Thursday, May 17, 2012

Authentication, Authorization and Accounting

About AAA Security Services

AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing the following services:

•Authentication—Provides the method of identifying users, including the login and password dialog, challenge and response, messaging support and, depending on the security protocol you select, encryption.

Authentication is the way a user is identified prior to being allowed access to the network and network services. You configure AAA authentication by defining a named list of authentication methods, and then applying that list to various interfaces (for login authentication, to lines such as the console and the vty lines). The method list defines the types of authentication to be performed and the sequence in which they will be tried; a later method is consulted only when the earlier one returns an error (for example, an unreachable server), not when it rejects the user. A named list must be applied to a specific interface or line before any of its methods will be performed. The only exception is the default method list (which is named "default"): it is applied automatically to every interface or line that does not have a named method list explicitly applied, and an explicitly applied named list overrides it.

All authentication methods, except for local, line password, and enable authentication, must be defined through AAA. For information about configuring all authentication methods, including those implemented outside of the AAA security services, refer to the chapter "Configuring Authentication."


•Authorization—Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.

AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally on the access server or router or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user. All authorization methods must be defined through AAA.

As with authentication, you configure AAA authorization by defining a named list of authorization methods, and then applying that list to various interfaces. For information about configuring authorization using AAA, refer to the chapter "Configuring Authorization."

•Accounting—Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record consists of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.

Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA.
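The configuration below pulls the three pieces described above together on a single Cisco IOS router: method lists for authentication, authorization and accounting against TACACS+, a weak authentication list beside its corrected form, and the named console list that overrides "default". It is an added example, not configuration from the original post or from the Cisco guide it cites; the server addresses, shared secret, usernames, passwords and the list name CONSOLE are made up.

```text
! Added example: AAA on a Cisco IOS access router, applied to console and vty lines.
! All addresses, keys, usernames, passwords and list names are hypothetical.
!
! 1. Turn on the AAA framework. Until this is set, the older line-password and
!    enable-password model is in effect and no method list is consulted.
aaa new-model
!
! 2. Security servers that the method lists reference through "group tacacs+".
tacacs-server host 10.0.0.5 key TacacsSharedSecret
tacacs-server host 10.0.0.6 key TacacsSharedSecret
!
! 3. A local account and enable secret, used only when every server is unreachable.
username netadmin privilege 15 secret LocalFallbackPassw0rd
enable secret EnableFallbackPassw0rd
!
! 4. Authentication method lists.
!    WEAK: a single method with no fallback. If both TACACS+ servers are down the
!    list returns an error and every login fails, locking you out of the device.
! aaa authentication login default group tacacs+
!
!    Corrected: try TACACS+ first and fall through to the local database only when
!    the servers do not answer. A rejection from TACACS+ is final; it does not
!    fall through to "local".
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!    Named list for the console only, so physical access still works without the
!    network. Because it is applied explicitly below, it overrides "default".
aaa authentication login CONSOLE local
!
! 5. Authorization method lists: what an authenticated user may do.
!    "local" takes the privilege level from the username line; "if-authenticated"
!    lets commands through only for users who already passed authentication.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
!    IOS does not apply authorization to the console line unless told to.
aaa authorization console
!
! 6. Accounting: start/stop records for exec shells and for privilege-15 commands.
!    Per-command accounting is a TACACS+ feature; RADIUS has no equivalent.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! 7. Apply the lists. The vty lines carry no "login authentication" statement, so
!    the "default" list applies to them automatically; the console gets CONSOLE.
line con 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
```

Before relying on the fallback, verify it the way an attacker would test it for you: block the TACACS+ servers (or shut the interface facing them), open a new vty session and confirm that the local account still works and that the failed server attempt shows up in the accounting and log records.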

References:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html

4 comments:

  1. Yo Don. I'm Junrong =D
    After reading your post, I feel that I learned a lot, a lot more things. Your post is so informative and educational. It is so interesting and yet does not lack details.
    I especially like "Authentication—Authentication provides the method of identifying users, including login and password dialog, challenge and response. Depending on the security protocol set by the user, messaging support, response and challenge can be set."

    Good job on that piece of wonderful work

  2. Hi, Don
    It's a very informative post. I spent quite a lot of time looking through it.

    Your explanation is very detailed, like explaining the methods of authentication and how authorization works, etc.

    I learnt something new apart from the lecture and my post, e.g. there are additional features for simple access control, such as local username authentication, etc.

    However, I think it would be better if you add in some pictures or videos so that readers can understand easily.

    Anyway, you did a good job! Keep it up! ^ ^

    Qiuzi

  3. Hi Don,

    This is a very informative and detailed post. You explained it very clearly and made me understand better each component of Authentication, Authorization and Accounting.

    After reading your post about AAA, I have gained a deeper understanding of AAA. For instance, I learned that we can configure the authentication method and apply the list of authentication methods to a specific interface. I also learned that the default list of authentication takes place when there is no known method.

    I feel that this post enabled me to learn something beyond what we could learn from our lecture. I am looking forward to your upcoming post.

    Regards,
    Kim Chye

  4. Hi Don,

    Thanks for your super ultra detailed post, I especially like this sentence, "AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner".

    This sentence caught my attention and allowed me to see the link between a framework and how AAA helps to enhance security features consistently. Keep up the good work.

    Cheers,
    Zimin
