What is AAA?
It stands for Authentication, Authorization, and Accounting. When it comes to network security, AAA is one of many features a network manager may use. Here is what each of these are used for and why you should care:
- Authentication: Identifies users, typically by username and password or by a challenge-and-response exchange (such as CHAP on a PPP link), before the user is granted access to the network or the device. Depending on the protocol and the security options you choose, the credential exchange can also be protected by encryption.
- Authorization: After initial authentication, authorization determines what that authenticated user is allowed to do. RADIUS or TACACS+ security servers return attribute-value (AV) pairs that define the privileges granted to that specific user. In Cisco IOS, you configure authorization with named method lists, in the same way you configure authentication.
- Accounting: The last “A” is accounting. It provides a way of collecting security information that you can use for billing, auditing, and reporting. You can use accounting to see what users do once they are authenticated and authorized. For example, with accounting, you would have a log of when the user logged in and when they logged out.
Why every network admin should care about AAA
Besides passing certification tests like the Cisco CCNA Security, AAA is a critical piece of network infrastructure. AAA is what keeps your network secure by making sure only the right users are authenticated, that those users have access only to the right network resources, and that their activity is logged as they go about their business.
How do you configure AAA in the Cisco IOS?
Here are the steps to configuring AAA:
- Enable AAA
- Configure authentication, using RADIUS or TACACS+
- Define the method lists for authentication
- Apply the method lists per line/ per interface
It is important to note that Cisco IOS software tries the next-listed authentication method only when the previous method returns no response (for example, the security server is unreachable). If the security server or the local user database responds by denying the user access, the authentication process stops right there, the user gets an access-denied prompt, and the remaining methods in the list are never tried. To enable AAA, use the following statement in global configuration mode:
Router(config)# aaa new-model
From this point, most admins start by configuring authentication.
Here is one example of how to configure login authentication using the enable password as the default method. This is fine for a lab, but note that every user then shares a single secret, so there is no per-user accountability.
Router(config)# aaa authentication login default enable
Perhaps you want to apply a method list only to a particular interface or set of interfaces. You would create a named method list and then apply it to those interfaces. Here is an example with two PPP lists: the default list, which applies to every PPP interface that has no explicit list, and a named list, apple, that is applied only to one async interface:
Router(config)# aaa authentication ppp default group radius group tacacs+ local
Router(config)# aaa authentication ppp apple group radius group tacacs+ local none
Router(config)# interface async 3
Router(config-if)# ppp authentication chap apple
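The following configuration walks through the four steps above (enable AAA, define the RADIUS and TACACS+ servers, build the method lists, apply them per line) for management login on a router. It is an added example written for this article, not configuration taken from the Cisco documentation, and the server names, addresses, shared secrets, the local account and the list name CONSOLE are placeholders you would replace with your own.

```cisco
! Step 1: enable AAA. This replaces the old line/enable password model.
aaa new-model
!
! Step 2: define the security servers (placeholder addresses and keys).
radius server RAD1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key RadiusSharedSecret
!
tacacs server TAC1
 address ipv4 10.0.0.12
 key TacacsSharedSecret
!
aaa group server radius RAD-GROUP
 server name RAD1
!
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
! Local fallback account, consulted only when every server is unreachable.
username admin privilege 15 secret StrongLocalPassword
!
! Step 3: method lists. A method is tried only when the previous one
! returned no answer; a reject from TACACS+ or RADIUS ends the list,
! so the local account cannot be used to bypass a server-side denial.
aaa authentication login default group TAC-GROUP group RAD-GROUP local
aaa authentication login CONSOLE local
aaa authentication enable default group TAC-GROUP enable
aaa authorization exec default group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! Step 4: apply the lists per line. The console keeps a local-only list
! so that a dead network never locks you out of the box.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
```

Two design points are worth noting. The console line is deliberately given a local-only list rather than the default one, so an outage of the AAA servers still leaves you a way in at the physical console. Command accounting is sent to the TACACS+ group only, because per-command accounting is a TACACS+ feature that RADIUS does not provide.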
One caution on the apple list above: the trailing none method means that if RADIUS, TACACS+, and the local database all return no answer, the user is let in with no authentication at all. That is an availability trade-off for dial-in links, not something to put on a management line. There are literally hundreds of different ways to configure AAA, including server groups for RADIUS and TACACS+. For more information, see the official Cisco IOS documentation article, “Configuring Authentication.”
To read more about AAA, view the Cisco IOS article, “Part 1: Authentication, Authorization, and Accounting (AAA).”