You probably use Authentication, Authorization, and Accounting (AAA), in some form, every day. But what is AAA in terms of network security? David Davis tells you what you need to know about AAA and the basic configuration for it in the Cisco IOS.
What is AAA?
When it comes to network security, AAA is a requirement. Here is what each of these are used for and why you should care:
- Authentication: Identifies users by login and password using challenge and response methodology before the user even gains access to the network. Depending on your security options, it can also support encryption.
- Authorization: After initial authentication, authorization looks at what that authenticated user has access to do. RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs, which would be specific to the individual user rights. In the Cisco IOS, you can define AAA authorization with a named list or authorization method.
- Accounting: The last "A" is for accounting. It provides a way of collecting security information that you can use for billing, auditing, and reporting. You can use accounting to see what users do once they are authenticated and authorized. For example, with accounting, you could get a log of when users logged in and when they logged out.
Why every network admin should care about AAA
Besides passing certification tests like the Cisco CCNA Security, AAA is a critical piece of network infrastructure. AAA is what keeps your network secure by making sure only the right users are authenticated, that those users have access only to the right network resources, and that those users are logged as they go about their business.
How do you configure AAA in the Cisco IOS?
Here are the steps to configuring AAA:
- Enable AAA
- Configure authentication, using RADIUS or TACACS+
- Define the method lists for authentication
- Apply the method lists per line/ per interface
It is important to note that Cisco IOS software attempts authentication with the next-listed authentication method only when there is no response from the previous method. If the security server or user database responds by denying the user access, the authentication process and the user will get a denied user prompt. To configure AAA, use the following statement in global configuration mode:
Router(config)# aaa new-model
From this point, most admins start configuring AAA by setting up authentication.
Here is one example of how to configure login authentication using the enable password.
Perhaps you wanted to apply a method list only to a particular interface or set of interfaces. You would create a method list and then apply it to the interfaces. Here's an example of an authentication method that will be applied only to an interface:
Router(config)# aaa authentication ppp default group radius group tacacs+ local
There are literally hundreds of different ways to configure AAA, including group RADIUS and TACACS+. For more information, see the official Cisco IOS documentation article, "Configuring Authentication."
Can you configure your routers to use Windows Active Directory for Authentication? Yes, you can; see my article "Configure Cisco Routers to Use Active Directory Authentication -- the Router Side" for more information.Conclusion
In this article, we learned what authentication, authorization, and accounting (AAA) is and how it can help you. We learned that AAA is critical to securing your network. After that, we saw an example of how to configure AAA in the Cisco IOS.
To read more about AAA, view Cisco IOS article "Part 1: Authentication, Authorization, and Accounting (AAA)."
Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!