What is AAA?
Security for user access to the network, and the ability to dynamically define a user's profile to gain access to network resources, is a central concern in a data communication environment. AAA network security services provide the primary framework through which a network administrator sets up access control on a network, a function usually performed by a router or access server. It is strongly recommended that network and administrative access security in the Cisco environment be based on a modular architecture with three functional components: authentication, authorization and accounting.
Authentication: Authentication is the way a user is identified before being allowed access to the network and network services. AAA authentication is configured by defining a named list of authentication methods and then applying that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are tried; it MUST be applied to a specific interface before any of the defined authentication methods will be performed. All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA.
Authorization: Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account lists and profiles, user group support, Telnet, etc. AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared with the information held in a database for that user, and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally on the access server or router, or hosted remotely on a RADIUS or TACACS+ security server. As with authentication, AAA authorization is configured by defining a named list of authorization methods and then applying that list to various interfaces.
Accounting: Accounting provides the method for collecting and sending to the security server the information used for billing, auditing, and reporting: user identities, start and stop times, executed commands, number of packets, and number of bytes. Accounting enables tracking of the services users access and the amount of network resources they consume. With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records. Each accounting record consists of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods and then applying that list to various interfaces.
What is RADIUS?
RADIUS is a protocol used by access servers to provide AAA services. It is a system of distributed security that secures remote access to networks and network services against unauthorized access. RADIUS comprises three components: a protocol with a frame format that runs over User Datagram Protocol (UDP)/IP, a server, and a client.
A network access server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and returning all configuration information necessary for the client to deliver service to the user. The RADIUS servers can act as proxy clients to other kinds of authentication servers.
Authentication and authorization checking are bundled together: when the client device requests authentication from the server, the server replies with both authentication attributes and authorization attributes, and these functions cannot be performed separately. The accounting features of the RADIUS protocol can be used independently of RADIUS authentication or authorization. RADIUS encrypts only the password in the Access-Request packet; the remainder of the packet, including the user name and any other attributes, is sent unencrypted.
What is TACACS+?
TACACS+ stands for Terminal Access Control Access Control Server. TACACS+ is an enhancement of the earlier TACACS protocol. The main goal of TACACS+ is to provide a centralized database against which to perform Authentication, Authorization, and Accounting (AAA).
TACACS+ uses a client/server model. The client queries the server, and the server replies by stating whether the user passed or failed authentication. It is important to note that the client is not the user or the user's machine, but rather the device that is trying to determine whether the user should be allowed into the network (typically a router or a firewall). TACACS+ uses TCP as its transport protocol; the default port is 49. If required, the server can be configured to listen on other ports. TACACS+ is similar to RADIUS (Remote Access Dial In User Server) with a few key differences.
All three AAA functions (authentication, authorization, and accounting) can be used independently. Therefore one method, such as Kerberos, can be used for authentication and a separate method, such as TACACS+, for authorization. While TACACS+ can use usernames and passwords, it can also use other mechanisms, such as one-time passwords, that help prevent attackers from gaining access to the system.
Both TACACS+ and RADIUS use a shared secret key to provide encryption. TACACS+ encrypts the entire packet body, including the user's password, between the client and the server. TACACS+ uses the MD5 hash function in its encryption and decryption algorithm; note that the current TACACS+ specification (RFC 8907) describes this MD5-derived keystream as obfuscation rather than strong encryption, so the shared secret and the transport path between client and server still need protecting.
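The two differences just described, RADIUS hiding only the User-Password attribute while TACACS+ obfuscates the whole packet body with MD5, are modelled below in Python as an added example that is not part of this article. It follows the procedures in RFC 2865 section 5.2 and RFC 8907 section 4.5; the shared secret, Request Authenticator, session id and user data are constructed sample values, and the attribute and body layouts are simplified.

```python
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad User-Password to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the 16-byte Request
    Authenticator. This is the only part of an Access-Request that is hidden."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += xor_bytes(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Constructed attribute list: User-Name (type 1) in clear, User-Password (type 2) hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    return bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden


def tacacs_obfuscate(body: bytes, key: bytes, session_id: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 s4.5: XOR the entire body with a pseudo-pad made of chained
    MD5(session_id + key + version + seq_no [+ previous digest]) blocks.
    XOR is its own inverse, so the same call recovers the body."""
    if len(session_id) != 4:
        raise ValueError("session_id must be 4 bytes")
    hdr = session_id + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(hdr + prev).digest()
        pad += prev
    return xor_bytes(body, pad)
```

Comparing the two outputs on the same user data shows the user name still readable in the RADIUS attribute list but nothing readable in the TACACS+ body, which is why RADIUS attributes other than the password should be treated as cleartext on the wire.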