
Authentication, Authorization and Accounting

Dipak Trivedi
Overview of AAA
• A network administrator may allow remote users access through public services, depending on the remote-access solution in use.
• The network must be designed to control who is allowed to connect to it, and what they are allowed to do once they are connected.
• The network administrator may find it necessary to configure an accounting system that tracks who logs in, when they log in, and what they do once they have logged in.
• Authentication, Authorization, and Accounting (AAA) security services provide a framework for these kinds of access control and accounting functions.
AAA
• AAA is an architectural framework for configuring three different security features:
• Authentication: The process of validating the claimed identity of an end user.
• Authorization: The act of granting access rights to a user or a group of users.
• Accounting: The methods used to establish who or what performed a given action, such as tracking user connections and logging system users.
Authentication
• The user dials into an access server that is configured with CHAP.
• The access server prompts the user for a name and password.
• The access server authenticates the user's identity by requiring the username and password.
• This process of verification to gain access is called authentication.
• Once successfully authenticated, the user may then be able to execute commands on that server.
Authorization
• The server uses a process called authorization to determine which commands and resources should be made available to that particular user.
• Authorization asks the question, "What privileges does this user have?"

Accounting
• Finally, the number of login attempts, the specific commands entered, and other system events can be logged and time-stamped by the accounting process.
• Accounting asks the questions, "What did this user do, and when was it done?"

Authentication Advantages
• Authentication can be configured without using AAA by configuring a local username and password database. This same local database can then be used to authenticate users.
• AAA has the following advantages when used for authentication:
• AAA provides scalability. Typical AAA configurations rely on a server or group of servers to store usernames and passwords. This means that local databases do not have to be built and updated on every network device and access server in the network.
• AAA supports standardized security protocols, specifically TACACS+, RADIUS, and Kerberos.
• AAA allows for multiple backup systems. For example, an access server can be configured to consult a security server first and a local database second.
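The three AAA functions and the "security server first, local database second" backup arrangement from the last bullet, as an added Python example that is not part of the original slides. The user stores, passwords, privilege levels and command table are constructed sample data, and the fallback rule it implements (move to the next method only when the current one is unreachable, never after a definite reject) is how AAA method lists behave on Cisco IOS, so a rejection by the central server cannot push a login onto the weaker local database.

```python
import hashlib
import hmac
import os
import time

# Added example, not from the original slides. Models authentication with a
# method list, authorization by privilege level, and an accounting log.
# All user records and passwords below are constructed sample data.


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither store keeps clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_record(password: str, privilege: int) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt), "priv": privilege}


class ServerUnreachable(Exception):
    """A method returned ERROR (server down), as opposed to FAIL (bad credentials)."""


class UserStore:
    """One authentication method: the central security server or the local database."""

    def __init__(self, name: str, records: dict, reachable: bool = True):
        self.name, self.records, self.reachable = name, records, reachable

    def authenticate(self, user: str, password: str):
        """Return the privilege level on success, None on FAIL; raise on ERROR."""
        if not self.reachable:
            raise ServerUnreachable(self.name)
        rec = self.records.get(user)
        if rec is None:
            return None
        if hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
            return rec["priv"]
        return None


class AAA:
    def __init__(self, method_list: list, command_levels: dict):
        self.method_list = method_list        # tried in order, e.g. [server, local]
        self.command_levels = command_levels  # command -> privilege level required
        self.accounting = []                  # (timestamp, user, event, detail)

    def _account(self, user: str, event: str, detail: str = "") -> None:
        self.accounting.append((time.time(), user, event, detail))

    def login(self, user: str, password: str):
        """Authentication with method-list fallback.

        The next method is consulted only when the current one is unreachable
        (ERROR). A definite reject (FAIL) ends the attempt, so a rejection by
        the central server never drops the user onto the local database.
        """
        for method in self.method_list:
            try:
                priv = method.authenticate(user, password)
            except ServerUnreachable:
                self._account(user, "method-error", method.name)
                continue
            if priv is None:
                self._account(user, "login-fail", method.name)
                return None
            self._account(user, "login-ok", method.name)
            return {"user": user, "priv": priv}
        self._account(user, "login-fail", "no method reachable")
        return None

    def run(self, session: dict, command: str) -> bool:
        """Authorization (privilege check) plus accounting for one command."""
        needed = self.command_levels.get(command, 15)  # unknown commands need full privilege
        allowed = session["priv"] >= needed
        self._account(session["user"], "command",
                      f"{command} {'permitted' if allowed else 'denied'}")
        return allowed


def build_demo() -> tuple:
    """Constructed stores: 'alice' on the security server, 'admin' only in the local DB."""
    server = UserStore("security-server", {"alice": make_record("correct horse", 1)})
    local = UserStore("local", {"admin": make_record("fallback-pass", 15)})
    return server, local, AAA([server, local], {"show version": 1, "configure terminal": 15})


if __name__ == "__main__":
    server, local, aaa = build_demo()
    session = aaa.login("alice", "correct horse")
    print("alice may 'configure terminal':", aaa.run(session, "configure terminal"))
    server.reachable = False
    print("admin via local fallback:", aaa.login("admin", "fallback-pass"))
    for ts, user, event, detail in aaa.accounting:
        print(f"{ts:.0f} {user:6} {event:13} {detail}")
```

The accounting list answers the slide's "what did this user do and when" question: every login outcome, every method error and every command decision is recorded with a timestamp, including the denied ones.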
Security Protocols
• Hosts use a security protocol to communicate with a specialized security server.
• The security server maintains a password and username database.
• The security server also stores authorization configurations and accounting information.
TACACS+ Overview
• A Cisco-proprietary protocol, TACACS+ is not compatible with TACACS or extended TACACS.
• TACACS+ is a security application used with AAA that provides centralized validation of users attempting to gain access to a network access server.
• TACACS+ uses TCP to communicate between a TACACS+ server and a TACACS+ client.
• TACACS+ separates the functions of authentication, authorization, and accounting.
• Use TACACS+ to take advantage of all of the features supported by AAA.
RADIUS Overview
• The RADIUS protocol was developed by Livingston Enterprises as an authentication and accounting protocol for use with access servers.
• RADIUS is an open standard and typically uses fewer CPU cycles.
• RADIUS is a distributed client/server system used with AAA that secures networks against unauthorized access.
• A central RADIUS server holds all user authentication and network service access information.
• RADIUS uses UDP for communication between a NAS and a RADIUS server.
• RADIUS is less memory intensive than the proprietary TACACS+.
Comparison
RADIUS Request Flow
TACACS+ Request Flow
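The RADIUS request flow between a NAS and a RADIUS server, as an added Python example that is not part of the original slides. It follows the RFC 2865 packet layout: the NAS builds an Access-Request with a random Request Authenticator and the User-Password attribute hidden under the shared secret, the server recovers the password, checks it and answers Access-Accept or Access-Reject with a Response Authenticator, and the NAS verifies that authenticator before trusting the answer. The shared secret, user database and NAS IP address (192.0.2.1, from the documentation range) are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the original slides: RADIUS Access-Request /
# Access-Accept exchange per RFC 2865. Shared secret, user database and
# NAS address are constructed sample values.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # code, identifier, length; then 16-byte authenticator


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the chain input is the previous *hidden* block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the padding (and any genuine trailing NULs)


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def pack(code: int, ident: int, auth: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + auth + body


def unpack(pkt: bytes):
    code, ident, length = HEADER.unpack(pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def build_access_request(ident: int, user: str, password: str, secret: bytes) -> bytes:
    """NAS side: fresh random Request Authenticator, password hidden under it."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]  # constructed NAS address
    return pack(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(pkt: bytes, secret: bytes, userdb: dict) -> bytes:
    """Server side: recover the password, check it, answer with a signed Accept/Reject."""
    code, ident, req_auth, attrs = unpack(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in userdb and hmac.compare_digest(password, userdb[user])
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = []
    auth = response_authenticator(resp_code, ident, req_auth, resp_attrs, secret)
    return pack(resp_code, ident, auth, resp_attrs)


def client_verify(resp: bytes, req: bytes, secret: bytes):
    """NAS side: accept the reply only if identifier and Response Authenticator match."""
    rcode, rid, rauth, rattrs = unpack(resp)
    _, qid, qauth, _ = unpack(req)
    if rid != qid:
        return False, rcode
    expected = response_authenticator(rcode, rid, qauth, rattrs, secret)
    return hmac.compare_digest(rauth, expected), rcode


if __name__ == "__main__":
    secret, db = b"constructed-shared-secret", {"alice": b"correct horse"}
    req = build_access_request(7, "alice", "correct horse", secret)
    print("verified, code:", client_verify(server_handle(req, secret, db), req, secret))
```

Only the User-Password attribute is hidden; the User-Name and every other attribute travel in clear over UDP, and the reply's integrity rests entirely on the MD5-with-shared-secret Response Authenticator, which is why the NAS must check it and why the shared secret needs to be long and unique per NAS.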
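The TACACS+ side of the comparison, as an added Python example that is not part of the original slides. It implements the RFC 8907 packet header, the three separate packet types (authentication, authorization, accounting) that the deck's "separates the functions" bullet refers to, the MD5 pseudo-pad body obfuscation keyed by the shared key, and an authentication START body as the client would send it first over the TCP session. The shared key, session id, username, port and remote address are constructed sample values.

```python
import hashlib
import os
import struct

# Added example, not from the original slides: TACACS+ framing and body
# obfuscation per RFC 8907. Shared key, session id and user details are
# constructed sample values.

VERSION = 0xC0  # major version 0xC, minor version 0 (default)
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3   # the three separate AAA packet types
FLAG_UNENCRYPTED = 0x01                          # debugging only; never in production
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

# Authentication START field values (RFC 8907 section 5.1)
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01, 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: pad_1 = MD5(session_id, key, version, seq_no);
    pad_n = MD5(session_id, key, version, seq_no, pad_{n-1}); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call decrypts because XOR is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, key: bytes,
                 body: bytes, flags: int = 0) -> bytes:
    payload = body if flags & FLAG_UNENCRYPTED else obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(pkt: bytes, key: bytes):
    """Return (type, seq_no, session_id, clear body); raise on framing errors."""
    if len(pkt) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    if version >> 4 != 0xC:
        raise ValueError("unsupported major version")
    body = pkt[HEADER.size:]
    if len(body) != length:
        raise ValueError("body length mismatch")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def authen_start_body(user: str, port: str, rem_addr: str) -> bytes:
    """Authentication START: eight one-byte fields, then the variable-length strings."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def parse_authen_start(body: bytes) -> dict:
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("START body length mismatch")
    fields, i = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[i:i + n]
        i += n
    fields.update(action=action, priv_lvl=priv, authen_type=atype, service=svc)
    return fields


def new_session_id() -> int:
    """RFC 8907 requires an unpredictable session id; it also seeds the pad."""
    return int.from_bytes(os.urandom(4), "big")


if __name__ == "__main__":
    key, sid = b"constructed-key", new_session_id()
    start = build_packet(TYPE_AUTHEN, 1, sid, key, authen_start_body("alice", "tty0", "192.0.2.50"))
    print("wire bytes:", start.hex())
    print("decoded:", parse_authen_start(parse_packet(start, key)[3]))
```

Unlike RADIUS, which hides only the password, TACACS+ obfuscates the whole body, so the username, command strings in authorization packets and accounting records are not readable on the wire; RFC 8907 is explicit that this pad is obfuscation rather than encryption and provides no integrity check, so the TCP session should still be carried over a protected network path.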
Thank You
