1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
•
Authentication
—Identifies users and verifies their validity.
•
Authorization
—Grants different users different rights, and controls the users' access to resources
and services. For example, you can permit office users to read and print files and prevent guests
from accessing files on the device.
•
Accounting
—Records network usage details of users, including the service type, start time, and
traffic. This function enables time-based and traffic-based charging and user behavior auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server (NAS),
which authenticates user identities and controls user access. The server maintains user information
centrally. See
Figure 1
AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS. The
NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or deny
the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most often
has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company wants
employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an accounting
server.
The device performs dynamic password authentication.
Remote user
NAS
RADIUS server
HWTACACS server
Internet
Network