An administrator can access a router or other network device through its console port, but that is impractical when the device sits in a remote location, so in practice the device has to be administered remotely.
Remote access is reached over an IP address, and anyone who can reach that address can attempt to log in, so the device must authenticate whoever connects. The management traffic should also be encrypted (for example by using SSH instead of Telnet) so that an eavesdropper cannot capture credentials or other sensitive information. The AAA framework provides the access-control part of this protection: it decides who may log in, what they may do, and records what they did.
AAA (Authentication, Authorization, Accounting) –
AAA is a standards-based framework for controlling who is permitted to use network resources (authentication), what they are authorised to do (authorization), and for recording the actions they perform while accessing the network (accounting).
- Authentication –
The process of verifying that a user who wants to access network resources is who they claim to be, typically by asking for credentials such as a username and password. Authentication is commonly applied to the console port, the AUX port and the vty lines (Telnet/SSH).
The network administrator controls how a user is authenticated. The credentials can be checked against the local database of the device (router) itself, or forwarded to an external server such as a Cisco ACS server, which the device reaches over the RADIUS or TACACS+ protocol. The method to use is specified in an authentication method list, either the default list or a customised named list.
- Authorization –
Authorization enforces policy after a user has been authenticated: once authentication succeeds, authorization determines which resources the user may access and which operations the user may perform.
For example, if a junior network engineer who should not have full access needs to log in to the device, the administrator can create a role-based CLI view that allows only particular commands to be executed by that user, or assign the user a restricted privilege level. An authorization method list specifies where the device obtains the user's authorization information, i.e. from the local database or from the ACS server.
- Accounting –
Accounting provides a means of recording the events performed by a user while accessing network resources, including how long the user was connected to the device. An accounting method list specifies what is to be accounted (for example EXEC sessions or individual commands) and the server to which the accounting records are sent.
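The "view" described under Authorization is a Cisco IOS role-based CLI view. The configuration below is an added example (it is not part of the original article) that creates such a view for a junior engineer who may run show commands and edit interface descriptions, binds a local user to it, and uses local method lists so the user lands in the view at login. The view name JUNIOR-VIEW, the username jengineer and all passwords are assumptions.

```cisco
! Added example, not from the original article. View name JUNIOR-VIEW, user
! jengineer and every password shown here are assumptions.
!
! Prerequisites: AAA must be enabled and an enable secret set, because the
! root view (from which other views are defined) is entered with the enable secret.
Router(config)# aaa new-model
Router(config)# enable secret R00tViewS3cret
Router(config)# end
!
! Enter the root view (prompts for the enable secret), then define the view.
Router# enable view
Password: R00tViewS3cret
Router# configure terminal
Router(config)# parser view JUNIOR-VIEW
Router(config-view)# secret Jun10rV13w
! Allow every 'show' command in EXEC mode.
Router(config-view)# commands exec include all show
! Allow entering configuration mode, but only the interface sub-mode...
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include all interface
! ...and inside an interface only 'description'. Everything not listed is denied.
Router(config-view)# commands interface include description
Router(config-view)# exit
!
! Bind a local user to the view. Login authentication and EXEC authorization
! from the local database are what place the user in the view at login.
Router(config)# username jengineer view JUNIOR-VIEW secret Jun10rPass
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local
Router(config)# end
!
! Verification: from the root view, list the defined views. After logging in
! as jengineer, 'show parser view' reports JUNIOR-VIEW and '?' lists only the
! permitted commands.
Router# show parser view all
```

Keep a second, privileged session open while testing a new view: a mistake in the `commands` statements or in the method lists can lock the account being tested out of the commands it needs.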
AAA implementation: AAA can be implemented using the local database of the device or an external ACS server.
- local database – To implement AAA with the local running configuration of the router or switch, first create the users (with their passwords) for authentication, then assign them privilege levels for authorization.
- ACS server – This is the more common method. An external ACS server (a hardware appliance or software installed in a virtual machine such as VMware) performs AAA, which requires configuration on both the router and the ACS server. The configuration includes defining the server on the router, creating the users on the server, and separate customised method lists for authentication, authorization and accounting.
The client, or Network Access Server (NAS), forwards the authentication request to the ACS server, and the server decides whether the user is allowed to access the network resource based on the credentials the user provided.
Note – If the ACS server becomes unreachable, the router should fall back to its local database. To achieve this, the administrator lists the local database as a backup method after the server group in each method list. Fallback happens only when the server does not respond; a login that the server rejects (wrong credentials) is a final failure, and the next method in the list is not tried.
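The following configuration is an added example (not taken from the original article) that puts the pieces above together on a Cisco IOS router: a local administrator account as backup, a TACACS+ server group pointing at the ACS server (Cisco ACS supports both TACACS+ and RADIUS), default method lists for all three A's with local fallback, a local-only list for the console, and SSH-only vty access. The server address 10.0.0.5, the shared key, the domain name, the server-side user jsmith and all other names and passwords are assumptions.

```cisco
! Added example, not from the original article. Server address, shared key,
! hostnames, usernames and passwords are assumptions; adjust to your environment.
!
! 1. Enable AAA. Without this the legacy line 'login'/'password' commands apply.
aaa new-model
!
! 2. Local database: the backup account used when the ACS server is unreachable.
username admin privilege 15 secret Str0ngLocalPass
!
! 3. External server. Cisco ACS speaks TACACS+ (and RADIUS); TACACS+ is the
!    usual choice for device administration because it can authorise per command.
tacacs server ACS1
 address ipv4 10.0.0.5
 key TacacsSharedKey
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! 4. Method lists. Methods are tried in order; the router moves on to 'local'
!    only if ACS-GROUP does not respond, never when the server rejects a login.
aaa authentication login default group ACS-GROUP local
aaa authentication login CONSOLE local
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! 5. Remote access over SSH only, so credentials are never sent in clear text
!    as they would be with Telnet.
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
!
! 6. Console keeps a local-only list, so an ACS outage cannot lock out the
!    person standing at the device.
line con 0
 login authentication CONSOLE
!
! Verification (privileged EXEC). jsmith is a user defined on the ACS server
! (assumption). Run these before closing the session you configured from.
!   test aaa group ACS-GROUP jsmith UserPass legacy
!   show tacacs
!   debug aaa authentication
```

The order of methods is the whole point of the `Note` above: `group ACS-GROUP local` means the local account is consulted only on a timeout or other error from the server. Writing `local group ACS-GROUP` instead would check the local database first and make the server irrelevant for any username that exists locally.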