Authentication, authorization, and accounting (AAA) network
security services provide the primary framework through which access control is
set up on a switch. AAA is an architectural framework for configuring a set of
three independent security functions in a consistent manner. AAA provides a
modular way of performing these services:
- Authentication – Provides the method of identifying users, including
login and password dialog, challenge and response, messaging support and,
depending on the security protocol, encryption.
Authentication is the way in which a user is identified prior to being
allowed access to the network and network services. AAA authentication is
configured by defining a named list of authentication methods, and then
applying that list to various interfaces. The method list defines the types of
authentication to be performed and the sequence in which they will be
performed; it must be applied to a specific interface before any of the defined
authentication methods will be performed. The only exception is the default
method list (which is named "default"). The default method list is
automatically applied to all interfaces if no other method list is defined. A
defined method list overrides the default method list.
All authentication
methods must be defined through AAA, with the exception of local, line
password, and enable authentication.
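The method-list mechanism described above, shown as an added Cisco IOS configuration example (it is not part of the original text). It defines a named login authentication list, keeps the "default" list for the console, and applies the named list to the vty lines. The server name, address, shared secret, account name, and list names are assumptions chosen for illustration.

```cisco
! Added example, not from the original page. Names, addresses and secrets are placeholders.
! Enable the AAA framework; everything except local, line-password and enable
! authentication must be defined through it.
aaa new-model
!
! The TACACS+ server the method list will reference (assumed address and key).
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server tacacs+ ADMIN-TACACS
 server name TAC-PRIMARY
!
! Local fallback account, consulted only if no server in the group responds.
username netadmin privilege 15 secret PLACEHOLDER-PASSWORD
!
! Named method list: methods are tried in the order listed. The next method is
! consulted only when the previous one returns an error (for example, the server
! is unreachable), not when the server explicitly rejects the user.
aaa authentication login ADMIN-LOGIN group ADMIN-TACACS local
!
! The "default" list applies to every line that has no named list applied.
aaa authentication login default local
!
! Apply the named list to the remote-access lines only. The console stays on the
! default list, so an administrator can still log in locally if TACACS+ is down.
line vty 0 4
 login authentication ADMIN-LOGIN
 transport input ssh
!
line con 0
 login authentication default
```

Verify the result before closing the session used to configure it: open a second SSH session and confirm the TACACS+ account is accepted, then temporarily point the server group at an unreachable address and confirm the local account still works. A method list that ends without a reachable fallback is the usual way administrators lock themselves out.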
- Authorization – Provides the method for remote access control,
including one-time authorization, or authorization for each service, per-user
account list and profile, user group support, and support of IP, Internetwork
Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet.
AAA authorization works by assembling a set of attributes that describe
what the user is authorized to perform, such as access to different parts of
the network. These attributes are compared to the information contained in a
database for a given user, and the result is returned to AAA to determine the
actual capabilities and restrictions of the user. The database can be located
locally on the multilayer switch, or it can be hosted remotely on a RADIUS or
TACACS+ security server. Remote security servers, such as RADIUS and TACACS+,
authorize users for specific rights by associating attribute-value pairs, which
associate those rights with the appropriate user. All authorization methods
must be defined through AAA.
As with authentication, configure AAA
authorization by defining a named list of authorization methods, and then
applying that list to various interfaces.
- Accounting – Provides a method for collecting and sending security
server information used for billing, auditing, and reporting. This is
information such as user identities, start and stop times, executed commands
(such as PPP), number of packets, and number of bytes. Security experts can use
the information gained from accounting to audit and improve security.
In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or
802.1X to administer its security functions. If the switch is acting as a
network access server, AAA is the means through which a switch establishes
communication between the network access server and the RADIUS, TACACS+, or
802.1X security server.
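The authorization and accounting method lists described in the two sections above, shown as an added Cisco IOS configuration example that is not part of the original text. It sends EXEC and command authorization requests to a TACACS+ server group, which answers with attribute-value pairs describing what the user may do, and sends start and stop accounting records for the same sessions and commands. Server name, address, shared secret, and list names are assumptions.

```cisco
! Added example, not from the original page. Names, addresses and secrets are placeholders.
aaa new-model
!
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
!
aaa group server tacacs+ ADMIN-TACACS
 server name TAC-PRIMARY
!
! Authorization acts on an authenticated user, so the line also needs a login list.
aaa authentication login ADMIN-LOGIN group ADMIN-TACACS local
!
! EXEC authorization: the server's attribute-value pairs (for example, the privilege
! level) set the user's capabilities; fall back to the local database if no server answers.
aaa authorization exec ADMIN-AUTHZ group ADMIN-TACACS local
!
! Per-command authorization for privilege-15 commands. This is a TACACS+ feature;
! RADIUS does not authorize individual commands. "if-authenticated" lets an
! already-authenticated session continue if the server becomes unreachable.
aaa authorization commands 15 ADMIN-AUTHZ group ADMIN-TACACS if-authenticated
!
! Accounting: start and stop records for each EXEC session and each privilege-15
! command, giving the server the user identity, timestamps and executed commands.
aaa accounting exec ADMIN-ACCT start-stop group ADMIN-TACACS
aaa accounting commands 15 ADMIN-ACCT start-stop group ADMIN-TACACS
!
! Apply the lists to the remote-access lines.
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-AUTHZ
 authorization commands 15 ADMIN-AUTHZ
 accounting exec ADMIN-ACCT
 accounting commands 15 ADMIN-ACCT
 transport input ssh
```

The accounting records are the part of this configuration that a security team reviews most: a command record whose user identity or timing does not match a change ticket is the signal to look for, and the "commands 15" list is what makes configuration-mode activity visible on the server at all.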