AAA Overview Directory

AAA security service

The advantages of AAA

The principles of AAA

Method list

The configuration process

The brief AAA configuration process

Related documents of configuration task

Access control is used to control the users who connect to the router or network access server (NAS) and to limit the kinds of service they can use. It provides authentication, authorization and accounting functions in order to enhance network security.

AAA security service

AAA is an architecture that uses a consistent method to configure three independent security functions. It provides a modular way to deliver the following services:

Authentication: provides a method of identifying users, including the username and password challenge, with encryption according to the security protocol you select.

Authentication is the method of identifying users before they are granted access to the network and network services. You configure AAA authentication by defining a named list of authentication methods and then applying that list to various interfaces. The method list defines the authentication types and the order in which they are tried; a defined authentication method must be applied to a specific interface before it takes effect. The only exception is the default method list (named default): if no other method list is applied to an interface, the default method list is automatically applied to all interfaces, and a method list explicitly applied to an interface overrides the default one. For detailed information about all authentication configurations, please refer to “authentication configuration”.

Authorization: provides a method of remote access control that restricts the services a user is permitted to use.

AAA authorization works through a set of attributes associated with each user. These attributes describe what rights the user is granted. They are compared with the information stored in the database for that specific user, and the result is returned to AAA to determine the user's actual rights. This database can be kept on the local access server or router, or on remote RADIUS or TACACS+ security servers. Remote security servers such as RADIUS and TACACS+ authorize users through their attribute-value (AV) pairs, which define the authorized rights. All authorization methods must be defined through AAA. As with authentication, you first define an authorization method list and then apply it to various interfaces. For detailed information on configuring authorization with AAA, please refer to “authorization configuration”.

Accounting: provides a method of collecting user service information and forwarding it to the security server. This information, such as user identity, start and stop times, commands executed, and the number of packets and bytes, can be used for billing, auditing and reporting.

The accounting function not only tracks the services users are accessing but also the network resources they consume at the same time. When AAA accounting is enabled, the network access server reports the user's activity to the TACACS+ or RADIUS server in the form of accounting records. Each record consists of accounting attribute-value pairs and is stored on the security server. This data can be used for network management, customer billing or audit analysis. As with authentication and authorization, you first define an accounting method list and then apply it to various interfaces. For detailed information on configuring accounting with AAA, please refer to “Account configuration”.

 

The advantages of AAA

AAA provides the following advantages:

- Flexibility and ease of control

- Easy updates

- Standardized authentication methods, such as RADIUS and TACACS+

- Multiple backup systems

 

The principles of AAA

AAA is used to dynamically configure the authentication or authorization type per connection (per user) or per service (for example, IP, IPX or VPDN). It defines the authentication and authorization type by creating method lists and then applying those method lists to specific services or interfaces.

Method list

An authentication method list defines the methods used to identify users. The administrator can configure one or more protocols in the method list, so that a backup authentication method is available even if the previous one received no response. The first method in the list is used to identify the user. If that method receives no response, the next authentication method in the list is selected; this continues until one of the listed methods authenticates the user successfully or the method list is exhausted, in which case authentication fails.

NOTE: The next method is tried only when the previous authentication method gives no response. As soon as authentication fails at any point, that is, the security server or the local username database responds by denying the user access, the authentication process stops and no other authentication method is tried.

Figure 1 shows a representative AAA network configuration with four security servers: R1 and R2 are RADIUS servers, and T1 and T2 are TACACS+ servers.

Figure 1: AAA network configuration with RADIUS servers R1 and R2 and TACACS+ servers T1 and T2

Suppose the system administrator decides, as part of the security scheme, to apply the same authentication method to all interfaces for PPP connections: R1 is contacted first for authentication information; if R1 does not respond, R2 is contacted; if R2 does not respond, T1; if T1 does not respond, T2; and if none of the designated servers responds, authentication is handed to the local username database of the access server. When a remote user tries to enter the network by dial-up, the network access server first queries R1 for the user's authentication information. If the user is authenticated successfully, R1 sends a PASS reply to the network access server, which permits the user to access the network. If the reply is FAIL, the user is denied and the session is ended. If R1 does not respond, the network access server treats this as an ERROR and queries R2 instead. This continues through the remaining methods until the user is accepted, denied, or the session is ended.

NOTE: It is important to remember that a “FAIL” reply is entirely different from an “ERROR”. A “FAIL” means that the user does not meet the criteria held in the authentication database and so cannot be authenticated; authentication ends with the “FAIL” reply. An “ERROR” means that the security server did not respond to the authentication query. Only when AAA encounters an ERROR does it select the next authentication method defined in the authentication method list.
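The method-list walk described above and in the Figure 1 scenario, as an added example that is not part of this guide and not the access server's own code: the servers R1, R2, T1, T2 and the local database are constructed stand-ins, and the user database and credentials are invented. It shows that only an ERROR (no response) advances to the next method, while PASS or FAIL ends the process immediately.

```python
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]

def make_server(user_db: Dict[str, str], reachable: bool = True) -> Method:
    """Constructed stand-in for a RADIUS/TACACS+ server or the local database:
    unreachable means it never answers (ERROR); otherwise PASS on a credential
    match and FAIL on a mismatch."""
    def check(username: str, password: str) -> str:
        if not reachable:
            return ERROR
        return PASS if user_db.get(username) == password else FAIL
    return check

def authenticate(method_list: List[Tuple[str, Method]],
                 username: str, password: str) -> Tuple[str, Optional[str]]:
    """Walk the method list in order as the note above describes: only ERROR
    (no response) moves on to the next method, PASS or FAIL ends the process.
    Returns (result, name of the deciding method); the name is None when every
    method was exhausted without a response, which counts as failure."""
    for name, method in method_list:
        result = method(username, password)
        if result in (PASS, FAIL):
            return result, name
    return FAIL, None

USERS = {"alice": "s3cret"}  # constructed user database shared by the servers below

def figure1_all_servers_down() -> Tuple[str, Optional[str]]:
    """R1, R2, T1 and T2 are silent: the decision falls through to the local database."""
    method_list = [
        ("R1", make_server(USERS, reachable=False)),
        ("R2", make_server(USERS, reachable=False)),
        ("T1", make_server(USERS, reachable=False)),
        ("T2", make_server(USERS, reachable=False)),
        ("local", make_server(USERS)),
    ]
    return authenticate(method_list, "alice", "s3cret")

def figure1_fail_stops_early() -> Tuple[str, Optional[str]]:
    """R1 is down and R2 answers FAIL: T1 is never asked even though it would PASS."""
    method_list = [
        ("R1", make_server(USERS, reachable=False)),
        ("R2", make_server(USERS)),               # knows only alice -> FAIL for bob
        ("T1", make_server({"bob": "hunter2"})),  # would PASS, but is never reached
        ("local", make_server(USERS)),
    ]
    return authenticate(method_list, "bob", "hunter2")
```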

The configuration process

First, decide which type of security scheme you want to implement. Evaluate the security risks in your network, and set up appropriate methods to prevent unauthorized login and attacks.

 

The brief AAA configuration process

Once you understand the basic process, configuring AAA is relatively easy. Follow these steps when using AAA to configure security on a router or access server of our company:

- If you decide to use a security server, first configure the security protocol parameters, such as those for RADIUS or TACACS+.

- Use the aaa authentication command to define the method list for authentication.

- If required, apply this method list to a specific interface or line.

- Use the aaa authorization command to configure authorization (optional).

- Use the aaa accounting command to configure accounting (optional).

Related documents of configuration task

Table 1 lists the AAA configuration tasks and where to find more material.

Configuration task                                        Reference
Configure local login authentication                      Configuring Authentication
Use a security server to control login authentication     Configuring Authentication
Define the method list for authentication                 Configuring Authentication
Apply the method list to specific interfaces or lines     Configuring Authentication
Configure RADIUS protocol parameters                      Configuring RADIUS
Configure TACACS+ protocol parameters                     Configuring TACACS+

Table 1: task and document