AAA (Authentication, Authorization, Accounting)

1. Introduction

Managing network access using only the user mode or privilege mode password commands is limited and does not scale well. Instead, using the Authentication, Authorization, and Accounting (AAA) protocol provides the necessary framework to enable scalable access security.


2. AAA Overview

Local database authentication can be implemented using one of the following commands:

  • username username password password
  • username username secret password

The local database method has some limitations:

  • The user accounts must be configured locally on each device.
  • The local database configuration provides no fallback authentication method.

AAA network security services provide the primary framework to set up access control on a network device.

AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting).

It provides a higher degree of scalability than the con, aux, vty and privileged EXEC authentication commands alone.

Network and administrative AAA security in the Cisco environment has several functional components:

  • Authentication - Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. For example: “I am user ‘student’. I know the password to prove that I am user student.”
  • Authorization - After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is “User ‘student’ can access host serverXYZ using Telnet only.”
  • Accounting and auditing - Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is “User ‘student’ accessed host serverXYZ using Telnet for 15 minutes.”

This concept is similar to the use of a credit card. The credit card identifies who can use it, how much that user can spend, and keeps account of what items the user spent money on.


3. AAA Characteristics

3.1 AAA authentication


Cisco provides two common methods of implementing AAA services.

  • Local AAA Authentication - Local AAA uses a local database for authentication.
  • Server-Based AAA Authentication - Server-based AAA uses an external database server that the device reaches over the RADIUS or TACACS+ protocol.

3.2 AAA Authorization

Authorization is automatic and does not require users to perform additional steps after authentication. Authorization is implemented immediately after the user is authenticated.


3.3 AAA Accounting

Accounting is implemented using an AAA server-based solution. This service reports usage statistics back to the ACS server. These statistics can be extracted to create detailed reports about the configuration of the network.

4. Local AAA Authentication

4.1 Configuring Local AAA Authentication with CLI

Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
Step 2. Enable AAA globally on the router: Router(config)# aaa new-model
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.
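The four steps above carried through on the IOS CLI, as an added example that is not part of the original notes; the username, the method-list name and the password placeholder are assumptions, and the lockout threshold shown is one illustrative value.

```cisco
! Step 1: create the local account before AAA is enabled, so the device
! does not lock out the vty lines once the default login list becomes "local".
Router(config)# username admin privilege 15 secret <STRONG-PASSWORD-PLACEHOLDER>

! Step 2: enable AAA globally.
Router(config)# aaa new-model

! Step 3: AAA parameters.
! Default login list: local database, case-sensitive usernames.
Router(config)# aaa authentication login default local-case
! A named list for the vty lines, so console and remote access can differ.
Router(config)# aaa authentication login VTY-LOGIN local-case
Router(config)# line vty 0 4
Router(config-line)# login authentication VTY-LOGIN
Router(config-line)# exit
! Lock a local account after 10 consecutive failed logins (assumed value).
Router(config)# aaa local authentication attempts max-fail 10
! Log successful and failed login attempts for later auditing.
Router(config)# login on-success log
Router(config)# login on-failure log
Router(config)# end

! Step 4: confirm and troubleshoot.
Router# show running-config | include aaa|username
Router# show aaa local user lockout
Router# debug aaa authentication
! To release an account that hit the max-fail threshold:
Router# clear aaa local user lockout username admin
```

Keep an existing privileged session open while applying Step 2 and Step 3, and verify a second login succeeds before closing it, since the local database has no fallback method if the configuration is wrong.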


4.2 Configuring Local AAA Authentication with SDM


5. Server-Based AAA

TACACS+ and RADIUS are both authentication protocols.
