Cisco AAA Configuration
The understanding of security is becoming a knowledge requirement for everyone working on networks, from the entry level network associate to the senior level network engineer. This article reviews the function of Authentication, Authorization and Accounting (AAA) security functionality and shows some basic configurations which can be used.
The first thing that must be understood is what each of the different A’s in AAA stands for and how they can improve the security of the network.
Cisco defines Authentication, the first A in AAA, as providing ”the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.” Simply stated, authentication is used to ensure that the person attempting to use the device or service is authorized to use it according to the credentials configured.
Authorization, as defined by Cisco, “provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet.”
Authorization is typically used as the next layer of security on a device. For example, while a specific user may have the permissions to use a device, they may not be allowed to perform service affecting commands like reload, or configure the device at all. Authentication is used to configure the specific actions a user (or group of users) is allowed to perform on a device.
Accounting is the third A, and as Cisco explains, “Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.”
The accounting functionality can be used for a number of different purposes; from a security perspective, it is often used to monitor the specific commands which are performed on the devices. This way, should anyone attempt commands that are not allowed, a record will be created. This functionality can also be used to provide a traceable record of what happened before a specific event. For example, if multiple people were working on a device and then the device became unreachable, the record could be used to track what command was issued at the time the device specifically had problems. As seen in Cisco’s definition, it can also be used for billing purposes to log the amount of packets or traffic forwarded through a device.