AAA Overview

Written by Leon Tufallo; published September 2007.



AAA combines three independent security functions in a modular fashion that allows you to configure access control to your network devices, such as routers and switches. The three modules you will be concerned with in this article are as follows:

  • Authentication: Provides the methods you will use to identify your users before allowing them access to your network services. These methods include challenge and response, login and password dialog, encryption, and messaging support.

  • Authorization: Provides the methods you will use for remote access control, such as per-user account list and profile, support of IP and Telnet, one-time authorization or authorization for each service, and user group support.

  • Accounting: Provides the method you will use to collect and send security server information. You may use this information for auditing, billing, or reporting.

These modules are discussed further in the following sections.

Authentication

Authentication is the method used to identify a user before he or she is allowed access to your network and its services. Configuring AAA authentication comes down to two steps: define a named list of the authentication methods you want, then apply that list to the lines (console, vty) or interfaces it should govern. The method list defines both the types of authentication to be performed and the sequence in which they are tried. With one exception, the method list named "default," a method list has no effect until you apply it to a specific line or interface. The default method list is applied automatically to every line and interface that has no other list applied. All authentication methods except local, line password, and enable authentication must be defined through AAA. When you also implement authorization, users must be authenticated before any authorization can take place.

Authorization

Authorization is designed to work by assembling a set of attributes you define to determine if a user is authorized to perform a certain task. Your defined attributes are compared to the information stored in the database for a given user. The result (the user's capabilities and restrictions) is returned to AAA. You can define the database locally on the network device or host it remotely on a RADIUS or TACACS+ security server, such as Cisco Secure Access Control Server (ACS). TACACS+ and RADIUS security servers authorize your users for their specific rights by using attribute-value (AV) pairs, which associate their rights with the appropriate user. All authorization methods must be defined through AAA. Just like authentication, you configure AAA authorization through the use of a named list of authorization methods and then apply your defined list to your specific interface(s).
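
The following is an added example, not code from the original article or from any AAA server: it shows how the attribute-value pairs described above are handled on the network device side of a TACACS+ authorization exchange. In TACACS+ the character after the attribute name marks it mandatory ("=") or optional ("*"); a mandatory attribute the device cannot honour must fail the authorization, while an unsupported optional one is ignored. The attribute names, the set of supported attributes and the server replies are constructed for the demonstration.

```python
"""Applying TACACS+ authorization AV pairs on the device (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool


def parse_av_pair(arg: str) -> AVPair:
    """Split one argument at the first '=' or '*'. The attribute name cannot
    contain either character, but the value may (e.g. "cmd-arg=a=b")."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            if i == 0:
                raise ValueError(f"empty attribute name in {arg!r}")
            return AVPair(arg[:i], arg[i + 1:], ch == "=")
    raise ValueError(f"no '=' or '*' separator in {arg!r}")


def apply_authorization(server_args: Iterable[str],
                        supported: Set[str]) -> Tuple[bool, Dict[str, str]]:
    """Device-side handling of the server's reply: merge its AV pairs into the
    session's effective attributes. Returns (authorized, effective attributes).
    An unsupported mandatory attribute denies the whole request; an unsupported
    optional attribute is dropped silently."""
    effective: Dict[str, str] = {}
    for arg in server_args:
        pair = parse_av_pair(arg)
        if pair.attribute not in supported:
            if pair.mandatory:
                return False, {}      # cannot honour a mandatory requirement
            continue                  # optional: safe to ignore
        effective[pair.attribute] = pair.value
    return True, effective


if __name__ == "__main__":
    # Constructed replies; "vendor-x" stands for an attribute this device lacks.
    known = {"priv-lvl", "idletime", "cmd"}
    print(apply_authorization(["priv-lvl=15", "idletime*10", "vendor-x*1"], known))
    print(apply_authorization(["priv-lvl=15", "vendor-x=1"], known))
```

The second call is the case that matters operationally: a server that insists on an attribute the device does not understand causes the authorization to fail closed rather than silently granting a session without the intended restriction.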

Accounting

Accounting lets you track the services your users access, as well as the amount of network resources they consume. AAA accounting accomplishes this by reporting each user's activity to the RADIUS or TACACS+ security server in the form of accounting records. These records consist of accounting AV pairs and are stored on the security server (for example Cisco Secure ACS) for later network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with the previous AAA modules, you configure AAA accounting by defining named lists of accounting methods and then applying a list to the lines or interfaces it should govern.

AAA Protocols

AAA uses two major security server protocols: TACACS+ and RADIUS. Either lets you authenticate a large number of users, because the security server, rather than each individual network device, holds the database of usernames and passwords. The two protocols share many features. TACACS+ is Cisco's enhancement of the original TACACS protocol, whereas RADIUS is an open IETF standard. You can implement a TACACS+ or RADIUS server on a UNIX platform or a Windows platform.

RADIUS is covered in the following RFCs:

  • RFC 2138, Remote Authentication Dial In User Service (RADIUS) (obsoleted by RFC 2865)

  • RFC 2139, RADIUS Accounting (obsoleted by RFC 2866)

  • RFC 2865, Remote Authentication Dial In User Service (RADIUS)

  • RFC 2866, RADIUS Accounting

  • RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support

  • RFC 2868, RADIUS Attributes for Tunnel Protocol Support

  • RFC 2869, RADIUS Extensions

TACACS+ is covered by the following Internet Draft and RFC:

  • The TACACS+ Protocol Version 1.78 (draft-grant-tacacs-02.txt); the protocol was later published as RFC 8907, The TACACS+ Protocol (September 2020)

  • RFC 1492, An Access Control Protocol, Sometimes Called TACACS (the original TACACS, with which TACACS+ is not compatible)

AAA Transport Protocols

Just like any packet that travels across your IP network, both TACACS+ and RADIUS ride on the TCP/IP stack. This is also one area in which they differ: RADIUS uses UDP for communication between the client and the security server, whereas TACACS+ uses TCP. TACACS+ operates over TCP port 49, and RADIUS operates over UDP port 1812 for authentication and UDP port 1813 for accounting. Some RADIUS implementations still use the older, unofficial ports 1645 for authentication and 1646 for accounting; these conflict with the registered "datametrics" service, which is why IANA assigned 1812 and 1813. Check which pair a given server and client expect, and open the matching ports in any intervening firewall.

Packet Encryption

One other area in which RADIUS and TACACS+ differ is how much of each packet they protect. RADIUS hides only the User-Password attribute of a client-to-server Access-Request, by XORing it with an MD5 keystream derived from the shared secret and the packet's Request Authenticator (RFC 2865, section 5.2). This is obfuscation rather than strong encryption. Everything else in the packet, such as the username, the authorized services, and all accounting data, crosses the network in clear text, so RADIUS traffic should be confined to a trusted management network or carried over a protected transport such as RADIUS over TLS (RFC 6614).

TACACS+ obfuscates the entire body of every packet, in both directions, using an MD5-derived pseudo-pad built from the session ID, the shared key, the version, and the sequence number. Only the 12-byte TACACS+ header is sent in the clear; it contains a flags field whose TAC_PLUS_UNENCRYPTED_FLAG bit states whether the body that follows is obfuscated. As with RADIUS, this is an MD5 XOR scheme rather than modern authenticated encryption, so the transport between device and server still deserves protection.
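
The two schemes described in this section, as an added example written for this page rather than code from the article or from either protocol's reference implementations. It builds a RADIUS Access-Request whose User-Name is visible while its User-Password is hidden per RFC 2865 section 5.2, and a TACACS+ authentication START packet whose whole body is XORed with the pseudo-pad from the draft (RFC 8907 section 4.5) while the header stays readable. The shared secret, key, username, password, session ID and packet identifier are constructed values.

```python
"""RADIUS User-Password hiding versus TACACS+ body obfuscation (constructed example)."""
import hashlib
import struct


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS (RFC 2865 section 5.2): only User-Password is hidden -------------

def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad with NULs to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), chained off the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse; the NUL padding is stripped afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + xor_bytes(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def radius_access_request(identifier: int, username: bytes, password: bytes,
                          secret: bytes, request_auth: bytes) -> bytes:
    """Access-Request (Code 1) with User-Name (type 1) and User-Password (type 2).
    Only the password value is hidden; User-Name travels as plaintext."""
    hidden = radius_hide_password(password, secret, request_auth)
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs


# ---- TACACS+ (draft-grant-tacacs-02 / RFC 8907 section 4.5): whole body -----

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """pad_1 = MD5(session_id | key | version | seq_no),
    pad_i = MD5(session_id | key | version | seq_no | pad_{i-1}), truncated to n."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:n]


def tacacs_authen_start(user: bytes, port: bytes = b"", rem_addr: bytes = b"",
                        data: bytes = b"") -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
    authen_service=LOGIN(1), four length bytes, then the variable fields."""
    return (bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def tacacs_packet(version: int, ptype: int, seq_no: int, flags: int,
                  session_id: int, body: bytes, key: bytes) -> bytes:
    """Header is never obfuscated; the body is XORed with the pseudo-pad
    unless TAC_PLUS_UNENCRYPTED_FLAG is set in the header flags."""
    header = HEADER.pack(version, ptype, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + xor_bytes(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body from a packet (XOR with the same pad is its own inverse)."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return xor_bytes(body, tacacs_pseudo_pad(session_id, key, version, seq_no, length))


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))  # constructed values
    pkt = radius_access_request(7, b"alice", b"hunter2", secret, ra)
    print("RADIUS: username visible:", b"alice" in pkt, "password visible:", b"hunter2" in pkt)
    tac = tacacs_packet(0xC0, 1, 1, 0, 0x12345678, tacacs_authen_start(b"alice"), b"constructed-key")
    print("TACACS+: header:", tac[:12].hex(), "username visible:", b"alice" in tac)
```

Sniffing either exchange with the wrong secret yields only the header (TACACS+) or everything but the password (RADIUS); with the right secret both are trivially reversible, which is the practical reason the secret is as sensitive as any password it protects.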

AAA Method Lists

You create a method list by defining a sequential list of the authentication methods you want to use. Method lists let you configure a backup authentication system: your network device tries the first method in the list; if that method returns an error (for example, none of the servers in a configured group responds), the device tries the next method in the list. This continues until a method returns a definitive answer (the user passes or fails) or the list is exhausted, in which case authentication fails. The next method is tried only when the previous one did not respond, never when it actively rejected the user.

NOTE

A FAIL response differs from an ERROR response. FAIL means the method answered and the user did not meet the criteria required to be authenticated; the authentication process stops when FAIL is returned, and no later method in the list is consulted. ERROR means the security server did not respond to the authentication query at all. Because authentication has not actually been attempted, AAA selects the next method in the authentication method list and tries again.
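
An added simulation of the method-list walk described above and in the Authentication section; this is constructed code written for this page, not Cisco IOS code. Each method returns PASS, FAIL or ERROR; PASS and FAIL end the walk, ERROR moves to the next method, an undefined list name falls back to the list named "default", and an exhausted list denies the user. The user databases and the list names ("VTY_DOWN", "REMOTE_ONLY") are invented for the demonstration.

```python
"""Walking an AAA authentication method list (constructed simulation)."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # credentials rejected by a method that answered
    ERROR = "error"  # method could not answer; try the next one


Method = Callable[[str, str], Result]
MethodList = List[Tuple[str, Method]]


def group_server(users: Dict[str, str], reachable: bool) -> Method:
    """Models 'group tacacs+' or 'group radius'. An unreachable server group
    yields ERROR; a reachable one answers PASS or FAIL from its database."""
    def method(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


def local_database(users: Dict[str, str]) -> Method:
    """Models 'local': the device's own user table, which always answers."""
    def method(username: str, password: str) -> Result:
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


def authenticate(lists: Dict[str, MethodList], list_name: str,
                 username: str, password: str) -> Tuple[Result, List[str]]:
    """Walk the named method list (or 'default' when the name is not defined).
    Returns the outcome and the names of the methods that were consulted."""
    methods = lists.get(list_name, lists["default"])
    consulted: List[str] = []
    for name, method in methods:
        consulted.append(name)
        outcome = method(username, password)
        if outcome is not Result.ERROR:
            return outcome, consulted      # definitive answer: stop here
    return Result.FAIL, consulted          # list exhausted: deny


def build_demo_lists() -> Dict[str, MethodList]:
    """Constructed configuration in the spirit of
    'aaa authentication login default group tacacs+ local'."""
    remote = {"alice": "s3cret"}   # what the TACACS+ server knows
    local = {"admin": "fallback"}  # what the device itself knows
    return {
        "default": [("group tacacs+", group_server(remote, True)),
                    ("local", local_database(local))],
        "VTY_DOWN": [("group tacacs+", group_server(remote, False)),
                     ("local", local_database(local))],
        "REMOTE_ONLY": [("group tacacs+", group_server(remote, False))],
    }


if __name__ == "__main__":
    lists = build_demo_lists()
    for list_name, user, pw in [("default", "alice", "s3cret"),
                                ("default", "admin", "fallback"),
                                ("VTY_DOWN", "admin", "fallback"),
                                ("REMOTE_ONLY", "alice", "s3cret"),
                                ("NOT_DEFINED", "alice", "s3cret")]:
        outcome, consulted = authenticate(lists, list_name, user, pw)
        print(f"{list_name:12} {user:6} -> {outcome.value:5} via {consulted}")
```

The second scenario is the one administrators most often get wrong: with the server reachable, the local "admin" account is never consulted, because the server's FAIL is definitive. The local entry only matters when the server group returns ERROR, as in the "VTY_DOWN" list; and a list with no local fallback ("REMOTE_ONLY") locks everyone out while the server is down.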
