Network Security

secure management access

Securing access to your network is a crucial step in preventing unauthorized access. Designing a network must involve controlling who is allowed to connect, when users can do so, and what they can do when connected to a session. These designs can be identified and implemented through a network security policy. A network security policy outlines how end users, network administrators, and clients access network resources.

The network security policy can also dictate implementing an accounting system to track network logins. The objective of this chapter is to understand AAA concepts and protocols. You will also learn about port security based on the 802.1X authentication standard.

Authentication, Authorization, and Accounting (AAA) Concepts

The AAA framework provides a scalable way to implement and enforce network access security. Administrators use it to control who can access network resources and to track or audit that access.

AAA Components

AAA security has three functional components:

Authentication

• Authentication verifies the user's identity. Users accessing the network must prove who they say they are.

Authorization

• Authorization enforces user permissions. After authentication, authorization determines which network resources the user can access.

Accounting and Auditing

• The accounting component tracks user activity. Accounting records what a user does once authorized on the network and keeps a record of how network resources are used.

Local vs. Remote Authentication

Local                                          Remote
Manages each device individually               Central management
Secures each device individually               Central security
Configures users on each device individually   Central user configuration

System Access

Access to networks and network devices can be granted locally or remotely. To ensure users are who they say they are, users must declare their identities to gain access. Various methods include usernames, passwords, token cards, security questions, and biometrics. This process is known as authentication. Local and remote access includes login pages, SSH, and Remote Desktop Protocol.

Most modern authentication services use multi-factor authentication.

Local Authentication

Local authentication involves storing users' credentials on the device being accessed. That device compares the user's input to the stored data and, if they match, grants access. Many devices support local authentication, including PCs, switches, routers, and firewalls. When a user logs in to a computer, Windows verifies the credentials against the local Security Accounts Manager (SAM) database.

Remote Authentication

Remote authentication involves storing user credentials on a remote server for authentication. Devices ask the server to authenticate users based on the user database stored on the server. This method allows for the centralization of stored usernames and passwords. An example of remote authentication would be a PC password being checked against Active Directory in a domain environment.

What Does AAA Do?

AAA is a model that describes how to:

• Authenticate user accounts.

• Control access to resources.

• Audit network activity.

• Ensure policy compliance.

The AAA service is provided by dedicated servers and standard protocols, such as RADIUS and TACACS+.

RADIUS & TACACS+

AAA Protocols

Two common AAA protocols are RADIUS and TACACS+:

RADIUS

• Developed as an open standard by the Internet Engineering Task Force (IETF)

• Uses UDP as its transport protocol

• Combines authentication and authorization

TACACS+

• Developed by Cisco

• Cisco's latest AAA protocol version

• Supported by many vendors

• Uses TCP as its transport protocol

• Separates the authentication, authorization, and accounting processes
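To make the RADIUS bullets concrete, here is an added example (not part of the course material) that builds and decodes a minimal RADIUS Access-Request as laid out in RFC 2865; it goes beyond the slides into the packet format, and the username, password and shared secret are constructed sample values.

```python
import hashlib
import os
import struct

# Added example (not from the course material): build and decode a minimal RADIUS
# Access-Request per RFC 2865, including User-Password hiding with the shared secret.
ACCESS_REQUEST = 1       # RADIUS packet code
ATTR_USER_NAME = 1       # attribute types (RFC 2865 section 5)
ATTR_USER_PASSWORD = 2

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret +
    previous block), the first block being keyed by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse hide_password; only a holder of the shared secret can."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator=None):
    """Return (packet, authenticator): Code(1) Identifier(1) Length(2)
    Authenticator(16) header followed by Type/Length/Value attributes."""
    authenticator = authenticator or os.urandom(16)  # fresh 16 random bytes per request
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, username.encode()), (ATTR_USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_attributes(packet):
    """Return {type: value} for the TLV attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```

The password hiding is only as strong as the shared secret, which is why RADIUS exchanges between network devices and the server are normally confined to a protected management network.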

RADIUS Features

Common RADIUS features include:

• Operates on multiple platforms

• Can run standalone or on an existing system

• Integrates with Active Directory

• Allows Cisco routers to authenticate via Microsoft servers

• Suitable for wired and wireless networks

RADIUS is also the authentication protocol commonly used with the 802.1X port-based access control standard.