Definition of AAA
The best way to understand AAA is to look at the three components individually. Each is
distinct and has its own responsibility. AAA is now integrated into nearly every situation that
requires access control. Access control can be applied to users, hosts on a network (such as
servers and workstations), networking components (such as routers, switches, VPN
appliances, and firewalls), and other automated devices that require access and that perform
a function. This chapter discusses AAA as it pertains to a user, but you will see how the
principles can apply to many automated functions. The three components of AAA are as
follows:
■ Authentication—The process of validating an identity. The identity that is being
validated could be a user, a computer, a networking component, and so on.
Authentication is by far the most important step. No access is granted until the requestor
has been authenticated. There are three layers of user authentication:
— What the user knows—This normally is a user password or passphrase.
— What a user has—This normally is a user token or badge issued to the user
by whoever has authority over what the user is attempting to access.
— What a user is—This area includes biometrics, such as checking the user’s
fingerprint or retinal scan against a stored image in the database.
Many organizations do not incorporate all three layers of authentication;
however, it is very common to use a minimum of two layers at one time.
■ Authorization—After the user has been authenticated, he or she is granted access rights
to perform specific functions.
518 Chapter 17: Overview of AAA and the Cisco Security Appliance
■ Accounting—After the user is granted access, the accounting function tracks what tasks
the user performs and saves that information in a log that can be reviewed later.
Accountability of users and their actions is an issue that is becoming increasingly
important in the security of enterprise networks.
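The following is an added example, not code from the book, that models the three components just described as one request pipeline: authentication must succeed on at least two of the three layers (what the user knows, has, and is) before anything else happens, authorization is then checked against a per-user list of permitted functions, and every outcome, including denials, is written to an accounting log. The user directory, salt, token values and function names are constructed for illustration.

```python
import hashlib
import hmal if False else None  # placeholder removed below
```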
The three functions of AAA can be performed by a single server or can be divided among
several servers. Most large enterprise networks create a hierarchy of AAA servers, with the
lower-level servers tending to user functions and the upper-level servers working as a central
point for updating and distributing user information.