AAA Concepts
AAA is an architectural framework for providing the independent but related
functions of authentication, authorization, and accounting, which are defined as
follows:
Authentication is the process of identifying and validating a user before
allowing access to network devices and services. User identification and
authentication are critical for the accuracy of the authorization and
accounting functions.
Authorization is the process of determining a user's privileges and access
rights after they have been authenticated.
Accounting is the process of recording user activities for accountability,
billing, auditing, or reporting purposes.
The AAA framework typically consists of a client and a server. The AAA
client (typically a router, NAS, or firewall) requests authentication, authorization,
and/or accounting services from an AAA server (typically a UNIX or Windows
server with appropriate software) that either maintains databases containing the
relevant AAA information locally or communicates with an external database that
contains the information. Examples of external databases are a Windows NT
domain, Active Directory, LDAP, an SQL Server database, and the UNIX password
database. Here are some typical situations in which using an AAA
framework would be effective:
www.syngress.com
To provide centralized authentication for the administration of a large
number of firewalls. An example is a small to medium-sized business that has a
relatively high ratio of firewalls to security administrators. Centralized
authentication would ease the administrative burden, but because the number of
administrators is low, centralized authorization and accounting might not be
beneficial.
To provide flexible authorization capabilities. An example is a global
enterprise that has a large number of firewalls and many administrators.
Administrative duties might be divided along operational and configuration
lines, such that the implementation of centralized authorization would be an
effective addition to centralized authentication.
To provide relevant usage or reporting information. An example is a service
provider that charges customers based on network usage statistics. In this case,
centralized authentication and authorization would be an effective means of
supporting firewall administration, while centralized accounting would provide
the business with network usage information for billing.
Examples of AAA occur in everyday life outside of computers and Cisco
devices. For example, when you go to an automatic teller machine (ATM) to
withdraw money, you must first insert your bankcard and enter your personal
identification number (PIN). At this point, you are authenticating yourself as
someone who has the authority to withdraw money from this account. If your
card and PIN are both valid, you will successfully authenticate and can continue
the task of withdrawing money. If you have entered an incorrect PIN, or your
card has been damaged (or stolen) and the credentials cannot be validated, you
will not be able to continue. Once authenticated, you will be allowed to perform
certain actions, such as withdrawing, depositing, or checking your balance on
various accounts. Based on your identity (your bank card and your PIN), you have
been pre-authorized to perform certain functions, such as withdrawing your
hard-earned money. Finally, once you complete the tasks you are authorized to
perform, you will be provided with a receipt detailing your transactions as well
as the remaining balance in your account. The bank will also log your
transactions (probably more verbosely than what is on your statement) for
accounting purposes.
Authentication, Authorization, and Accounting • Chapter 5 219
Now let's look at an example of the above concept applied to a Web site. In
Figure 5.1, Client A is attempting to access the Web site www.syngress.com. In
order to achieve this goal, Client A must first connect to its local Internet
service provider (ISP) to gain access to the Internet. When Client A connects to
the ISP, it is prompted for a set of logon credentials (authentication) by the
network access server, or NAS, before it can actually access the Internet.
A NAS is a device that provides access to a target network (for example, an
intranet or corporate network) and usually has an interface connected to the
target network and one or more interfaces connected to an external network (such
as the Internet or the public switched telephone network, or PSTN). It receives
connections from clients on the external interface and provides access to the
target network. A security server is typically a device such as a Windows NT or
UNIX server that is running TACACS+, RADIUS, or another service that
enforces security. In Figure 5.1, the AAA server is an example of a security server.
Once the client has entered its credentials and the AAA server has validated
them, if the security policy permits it to use the Internet (authorization), it can
now connect to the desired Web site (www.syngress.com). As a policy, the ISP has
decided to log all customer connections to the AAA server (accounting). This
example illustrates all three elements of AAA: authentication, authorization, and
accounting.
Figure 5.1 Implementation of AAA at an ISP
[Figure: dial-in Clients A, B, and C connect through modems over the PSTN to the
ISP's Network Access Server; the ISP intranet contains the AAA Server, DNS Server,
Database Server, and a Default Gateway/Firewall leading to the Internet.]
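The Figure 5.1 exchange modeled in code, as an added example that is not from the book: the NAS acts as the AAA client and only forwards credentials, while the AAA server authenticates against a local (salted, hashed) user database, authorizes against a per-user service policy, and appends an accounting record for every outcome, including failures. The class names AAAServer and NAS, the "internet" service name, and the record layout are assumptions made for this example.

```python
# Added example (not the book's code): minimal model of the three AAA functions
# split between a NAS (the AAA client) and an AAA server with a local user database.
import hashlib, hmac, os, time
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the local database never stores cleartext passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class AAAServer:
    users: dict = field(default_factory=dict)       # name -> (salt, hash)
    policy: dict = field(default_factory=dict)      # name -> set of allowed services
    accounting: list = field(default_factory=list)  # accounting records, oldest first

    def add_user(self, name, password, services):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt))
        self.policy[name] = set(services)

    def authenticate(self, name, password) -> bool:
        # Unknown users still go through a hash and a constant-time compare so
        # the response time does not reveal whether the account exists.
        salt, stored = self.users.get(name, (b"\0" * 16, b"\0" * 32))
        return hmac.compare_digest(_hash(password, salt), stored) and name in self.users

    def authorize(self, name, service) -> bool:
        # Authorization is decided only after a successful authentication
        return service in self.policy.get(name, set())

    def account(self, name, event, **detail):
        self.accounting.append({"user": name, "event": event, "time": time.time(), **detail})

@dataclass
class NAS:
    """The AAA client: it relays the dial-in user's credentials; it holds none itself."""
    server: AAAServer

    def session(self, name, password, service, bytes_used=0):
        if not self.server.authenticate(name, password):
            self.server.account(name, "auth-fail")
            return "authentication failed"
        if not self.server.authorize(name, service):
            self.server.account(name, "authz-deny", service=service)
            return f"not authorized for {service}"
        self.server.account(name, "start", service=service)
        # ... client traffic flows through the NAS to the target network ...
        self.server.account(name, "stop", service=service, bytes=bytes_used)
        return "ok"
```

The accounting list shows why failed attempts are logged too: a run of "auth-fail" records for one user is the kind of signal an operator would want to see, not just the billing "start"/"stop" pairs.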
NOTE
Do not be confused about AAA terminology. In the example shown in
Figure 5.1, the AAA client is the NAS, not the PCs that are dialing up
through modems.
The use of user-level security is becoming more popular. This type of
security enables us to develop and enforce policies on a per-user basis. Seldom is
a system intended to be accessible to all people or to no people. Generally, you
want to provide access to some people and not to others. For example, a server
holding sensitive salary information should be accessible to certain members of
the Human Resources department and no one else. How do you verify that the
person accessing the data is authorized to do so? This granular level of control
based on user or group name is possible using authentication, authorization,
and accounting (AAA). In this chapter, you will learn how to use and configure
AAA on the Cisco PIX firewall. You will also learn about the RADIUS and
TACACS+ security protocols and the advantages and disadvantages of using
each one.
The PIX firewall is capable of acting as an AAA client. The PIX can provide
AAA functionality for administrative access to the firewall itself, as well as for
traffic passing through the firewall. In this chapter, you will learn how to use
this functionality with Cisco Secure Access Control Server for Windows, Cisco's
AAA server.