- "Do I Know This Already?" Quiz
- Authentication, Authorization, and Accounting
- Remote Authentication Dial-In User Service
- Terminal Access Controller Access Control System Plus
- Encryption Technology Overview
- Certificate Enrollment Protocol
- Extensible Authentication Protocol, Protected EAP, and Temporal Key Integrity Protocol
- Virtual Private Dial-Up Networks (VPDN)
- Foundation Summary
- Q & A
- Scenario: Configuring Cisco Routers for IPSec
- Scenario Answers
Authentication, Authorization, and Accounting
Authentication, authorization, and accounting (AAA, pronounced triple A) provides security to Cisco IOS routers and network devices beyond the simple user authentication available on IOS devices.
AAA provides a method to identify which users are logged into a router and each user's authority level. AAA also provides the capability to monitor user activity and provide accounting information.
In today's IP networks, access to network data is available in a variety of methods, including the following:
- PSTN dialup modems
- ISDN dialup
- Internet access through virtual private networks (VPNs)
The AAA model is defined as follows:
- Authentication— Who are you?
- Authorization— What resources are you permitted to use?
- Accounting— What resources were accessed, at what time, by whom, and what commands were issued?
The three phases ensure that legitimate users are permitted access. A remote user must be authenticated before being permitted access to network resources.
Authentication allows the user to submit a username and password and permits challenges and responses. After the user is authenticated, authorization defines what services or resources in the network users are permitted access to. The operations permitted here can include IOS-privileged EXEC commands. For example, a user might type commands but be permitted to use only certain show and debug commands for which the user is authorized.
Accounting allows the network administrator to log and view what was actually performed (for example, if a Cisco router was reloaded or the configuration was changed). Accounting ensures that an audit will enable network administrators to view what was performed and at what time it was performed. Accounting keeps track of the information needed to audit and report network resource usage. This typically includes the username, the start and stop time of login, and the commands typed by the user.
Figure 4-1 displays a typical secure network scenario.
Figure 4-1 Secure Network Access
The users could be dialup users running async (in this case, PSTN) or using ISDN with Point-to-Point Protocol (PPP). The network access server (NAS) ensures that only authenticated users have access to the secure network; it maintains resources and accounting information.
Authorization tells which resources, or host devices, are authorized to be accessed (such as FTP servers). The NAS implements the AAA protocols and also collects data regarding what network resources were accessed. The NAS can also ensure that devices in the secured network require authentication. For example, the users in Figure 4-1 who are accessing Router R1 require a valid username/password pairing to enter any IOS commands.
The following sections further define what authentication, authorization, and accounting are by discussing a common Cisco IOS router example.
Authentication allows administrators to identify who can connect to a router by including the user's username and password. Normally, when a user connects to a router remotely by Telnet, the user must supply only a password, and the administrator has no way of knowing the user's username. You can, however, configure local usernames and passwords on a Cisco IOS router, but this does not scale well and it is not very secure. Configuring a small set of routers with individual usernames and passwords (IOS syntax username username password password) is fine, but doing so for large networks would be a difficult exercise to manage. Centrally locating the usernames and passwords is a better solution because only a few devices need to be updated and maintained. Also, users are not logged, and their configuration changes are not monitored without further configuration changes made on each individual router.
Example 4-1 displays a sample code snippet of a remote user accessing a AAA-configured Cisco router by Telnet.
Example 4-1. Username/Password Pair Entry
Sydney>telnet San-Fran Trying san-fran (10.99.1.1)... Open User Access Verification Username: drewrocks Password: xxxxxxxx San-Fran>
As you can see in Example 4-1, the user must enter a valid username and password to gain access to the router. Typically, a database containing the valid usernames resides locally on the router or on a remote security server.
Authorization comes into play after authentication. Authorization allows administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS allows certain access levels (called privilege levels) that control which IOS commands the user can issue. For example, a user with a privilege level of 0 cannot issue many IOS commands. There are five commands at privilege level 0: disable, enable, exit, help, and logout. A user with a privilege level of 15 can perform all valid IOS commands. The local database or remote security server can grant the required privilege levels.
Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user. AAA authorization assembles a set of attributes that describes what the user is authorized to perform. These attributes are compared with the information contained in a database for a given user, and the result is returned to AAA to determine the user's actual permissions and restrictions.
The higher the privilege, the more capabilities a user has with the IOS command set.
Accounting occurs after authentication and authorization have been completed. Accounting allows administrators to collect information about users. Specifically, administrators can track which user logged into which router, which IOS commands a user issued, and how many bytes were transferred during a user's session. For example, accounting enables administrators to monitor which routers have had their configurations changed. Accounting information can be collected by a remote security server.
To display local account information on a Cisco router collecting accounting information, issue the show accounting IOS command. Example 4-2 displays sample output when the command is issued on Router R1. (Note that for Cisco IOS 12.2T and higher, the command has changed to show aaa user all.)
Example 4-2. show accounting Command
R1#show accounting Active Accounted actions on Interface Serial0:1, User jdoe Priv 1 Task ID 15, Network Accounting record, 00:00:18 Elapsed task_id=15 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 protocol=ip addr=18.104.22.168 mlp-sess-id=1 Overall Accounting Traffic Starts Stops Updates Active Drops Exec 0 0 0 0 0 Network 8 4 0 4 0 Connect 0 0 0 0 0 Command 0 0 0 0 0 Rsrc-mgmt 1 0 0 1 0 System 0 0 0 0 0 User creates:21, frees:9, Acctinfo mallocs:15, frees:6 Users freed with accounting unaccounted for:0 Queue length:0
Table 4-1 describes the fields contained in Example 4-2.
Table 4-1. show accounting Fields
The user's ID
The user's privilege level (0-15)
Each accounting session's unique identifier
Type of accounting session
Length of time (hh:mm:ss) for this session type
Rather than maintain a separate database with usernames, passwords, and privilege levels, you can use external security servers to run external security protocols—namely RADIUS and TACACS.
These security server protocols stop unauthorized access to your network. The following sections review these two security protocols.