Understanding AAA

Share on:

The wonderful AAA which in the Cisco world means, Authentication, Authorization, and Accounting but what does that really mean? In today's post that's what we are going to be talking about. What is AAA and what are the benefits of using it along with what is it? The first "A" of AAA is Authentication which provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption. The second "A" of AAA is Authorization which provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet. The third and last "A" of AAA is Accounting which provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. In a real world scenario I like to think of AAA has a police officer or a security guard that is blocking access to a building, they first want to make sure that they know who you are and you give the correct credentials that prove to them you are who you say you are. Once they have verified who you are they will want to check if you are authorized to enter the blocked building once they have approved you to have access they will be able to track or keep a record that you accessed the building. That is the same type of idea that the router or switch will do. Months ago I talked about TACACS Plus and RADIUS these are both used to control access to the network. (See the post TACACS Plus and RADIUS) You could say these services are the security guards or police officers. By using AAA it provides the following benefits:

  • Increased flexibility and control of access configuration
  • Scalability
  • Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
  • Multiple backup systems

When you apply AAA to a network you now have full control of each network device that supports AAA. The user database is stored on the RADIUS or TACACS+ server, so instead of configuring and putting passwords and usernames for each network device once you configure a username and password on a AAA server it now can get access to each network resource. You can also give that user certain privileges by specifying if that user can access that device. AAA is like Active Directory in the Windows Server environment. You can do a lot of configuration and really lock down your network infrastructure. AAA is not just for routers and switches in IT environments. This type of service can be used VPNs and regular users that use network resources. That's what I have for AAA if you want to find more information about it go to Cisco.com and like always I hope this information was informative and if you have an idea for any ICND1 or ICND2 material let me know by issuing a comment below.