Authentication Authorization and Accounting

Authentication, authorization, and accounting (AAA, pronounced triple A) provides a security framework for Cisco IOS routers and other network devices that goes well beyond the simple password-based user authentication available on IOS devices.

AAA provides a method to identify which users are logged into a router and each user's authority level. AAA also provides the capability to monitor user activity and provide accounting information.

In today's IP networks, access to network data is available in a variety of methods, including the following:

■ PSTN dialup modems

■ Internet access through virtual private networks (VPNs)

The AAA model is defined as follows:

■ Authentication—Who are you, and can you prove it?

■ Authorization—What resources are you permitted to use?

■ Accounting—What resources were accessed, at what time, by whom, and what commands were issued?

The three phases together ensure that only legitimate users are permitted access: a remote user must be authenticated before being granted access to any network resource.

Authentication requires the user to prove an identity, typically by submitting a username and password; challenge/response exchanges are also supported. After the user is authenticated, authorization defines which services or resources in the network that user is permitted to access. The operations permitted here can include IOS privileged EXEC commands. For example, a user might be able to enter commands at the prompt but be permitted to run only the particular show and debug commands for which the user is authorized.

Accounting allows the network administrator to log and later review what was actually performed (for example, whether a Cisco router was reloaded or its configuration changed) and at what time. Accounting keeps track of the information needed to audit and report network resource usage. This typically includes the username, the start and stop time of the login session, and the commands typed by the user.

NOTE To start AAA on a Cisco router, issue the following IOS command: aaa new-model
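The following IOS configuration is an added example that is not part of the original text; it ties the three phases described above to the commands that implement them on a router. Every name and address in it is hypothetical: a TACACS+ server at 10.0.0.5 named ISE1, a server group TACACS-GROUP, and a local user admin. The placeholders in angle brackets must be replaced before use.

```cisco
! Added example (not from the original text). Hypothetical names and
! addresses: TACACS+ server 10.0.0.5 (ISE1), group TACACS-GROUP, local
! user "admin". Replace the <...> placeholders before use.
!
! 1. Create a local fallback account BEFORE enabling aaa new-model.
!    Enabling AAA applies the "default" login method list to every line;
!    with no reachable server and no local user you lock yourself out.
username admin privilege 15 secret <strong-password>
!
! 2. Enable AAA.
aaa new-model
!
! 3. Define the TACACS+ server and a server group for the method lists.
tacacs server ISE1
 address ipv4 10.0.0.5
 key <shared-secret>
aaa group server tacacs+ TACACS-GROUP
 server name ISE1
!
! 4. Authentication: who are you?
!    Try TACACS+ first; fall back to the local database only when no
!    server answers. A server that REJECTS the user does not trigger
!    the fallback, so a rejected login stays rejected.
aaa authentication login default group TACACS-GROUP local
aaa authentication enable default group TACACS-GROUP enable
!
! 5. Authorization: what are you permitted to do?
!    EXEC authorization sets the privilege level at login; command
!    authorization asks the server about each level-15 command, and
!    config-commands extends that to configuration mode commands.
!    if-authenticated lets an already-authenticated user continue if
!    the server becomes unreachable mid-session.
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP if-authenticated
aaa authorization config-commands
!
! 6. Accounting: what was done, when, and by whom?
!    start-stop records both the beginning and the end of each EXEC
!    session and each level-15 command, giving the audit trail the
!    text describes (user, start/stop time, commands typed).
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
!
! 7. Apply to the remote-access lines and restrict them to SSH so the
!    credentials exchanged during authentication never cross the
!    network in the clear.
line vty 0 4
 login authentication default
 transport input ssh
```

Keep an existing console session open while entering these commands, and confirm the server is reachable with show aaa servers before closing it; the ordering above (local user first, aaa new-model second) exists precisely so that a typo in the server definition leaves you with a working fallback rather than an unreachable router.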

Figure 4-1 displays a typical secure network scenario.

Figure 4-1 Secure Network Access

The users could be dialup users running async (in this case, PSTN) or using ISDN with Point-to-Point Protocol (PPP). The network access server (NAS) ensures that only authenticated users have access to the secure network; it maintains resources and accounting information.

Authorization determines which resources, or which hosts, an authenticated user is permitted to reach (such as FTP servers). The NAS implements the AAA protocols and also collects data regarding which network resources were accessed. The NAS can also enforce that devices inside the secured network require their own authentication. For example, the users in Figure 4-1 who access Router R1 must present a valid username/password pairing before they can enter any IOS commands.

The following sections further define what authentication, authorization, and accounting are by discussing a common Cisco IOS router example.
