1. Introduction
Managing network access using only the user mode or privilege mode password commands is limited and does not scale. Instead, using the Authentication, Authorization, and Accounting (AAA) protocol provides the necessary framework to enable scalable access security.
2. AAA Overview
Local database authentication can be implemented using one of the following commands:
- username <username> password <password>
- username <username> secret <password>
The local database method has some limitations:
- The user accounts must be configured locally on each device.
- The local database configuration provides no fallback authentication method.
AAA network security services provide the primary framework to set up access control on a network device.
AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting).
It provides a higher degree of scalability than the con, aux, vty and privileged EXEC authentication commands alone.
Network and administrative AAA security in the Cisco environment has several functional components:
- Authentication - Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. For example: "I am user 'student'. I know the password to prove that I am user student."
- Authorization - After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is "User 'student' can access host serverxyz using Telnet only."
- Accounting and auditing - Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is "User 'student' accessed host serverxyz using Telnet for minutes."
This concept is similar to the use of a credit card. The credit card identifies who can use it, how much this user can spend, and keeps account of what items the user spent money on.
3. AAA Characteristics
3.1 AAA Authentication
Cisco provides the following common methods of implementing AAA services:
- Local AAA Authentication - Local AAA uses a local database for authentication.
- Server-based AAA Authentication - Uses an external database server resource that leverages the RADIUS or TACACS+ protocols.
3.2 AAA Authorization
Authorization is automatic and does not require users to perform additional steps after authentication. Authorization is implemented immediately after the user is authenticated.
3.3 AAA Accounting
Accounting is implemented using an AAA server-based solution. This service reports usage statistics back to the ACS server. These statistics can be extracted to create detailed reports about the configuration of the network.
4. Local AAA Authentication
4.1 Configuring Local AAA Authentication with CLI
Step 1. Add usernames and passwords to the local router database for users who need administrative access to the router.
Step 2. Enable AAA globally on the router: Router(config)# aaa new-model
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.
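The four steps above, as an added audit example that is not part of the original notes: a small Python check run over constructed IOS running-config excerpts (not real device output) that flags the three weaknesses this page names: AAA not enabled with "aaa new-model", "username ... password" used instead of "username ... secret", and a server-based login method list with no local fallback. The config text and the function name audit_aaa are assumptions for the example.

```python
import re

# Constructed sample: local database only, no AAA, reversible 'password' keyword.
WEAK_CONFIG = """\
hostname R1
username admin password cisco123
line vty 0 4
 login local
"""

# Constructed sample: server-based list that falls back to local; 'secret' for the user.
HARDENED_CONFIG = """\
hostname R1
aaa new-model
username admin secret StrongPassw0rd!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
"""

# Constructed sample: AAA enabled, but the vty method list has no fallback at all.
NO_FALLBACK_CONFIG = """\
aaa new-model
username admin secret StrongPassw0rd!
aaa authentication login default group tacacs+
"""


def audit_aaa(config: str) -> list:
    """Return one finding string per AAA weakness found in an IOS config excerpt."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model not enabled: AAA framework is unavailable")
    for line in lines:
        m = re.match(r"username (\S+) password ", line)
        if m:
            findings.append(f"user {m.group(1)} uses 'password' (reversible); use 'secret'")
    for line in lines:
        if line.startswith("aaa authentication login "):
            tokens = line.split()          # aaa authentication login <list> <methods...>
            list_name, methods = tokens[3], tokens[4:]
            if any(t.startswith("group") for t in methods) and "local" not in methods:
                findings.append(f"login list {list_name} has no local fallback if the server is unreachable")
    return findings
```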
4.2 Configuring Local AAA authentication with SDM
5. Server-based AAA
TACACS+ and RADIUS are both authentication protocols.
AAA (Authentication, Authorization, Accounting)