AAA (Authentication
, Authorization
, and Accounting
) is a framework that allows access to network resources. User identification is the process of authentication and then what resources access is allowed to the user is decided by the authorization. Accounting is used to determine the usage of network resources.
Introduction to AAA
AAA stands for Authentication, Authorization, and Accounting and it is considered a framework that is used to gain access to the resources of the computer, policy enforcement, service invoicing providing critical information, auditing, and for other purposes like administration of the network and procedures related to the security.
Through this process, online valid and specified users are provided access to the resources of the software and the network.
It is also used to regulate and track the network resources user access in a network i.e. IP based.
Authentication
The procedure of user identification is called authentication
. It is used for verification of the user whether the user is valid or not. The user is provided access to the resources of the network with the help of authentication credentials by comparing credentials with the network database stored credentials information. After acceptance of the authentication, the user is provided with access to the internal resources of the network.
Authorization
Following authentication of the user credentials, Authorization
is the process of determining what a specific user is allowed to access and do in a network. Categorization of the user is done to identify the operation type they will perform like a guest or an administrator.
Accounting
Accounting
is the procedure of assessing the use of resources of the system by the user, which involves data received, data sent, and login and logout time. The procedure of the accounting includes the session statistics and use data of the logout, and it is used for controlling the authorization, charging and consumption of the resources.
AAA Implementation
Local Database
For implementing AAA if we want to utilize the switch or router’s local running configuration, first the user is created for authentication and then the authorization privilege levels are assigned to the users.
ACS Server
This is the commonly used method and it is utilized on the AAA in which ACS(Access Control System
) and router configurations are required. The configuration can involve user creation, Authentication, Authorization, and Accounting customized method list creation. The authentication request is sent by the Network Access Server
(NAS) or client to the ACS server and a decision is taken by the server to allow the network
Benefits of Using a Remote AAA Server over Local AAA Services
- Flexibility and access configuration control are increased.
- Remote AAA server also provides us scalability.
- Authentication is done by standard methods like TACACS+ and RADIUS.
- Setup is easy as TACACS+ and RADIUS are deployed already across the enterprise.
AAA Protocols
For the implementation of AAA Authentication
, Authorization, and Accounting two protocols are used commonly. RADIUS and TACACS+ are the protocols that are open standards and these protocols are used by different vendors to ensure security inside the network
Remote Authentication Dial-In User Service (RADIUS)
Remote Authentication Dial-In User Service is abbreviated as RADIUS and it is one of the networking protocols that operate on the ports UDP 1812 and UDP 1645 by which the centralized AAA management is provided to the users who can connect and utilize the Network Access Server(NAS
) like a router, switch and VPN connector. This client/server software or protocol allows communication between the remote access server and central server for performing remote user’s AAA operations. This protocol works on the application layer and for transport layer protocol either uses UDP or can use TCP.
Terminal Access Controller Access-Control System Plus (TACACS+)
Terminal Access Controller Access-Control System Plus is abbreviated as TACACS and it is one of the remote authentication protocols which enables the communication between the remote access server and the authentication server for validating the access of the user on the network. This protocol allows the client to accept the password and the username and then it can pass the query to the authentication server of the TACACS+.
Conclusion
AAA
stands for Authentication, Authorization, and Accounting and it is considered a framework that is used to gain access to the resources of the computer.- Procedure of user identification is called authentication.
- Authorization is the procedure of determining what is allowed to access and do by the specific user in the network premises.
- Accounting is the procedure of assessing the use of resources of the system by the user.
- Flexibility and Scalability are some of the benefits of using a remote AAA server over local AAA services.
- Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (
TACACS+
) are two AAA protocols. - RADIUS protocol allows communication between the remote access server and central server for performing remote user’s AAA operations.
- TACACS+ is the remote authentication protocol that enables the communication between the remote access server and the authentication server for validating the access of the user on the network.