Foundation Topics: Authentication, Authorization, and Accounting (AAA)

Authentication, authorization, and accounting (AAA, pronounced "triple A") provides security on Cisco IOS routers and network devices beyond the simple user authentication available on IOS devices.

AAA provides a method to identify which users are logged into a router and each user's authority level. AAA also provides the capability to monitor user activity and provide accounting information.

In today's IP networks, access to network data is available in a variety of methods, including the following:

• PSTN dialup modems

• Access through the Internet through virtual private networks (VPNs)

The AAA model is defined as follows:

• Authorization—What resources are you permitted to use?

• Accounting—What resources were accessed, what time, by whom were they used, and what commands were issued?

The three phases ensure that legitimate users are permitted access. A remote user must be authenticated before being permitted access to network resources.

Authentication allows the user to submit a username and password and permits challenges and responses. After the user is authenticated, authorization defines which services or resources in the network the user is permitted to access. The operations permitted here can include IOS privileged EXEC commands. For example, a user might be permitted to type only certain show and debug commands; those are the commands being authorized.

Accounting allows the network administrator to log and view what was actually performed (for example, whether a Cisco router was reloaded or the configuration was changed). Accounting ensures that an audit trail exists, so network administrators can view what was performed and at what time. Accounting keeps track of, audits, and reports network resource usage information. This typically includes the username, the start and stop time of the login, and the commands typed by the user.

NOTE: To start AAA on a Cisco router, issue the following IOS command:

aaa new-model

On a PIX Firewall, the command syntax is as follows:

aaa-server
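As an added example (not from the book), the following Cisco IOS configuration puts the three phases together on one router: login authentication against a TACACS+ server with local fallback, authorization that limits a level-5 operator to selected show and debug commands, and start-stop accounting of EXEC sessions and commands. The server address, shared key, user names, and passwords are constructed placeholders.

```cisco
! Added example, not from the book. Address, key, user names, and
! passwords are constructed placeholders.
aaa new-model
!
! AAA server: one TACACS+ host (constructed address and key)
tacacs server AAA-SRV
 address ipv4 192.0.2.10
 key EXAMPLE-SHARED-KEY
!
! Authentication (who are you?): ask TACACS+ first and fall back to the
! local user database only when no server answers.
aaa authentication login default group tacacs+ local
!
! Authorization (what may you do?): the EXEC shell and level-5/15
! commands are checked by TACACS+, with local privilege levels as fallback.
aaa authorization exec default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting (what was done, when, and by whom?): send start and stop
! records for every EXEC session and every level-5/15 command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback accounts: a full administrator and a level-5 operator.
username admin privilege 15 secret EXAMPLE-ADMIN-PW
username oper privilege 5 secret EXAMPLE-OPER-PW
!
! Move only the commands the operator needs down to level 5; everything
! else stays at level 15 and is refused for the operator account.
privilege exec level 5 show ip route
privilege exec level 5 show ip interface brief
privilege exec level 5 debug ip icmp
!
! Apply the default method lists to the VTY lines explicitly.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 5 default
 authorization commands 15 default
 accounting exec default
 accounting commands 5 default
 accounting commands 15 default
```

With a reachable TACACS+ server the server's per-user policy decides each command; the local privilege levels only take effect when the server is unreachable, so both should express the same policy.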

Figure 5-1 displays a typical secure network scenario.

Figure 5-1 Secure Network Access

The users could be dialup users running Async (in this case PSTN) or using ISDN with Point-to-Point Protocol (PPP). The Network Access Server (NAS) ensures that only authenticated users have access to the secure network; it maintains resources and accounting information.

Authorization determines which resources, or host devices, the user is authorized to access (such as FTP servers). The NAS implements the AAA protocols and also collects data regarding what network resources were accessed. The NAS can also ensure that devices in the secured network require authentication. For example, the users in Figure 5-1 who are accessing Router R1 will require a valid username/password pairing to enter any IOS commands.

The following sections further define what authentication, authorization, and accounting are by discussing a common Cisco IOS router example.
