process continues until there is successful communication with a listed authentication
method, or until all methods defined in the method list are exhausted.
To optimize network performance or provide failover capability using the profile caching feature you
simply change the order of the authentication and authorization methods in the method list. To optimize
network performance, make sure the cache server group appears first in the method list. For failover
capability, the cache server group should appear last in the method list.
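The two orderings described in the failover and method-list sections above, modelled as an added Python example. This is not Cisco's code and does not reproduce IOS CLI syntax: CacheProfile, CacheMethod, RadiusServer, run_method_list and demo are hypothetical names, the usernames and passwords are the ones from the text, and the authorization attributes are constructed sample values. The model follows the page's rule that only a method which fails to respond hands over to the next method in the list, while a pass or a fail ends the list.

```python
import re
from dataclasses import dataclass

# Result codes returned by one method. Only NO_RESPONSE hands over to the next
# method in the list; PASS and FAIL are final (the "fails to respond" rule).
PASS, FAIL, NO_RESPONSE = "pass", "fail", "no-response"


@dataclass
class CacheProfile:
    """A regex profile such as '.*@abc.com' with one shared Access-Response."""
    pattern: str
    authorization: dict
    no_auth: bool = False  # True: serve the authorization without a password check


class CacheMethod:
    """Hypothetical model of the AAA cache method (not IOS code)."""

    def __init__(self, profiles=()):
        self.profiles = list(profiles)
        self.entries = {}  # username -> (password, authorization), filled from live replies

    def _matches(self, username):
        return [p for p in self.profiles if re.fullmatch(p.pattern, username)]

    def store(self, username, password, authorization):
        # Only usernames covered by a configured profile are worth caching
        if self._matches(username):
            self.entries[username] = (password, dict(authorization))

    def query(self, username, password):
        if username in self.entries:
            cached_pw, authz = self.entries[username]
            return (PASS, dict(authz)) if cached_pw == password else (FAIL, None)
        for p in self._matches(username):
            if p.no_auth:  # failover profile: authentication is bypassed
                return PASS, dict(p.authorization)
        return NO_RESPONSE, None  # nothing cached: let the next method answer


class RadiusServer:
    """Stub RADIUS server group; reachable=False simulates an outage."""

    def __init__(self, users, reachable=True, cache=None):
        self.users = users  # username -> (password, authorization)
        self.reachable = reachable
        self.cache = cache  # cache to populate on a successful reply
        self.queries = 0

    def query(self, username, password):
        if not self.reachable:
            return NO_RESPONSE, None
        self.queries += 1
        record = self.users.get(username)
        if record is None or record[0] != password:
            return FAIL, None
        if self.cache is not None:
            self.cache.store(username, password, record[1])
        return PASS, dict(record[1])


def run_method_list(methods, username, password):
    """Try methods in order; return (result, authorization, method name)."""
    for name, method in methods:
        result, authz = method.query(username, password)
        if result != NO_RESPONSE:
            return result, authz, name
    return FAIL, None, None  # every method failed to respond


def demo():
    common_authz = {"Service-Type": "Framed", "Framed-Protocol": "PPP"}  # constructed
    users = {"user100@abc.com": ("secretpassword1", common_authz),
             "user101@abc.com": ("secretpassword2", common_authz)}

    # Performance ordering: cache first, populated from live RADIUS replies.
    perf_cache = CacheMethod([CacheProfile(".*@abc.com", common_authz)])
    perf_radius = RadiusServer(users, cache=perf_cache)
    perf_list = [("cache", perf_cache), ("radius", perf_radius)]
    first = run_method_list(perf_list, "user100@abc.com", "secretpassword1")
    second = run_method_list(perf_list, "user100@abc.com", "secretpassword1")

    # Failover ordering: cache last, with a no-auth profile for .*@abc.com.
    fo_cache = CacheMethod([CacheProfile(".*@abc.com", common_authz, no_auth=True)])
    down = [("radius", RadiusServer(users, reachable=False)), ("cache", fo_cache)]
    up = [("radius", RadiusServer(users)), ("cache", fo_cache)]
    outage = run_method_list(down, "user101@abc.com", "not-the-real-password")
    bad_pw = run_method_list(up, "user101@abc.com", "not-the-real-password")

    return {"perf_first": first, "perf_second": second,
            "radius_queries": perf_radius.queries,
            "failover_outage": outage, "failover_bad_password": bad_pw}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the performance ordering the second login for user100@abc.com is answered by the cache and the RADIUS stub sees only one query. In the failover ordering the no-auth profile answers only while the server is unreachable; with the server up, a wrong password is rejected by RADIUS and the cache is never consulted, which is why the text places the cache server group last for failover rather than first.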
Authorization and Authentication Profile Caching Guidelines
Because the number of usernames and profiles that can request to be authenticated or authorized at a
given router on a given point of presence (POP) can be quite extensive, it would not be feasible to cache
all of them. Therefore, only usernames and profiles that are commonly used or that share a common
authentication and authorization response should be configured to use caching. Commonly used
usernames such as aolip and aolnet, which are used for America Online (AOL) calls, or preauthentication
dialed number identification service (DNIS) numbers used to connect Public Switched Telephone