Authentication, Authorization, and Accounting (AAA)
Module 7: Authentication, Authorization, and Accounting (AAA)
Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: Authentication, Authorization, and Accounting (AAA)
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
AAA Characteristics
Authentication without AAA
The simplest method of remote access authentication is to configure a login and password combination on the console, vty lines, and aux ports, as shown in the figure.
AAA Characteristics
AAA Components
Network and administrative AAA security in the Cisco environment has three functional components:
• Authentication - Users and administrators must prove their identity before accessing the network and network resources. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. For example: “I am user ‘student’ and I know the password to prove it.”
• Accounting and auditing - Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is "User 'student' accessed host serverXYZ using SSH for 15 minutes."
AAA Characteristics
Authentication Modes
Cisco provides two common methods of implementing AAA services: local AAA authentication, which checks credentials against the device's local username database, and server-based AAA authentication, which queries a TACACS+ or RADIUS server.
AAA Characteristics
Authorization
After users are successfully authenticated against the selected AAA data source, either local or server-based, they are then authorized for specific network resources, as shown in the figure.
AAA Characteristics
Accounting
Accounting is implemented using a AAA server. This service reports usage statistics back to the ACS server. These statistics can be extracted to create detailed reports about the configuration of the network.
Configure Local AAA Authentication
Authenticate Administrative Access
The Local AAA Authentication method is similar to using the login local command, with one exception: AAA also provides a way to configure backup methods of authentication.
Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.
Parameter            Description
default              Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
list-name            Character string used to name the list of authentication methods activated when a user logs in.
method1...[method4]  Identifies the list of methods that the AAA authentication process will query in the given sequence. At least one method must be specified. A maximum of four methods may be specified.
Configure Local AAA Authentication
Authentication Methods (Cont.)
Up to four methods can be defined to authenticate users, providing fallback methods should one method not be available. To enable local authentication using a preconfigured local database, use the keyword local or local-case. To specify that a user can authenticate using the enable password, use the enable keyword.
The table displays common methods that can be specified.
The named list must be explicitly enabled on the line using the login authentication line configuration command. If a line has a custom authentication method list applied to it, that method list overrides the default method list for that interface.
When a custom authentication method list is applied to an interface, it is possible to return to the default method list by using the no authentication login command.
Configure Local AAA Authentication
Fine-Tuning the Authentication Configuration
Additional security can be implemented on the line using the aaa local authentication attempts max-fail global configuration mode command. This command secures AAA user accounts by locking out accounts that have excessive failed attempts.
Parameter                        Description
number-of-unsuccessful-attempts  Number of unsuccessful authentication attempts before a connection is dropped and the user account is locked.
The locked out user account remains locked until it is manually cleared by an administrator using the clear aaa local user lockout privileged EXEC mode command.
To display the attributes that are collected for one AAA session, use the show aaa user command in privileged EXEC mode.
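The four local AAA steps, the default and named method lists with their line bindings, and the lockout command from this section, combined into one configuration as an added example (not a configuration from the course material). The usernames, secrets, list name, and lockout threshold are constructed placeholders.

```cisco
! Step 1: local accounts for administrators (constructed placeholder credentials)
username admin01 privilege 15 secret <STRONG-SECRET-1>
username student secret <STRONG-SECRET-2>
!
! Step 2: enable AAA globally; all other aaa commands depend on this
aaa new-model
!
! Step 3: method lists. The default list checks the case-sensitive local
! database first; the enable secret is consulted only as a fallback method
! should the first method not be available.
aaa authentication login default local-case enable
! A named list for the console that uses only the local database.
aaa authentication login CONSOLE-LIST local-case
!
! Lock an account after 5 consecutive failed attempts. The lock stays in
! place until an administrator clears it (see the EXEC commands below).
aaa local authentication attempts max-fail 5
!
! Bind the lists to the lines. A named list on a line overrides the
! default list for that line; "no login authentication" returns the line
! to the default list.
line console 0
 login authentication CONSOLE-LIST
line vty 0 4
 login authentication default
!
! Step 4: verification and recovery, run from privileged EXEC mode:
!   show aaa user all
!   show aaa local user lockout
!   clear aaa local user lockout username student
```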
Server-Based AAA Characteristics and Protocols
Compare Local AAA and Server-Based AAA Implementations
One or more AAA servers can be used to manage the user and administrative access needs for an entire corporate network. AAA server software can create a central user and administrative access database to which all devices in the network can refer. It may also work with many external databases, including Active Directory and Lightweight Directory Access Protocol (LDAP). These databases store user account information and passwords, allowing for central administration of user accounts. For increased redundancy, multiple servers can be implemented.
Cisco Identity Services Engine (ISE) is an identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. Cisco ISE combines policy definition, control, and reporting in one appliance. Cisco ISE defines fair access policies and enforces compliance for all end devices including BYOD.
Server-Based AAA Characteristics and Protocols
The TACACS+ and RADIUS Protocols
TACACS+ and RADIUS are both authentication protocols that are used to communicate with AAA servers. As shown in the table, each supports different capabilities and functionality.
Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation.
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.
Standard
  TACACS+: Mostly Cisco supported.
  RADIUS: Open/RFC standard.
Transport Protocol
  TACACS+: TCP.
  RADIUS: UDP.
CHAP
  TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP).
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client.
Confidentiality
  TACACS+: Entire packet encrypted.
  RADIUS: Password encrypted.
Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis.
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis.
Accounting
  TACACS+: Limited.
  RADIUS: Extensive.
Server-Based AAA Characteristics and Protocols
RADIUS Authentication
• RADIUS is an open IETF standard AAA protocol for applications such as network access or IP mobility. RADIUS works in both local and roaming situations and is commonly used for accounting purposes.
Configure Server-Based Authentication
Steps to Configure Server-Based AAA Authentication
Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
Step 2. Specify the server that will provide AAA services for the router. This can be a TACACS+ or RADIUS server.
Step 3. Configure the encryption key needed to encrypt the data transfer between the network device and AAA server.
Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.
Configure Server-Based Authentication
Authenticate to the AAA Server Configuration Commands (Cont.)
To configure a method list for the default login to authenticate first using a TACACS+ server, second with a RADIUS server, and finally with a local username database, specify the order with the aaa authentication login default command, as highlighted in the example.
Another important aspect of authorization is the ability to control user access to specific services.
By default, TACACS+ establishes a new TCP session for every authorization request, which can lead to delays when users enter commands. To improve performance, AAA supports persistent TCP sessions that are configured with the single-connection tacacs server configuration mode command.
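The four server-based authentication steps, the TACACS+ then RADIUS then local default login list, and the single-connection option, combined into one configuration as an added example (not a configuration from the course material). Server names, the 192.0.2.0/24 documentation addresses, the shared keys, and the local account are constructed placeholders.

```cisco
! Step 1: enable AAA globally (prerequisite for every other aaa command)
aaa new-model
!
! Steps 2 and 3: define each server and the shared key that protects the
! exchange between the router and that server. Addresses and keys are
! constructed placeholders; the key must match the one configured on the server.
tacacs server TACACS-SRV1
 address ipv4 192.0.2.10
 key <TACACS-SHARED-SECRET>
 ! reuse one TCP session instead of opening a new one per authorization request
 single-connection
!
radius server RADIUS-SRV1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
! Step 4: default login list, queried in order: TACACS+ group first, RADIUS
! group second, local database last. A later method is a fallback for when
! an earlier one is not available (for example, both servers unreachable).
aaa authentication login default group tacacs+ group radius local
!
! Keep at least one local administrator so the local fallback is usable
! when the servers are down (constructed placeholder credentials).
username admin01 privilege 15 secret <STRONG-SECRET>
!
line vty 0 4
 login authentication default
```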
Configure Server-Based Authorization and Accounting
AAA Authorization Configuration
To configure authorization, use the aaa authorization command, as shown in the examples below. The authorization type can specify the types of commands or services:
• Each session that is established through Cisco Secure ACS can be fully accounted for and stored on the server.
• Like authentication and authorization method lists, method lists for accounting define the way accounting is performed and the sequence in which these methods are performed. After it is enabled, the default accounting method list is automatically applied to all interfaces, except those that have a user-defined, or custom, accounting method list that has been explicitly defined.
Configure Server-Based Authorization and Accounting
AAA Accounting Configuration
To configure AAA accounting, use the aaa accounting command that is shown in the figure.
The following three parameters are commonly used aaa accounting keywords:
• network - Runs accounting for all network-related service requests, including PPP.
• exec - Runs accounting for the EXEC shell session.
• connection - Runs accounting on all outbound connections such as SSH and Telnet.
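The aaa authorization command from the authorization section and the aaa accounting command with the network, exec, and connection keywords from this section, shown together as an added example (not a configuration from the course material). It assumes aaa new-model and the TACACS+ and RADIUS servers are already configured; the privilege level and method choices are constructed examples.

```cisco
! Authorization: the TACACS+ server decides; the local database is the
! fallback method when the server is not available.
!
! EXEC: may this user get a shell, and at which privilege level?
aaa authorization exec default group tacacs+ local
! Per-command authorization for privilege 15 commands. Only TACACS+ can
! authorize router commands per user or per group (see the protocol table).
aaa authorization commands 15 default group tacacs+ local
! Network services such as PPP are authorized by RADIUS here
aaa authorization network default group radius
!
! Accounting: start-stop sends a record when a session starts and another
! when it ends, so the server can report who did what and for how long.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group tacacs+
!
! The default lists above apply to every line and interface unless a
! line carries its own named list. Verify from privileged EXEC with:
!   show aaa user all
```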
7.6 Authentication, Authorization, and Accounting (AAA) Summary
Authentication, Authorization, and Accounting (AAA) Summary
What Did I Learn in this Module? (Cont.)
• There are four basic steps to configuring AAA server-based authentication: (1) globally enable AAA on the device; (2) specify the AAA server IP address and protocol; (3) specify the matching encryption key that will be used by the network device and AAA server; and (4) specify the AAA server or servers in the method lists.
• The type of authorization is configured with the aaa authorization command.
• The type of accounting is configured with the aaa accounting command.