Implementing Authentication, Authorization, and Accounting – AAA
What is AAA?

Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which access control is set up on a switch. AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing these services:

  • Authentication – Provides the method of identifying users, including login and password dialog, challenge and response, messaging support and, depending on the security protocol, encryption.

Authentication is the way in which a user is identified prior to being allowed access to the network and network services. AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they will be performed; it must be applied to a specific interface before any of the defined authentication methods will be performed. The only exception is the default method list (which is named "default"). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.

All authentication methods must be defined through AAA, with the exception of local, line password, and enable authentication.

  • Authorization – Provides the method for remote access control, including one-time authorization, or authorization for each service, per-user account list and profile, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet.

AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform, such as access to different parts of the network. These attributes are compared to the information contained in a database for a given user, and the result is returned to AAA to determine the actual capabilities and restrictions of the user. The database can be located locally on the multilayer switch, or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value pairs, which associate those rights with the appropriate user. All authorization methods must be defined through AAA.

As with authentication, configure AAA authorization by defining a named list of authorization methods, and then applying that list to various interfaces.

  • Accounting – Provides a method for collecting and sending security server information used for billing, auditing, and reporting. This is information such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Security experts can use the information gained from accounting to audit and improve security.

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or 802.1X to administer its security functions. If the switch is acting as a network access server, AAA is the means through which a switch establishes communication between the network access server and the RADIUS, TACACS+, or 802.1X security server.
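As an added illustration (not configuration taken from the original document), the following IOS-style AAA configuration ties the three functions above to a TACACS+ server group: a default login list applied automatically to every line, a named list that overrides it on the console, and authorization and accounting lists sending records to the server. The server name, address, shared-secret placeholders, server-group and list names, and the local username are assumptions.

```cisco
! Added example, not from the original document. Server hostname, address,
! keys, group name and list names are assumed placeholders.
!
aaa new-model
!
! TACACS+ server definition and the server group the method lists refer to
tacacs server TAC-SRV1
 address ipv4 192.0.2.10
 key 0 REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ TAC-GROUP
 server name TAC-SRV1
!
! Authentication: the list named "default" is applied to every line that has
! no named list. Methods run in the order listed; the next method is tried
! only when the previous one returns an error (server unreachable), not when
! the server rejects the credentials.
aaa authentication login default group TAC-GROUP local
!
! A named list overrides the default list wherever it is applied. The console
! uses only the local database so it stays usable if TACACS+ is down.
aaa authentication login CONSOLE local
!
! Authorization: derive the user's EXEC privilege from the TACACS+
! attribute-value pairs, falling back to the local user database on error.
aaa authorization exec default group TAC-GROUP local
!
! Accounting: send start/stop records for EXEC sessions and privilege-15
! commands (user identity, start and stop times, executed commands).
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! Local account used when the server group returns an error
username admin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
!
line con 0
 login authentication CONSOLE
!
! No "login authentication" statement here, so the default list applies
line vty 0 4
 transport input ssh
```

The `local` method at the end of each list is the fallback that prevents administrative lockout when the TACACS+ server is unreachable; it does not provide a second chance after the server has rejected a login.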