AAA Overview

Contents
- The brief AAA configuration process
- Related documents of configuration tasks
Access control determines which users may connect to the router or network access server (NAS) and which services they are allowed to use. It provides the authentication, authorization and accounting functions that strengthen network security.
AAA is an architecture for configuring three independent security functions in a consistent way. It provides a modular method of delivering the following services:

Authentication: identifies users. This includes the username and password challenge and, depending on the security protocol you select, encryption of that exchange.
Authentication identifies users before they are granted access to the network and its services. You configure AAA authentication by defining a named list of authentication methods and then applying that list to the various interfaces. The method list defines the authentication types and the order in which they are tried; a defined authentication method is performed on an interface only after it has been applied to that interface. The only exception is the default method list (named default): if no other method list is applied to an interface, the default method list is automatically applied to it, and any other method list applied to an interface overrides the default list there. For detailed information about all authentication configurations, refer to “authentication configuration”.
Authorization: provides a method of remote access control that restricts the services a user may use. AAA authorization works through a set of attributes describing the rights granted to the user. These attributes are compared with the information held in the database for that specific user, and the result is returned to AAA to determine the user's actual rights. The database can reside on the local access server or router, or on a remote RADIUS or TACACS+ security server. Remote security servers such as RADIUS and TACACS+ authorize users through attribute-value (AV) pairs that define the authorized rights. All authorization methods must be defined through AAA. As with authentication, you first define an authorization method list and then apply it to the various interfaces. For detailed information about configuring authorization with AAA, refer to “authorization configuration”.
Accounting: provides a method of collecting user service information and forwarding it to the security server. This information can be used for billing, auditing and reporting; it includes the user identity, start and stop times, the commands executed, and the number of packets and bytes transferred.

Accounting tracks not only the services users are accessing but also the network resources they are consuming at the same time. When AAA accounting is activated, the network access server reports the user's activity to the TACACS+ or RADIUS server in the form of accounting records. Each record consists of accounting attribute-value pairs and is stored on the security server. This data can be used for network management, client billing or audit analysis. As with authentication and authorization, you first define an accounting method list and then apply it to the various interfaces. For detailed information about configuring accounting with AAA, refer to “Accounting configuration”.
AAA provides the following advantages:
- Flexibility and ease of control
- Easy to update
- Standardized authentication methods, such as RADIUS and TACACS+
- Multiple backup systems
AAA lets you configure the authentication or authorization type dynamically on a per-connection (per-user) or per-service basis (for example, IP, IPX or VPDN). The authentication and authorization types are defined by creating method lists and then applying those lists to specific services or interfaces.
An authentication method list defines the methods used, in sequence, to identify users. Administrators can configure one or more protocols in the method list, so a backup authentication method is guaranteed even if an earlier method does not respond. The first method in the list is tried first. If that method returns no response, the next method in the list is selected; the process continues until a listed method authenticates the user successfully, or the method list is exhausted, in which case authentication fails.
NOTE: The next method is tried only when the previous method returns no response. If authentication fails at any point, that is, the security server or the local username database denies the user access, the authentication process stops and no other authentication methods are tried.
Figure 1 shows a representative AAA network configuration with four security servers: R1 and R2 are RADIUS servers, and T1 and T2 are TACACS+ servers.
Figure 1
Suppose the system administrator decides, as part of the security scheme, to apply the same authentication method list to all interfaces for identifying PPP connections: R1 is contacted first for authentication information; if R1 does not respond, R2 is contacted; if R2 does not respond, T1; if T1 does not respond, T2; and if none of the designated servers responds, authentication is handed to the local username database of the access server. When a remote user attempts to enter the network by dial-up, the network access server first queries R1 for the relevant authentication information. If the user is valid, R1 sends a PASS reply to the network access server and the user is permitted access. If the reply is FAIL, the user is denied and the session is ended. If R1 does not respond, the network access server treats this as an ERROR and queries R2 for the authentication information. This pattern continues through the remaining methods until the user is accepted or denied, or the session is ended.
NOTE: It is important to remember that a “FAIL” reply is quite different from an “ERROR”. A “FAIL” means the user has not met the criteria in the authentication database required to authenticate successfully; authentication ends with the “FAIL” reply. An “ERROR” means the security server did not respond to the authentication query. Only when AAA detects an error does it select the next authentication method defined in the authentication method list.
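The failover rules described above, together with the default-list behaviour from the authentication section, as an added example (not code from the original document or from any vendor's product): a small Python model of method-list evaluation. The server names R1, R2, T1 and T2 follow Figure 1; the interface names, the user accounts and the reachable/unreachable flags are constructed for the illustration. An unreachable server returns ERROR, so evaluation moves on; a reachable server returns PASS or FAIL, either of which ends evaluation, so the local database is never consulted once a server has answered.

```python
"""Model of AAA authentication method-list evaluation (added example).

Not the original document's or any vendor's code. Server and interface
names, user accounts and reachability are constructed for the illustration.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "PASS"    # user accepted; evaluation stops
    FAIL = "FAIL"    # user denied; evaluation stops
    ERROR = "ERROR"  # no response from this method; try the next one


Method = Callable[[str, str], Result]
MethodList = List[Tuple[str, Method]]


def security_server(users: Dict[str, str], reachable: bool) -> Method:
    """Constructed stand-in for a RADIUS or TACACS+ server.

    An unreachable server never answers, which AAA treats as ERROR; a
    reachable server replies PASS or FAIL from its own user database.
    """
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method


def local_database(users: Dict[str, str]) -> Method:
    """The access server's local username database: it always answers."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method


def run_method_list(methods: MethodList, user: str, password: str):
    """Try each method in order; return the final result and a trace."""
    trace: List[Tuple[str, Result]] = []
    for name, method in methods:
        result = method(user, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace       # PASS or FAIL ends the process
    return Result.FAIL, trace          # every method errored: list exhausted


class AAAAuthentication:
    """Named method lists applied to interfaces, with "default" as fallback."""

    def __init__(self) -> None:
        self.method_lists: Dict[str, MethodList] = {}
        self.interfaces: Dict[str, str] = {}   # interface -> method list name

    def define_list(self, name: str, methods: MethodList) -> None:
        self.method_lists[name] = methods

    def apply_to_interface(self, interface: str, list_name: str) -> None:
        if list_name not in self.method_lists:
            raise KeyError(f"method list {list_name!r} is not defined")
        self.interfaces[interface] = list_name

    def authenticate(self, interface: str, user: str, password: str):
        # An interface with no list of its own uses the list named "default".
        list_name = self.interfaces.get(interface, "default")
        return run_method_list(self.method_lists[list_name], user, password)


def build_figure1_scenario(r1_up: bool, r2_up: bool,
                           t1_up: bool, t2_up: bool) -> AAAAuthentication:
    """Default list R1 -> R2 -> T1 -> T2 -> local, with constructed accounts."""
    server_users = {"alice": "alice-pw"}        # known to the four servers
    local_users = {"admin": "local-pw"}         # known only locally
    aaa = AAAAuthentication()
    aaa.define_list("default", [
        ("R1", security_server(server_users, r1_up)),
        ("R2", security_server(server_users, r2_up)),
        ("T1", security_server(server_users, t1_up)),
        ("T2", security_server(server_users, t2_up)),
        ("local", local_database(local_users)),
    ])
    return aaa


if __name__ == "__main__":
    aaa = build_figure1_scenario(r1_up=False, r2_up=False, t1_up=True, t2_up=True)
    for user, pw in [("alice", "alice-pw"), ("alice", "wrong"), ("admin", "local-pw")]:
        result, trace = aaa.authenticate("Serial0", user, pw)
        print(user, result.value, [(n, r.value) for n, r in trace])
```

Running the script with R1 and R2 down shows the three cases the note distinguishes: alice is accepted by T1 after two ERRORs, a wrong password is refused by T1 with a FAIL and T2 is never asked, and admin, who exists only in the local database, is also refused by T1 because a FAIL stops the list before the local method is reached. Only when every server is down does the local database get a turn.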
The brief AAA configuration process
Once the basic process is understood, configuring AAA is relatively easy. Follow these steps when using AAA to configure security on a router or access server of our company:
- If you decide to use a security server, first configure the security protocol parameters, for example for RADIUS or TACACS+.
- Use the aaa authentication command to define the method list for authentication.
- If required, apply this method list to a specific interface or line.
- Use the aaa authorization command to configure authorization (optional).
- Use the aaa accounting command to configure accounting (optional).
Related documents of configuration tasks
Table 1 lists the AAA configuration tasks and where to find more material on each.
Table 1: task and document