
AAA Basics (Part 1 of 2) – Introduction

November 22, 2011

Prerequisite knowledge: CCNA level

AAA is a widely used framework for controlling and recording access to systems, network devices in particular. AAA isn't a technology or a product; it is a model made up of three parts:

  • Authentication: A security system isn't worth its weight in dust if it can't establish who is accessing it. A user presents credentials, most commonly a username and password, and the system decides whether they are genuine.
  • Authorization: Once the user is in, what are they allowed to do? Are they allowed only to run show commands, do they have access to every command on the system, or something in between?
  • Accounting: While the first two A's decide what someone is permitted to do, accounting records what that user actually does. Picture it as a security camera: it won't physically stop you from doing anything, but the record is invaluable when an event needs investigating.

AAA is an industry-standard concept. As with most things in the computer industry, there are several components involved.

Authentication cannot happen without a database of usernames and passwords. This database can be stored locally on the device or centrally on a server. The device asking the question, for example a router, is the network access server (NAS); the server holding the credentials is the AAA server. The two talk over one of two protocols. RADIUS is an industry-standard protocol defined by the IETF (RFC 2865), so a NAS from any vendor can interoperate with any RADIUS server. Cisco's proprietary alternative to RADIUS is TACACS+. Implementing both is covered in this tutorial. An important point is that RADIUS and TACACS+ aren't products themselves; they are the protocols that carry the conversation between a device and an authentication server. Cisco's server product is Cisco ACS, which speaks both protocols. On the Microsoft side, Active Directory is the very popular credential store, but it does not speak RADIUS itself; Windows Server's Network Policy Server (NPS) is the RADIUS front end that authenticates against it. Of the products named here, only Cisco ACS supports TACACS+. Open source alternatives exist as well, such as FreeRADIUS for RADIUS and tac_plus for TACACS+.

Beyond product availability, there are a few differences between RADIUS and TACACS+. Here is a comparison:

  • Transport protocol: RADIUS uses UDP (ports 1812 for authentication and 1813 for accounting; older deployments use 1645/1646) [1]. TACACS+ uses TCP port 49.
  • Encryption: RADIUS hides only the User-Password attribute; the username and every other attribute travel in cleartext. TACACS+ encrypts the entire packet body; only the 12-byte header is cleartext.
  • Authentication and authorization: RADIUS treats them as one exchange (the Access-Accept that answers the authentication also carries the authorization attributes). TACACS+ separates them into distinct exchanges, which gives better flexibility.
  • Protocol support: RADIUS doesn't support AppleTalk Remote Access (ARA), NetBIOS Frame Protocol Control, NASI, or X.25 PAD. TACACS+ supports protocols RADIUS doesn't.
  • Privilege control: RADIUS can only hand the router a privilege level at login (via the cisco-avpair attribute shell:priv-lvl) and has no per-command authorization. TACACS+ authorizes individual commands, granular to the per-group or per-user level.

[1] Because RADIUS runs over UDP, error checking and retransmission are implemented in the RADIUS protocol itself rather than by the transport.
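The encryption row above is the one a practitioner should care about most, and it is easier to see than to describe. The following Python script is an added example, not code from the original post: it builds the attribute section of a RADIUS Access-Request and a TACACS+ authentication START packet for the same login, using the User-Password hiding scheme from RFC 2865 section 5.2 and the TACACS+ MD5 pseudo-pad, then reports which fields a sniffer would still read off the wire. The username, password, shared secret, port name and session values are made-up test data.

```python
import hashlib
import os
import struct

# --- RADIUS (RFC 2865) ---------------------------------------------------
RADIUS_USER_NAME = 1       # attribute type codes
RADIUS_USER_PASSWORD = 2


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad the password to 16-octet blocks, then XOR each
    block with MD5(shared secret + previous block). The first 'previous block' is
    the 16-octet Request Authenticator. Only this attribute is treated this way."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        hidden += prev
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key_block))
        prev = block
    return plain.rstrip(b"\x00")  # strips padding; a password ending in NUL is ambiguous


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; the length octet counts itself."""
    return bytes([attr_type, len(value) + 2]) + value


def radius_access_request_attrs(username, password, secret, authenticator) -> bytes:
    """Attributes of an Access-Request: cleartext User-Name plus hidden User-Password."""
    return (radius_attribute(RADIUS_USER_NAME, username)
            + radius_attribute(RADIUS_USER_PASSWORD,
                               radius_hide_password(password, secret, authenticator)))


# --- TACACS+ -------------------------------------------------------------
TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02   # PAP: password rides in the START packet's data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenated, truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_crypt_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the whole body with the pseudo pad. Symmetric, so it decrypts as well."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start_body(username: bytes, password: bytes, port: bytes = b"tty0",
                             rem_addr: bytes = b"", priv_lvl: int = 1) -> bytes:
    """Authentication START body for a PAP login: 8 fixed octets then the variable fields."""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(username), len(port), len(rem_addr), len(password)])
    return fixed + username + port + rem_addr + password


def tacacs_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-octet cleartext header followed by the encrypted body."""
    flags = 0x00  # TAC_PLUS_UNENCRYPTED_FLAG (0x01) clear, so the body is encrypted
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + tacacs_crypt_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def tacacs_decrypt_packet(packet: bytes, key: bytes) -> bytes:
    """Server side: read the cleartext header, then strip the pad from the body."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    return body if flags & 0x01 else tacacs_crypt_body(body, session_id, key, version, seq_no)


def wire_visibility(username: bytes, password: bytes, secret: bytes,
                    authenticator: bytes = None, session_id: int = None) -> dict:
    """Build one login attempt in each protocol and report which fields stay readable."""
    authenticator = authenticator or os.urandom(16)
    session_id = session_id if session_id is not None else int.from_bytes(os.urandom(4), "big")
    radius = radius_access_request_attrs(username, password, secret, authenticator)
    tacacs = tacacs_packet(tacacs_authen_start_body(username, password), session_id, secret)
    return {"radius_username_visible": username in radius,
            "radius_password_visible": password in radius,
            "tacacs_username_visible": username in tacacs,
            "tacacs_password_visible": password in tacacs}


if __name__ == "__main__":
    # constructed test values, not real credentials
    print(wire_visibility(b"alice", b"correct horse battery", b"s3cret"))
```

The output shows the username in the clear for RADIUS and nothing readable for TACACS+. Keep the caveat in mind that neither scheme is strong cryptography: both are an XOR against an MD5 keystream derived from the shared secret, so a captured packet gives an attacker an offline guessing target for that secret. If the AAA traffic crosses anything but a trusted management network, carry it inside IPsec.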

This tutorial will show you how to get either one working with a Cisco router for authentication. Keep an eye out for future posts on authorization and accounting.

Continue to Implementing local, RADIUS, and TACACS+ authentication


From → Tutorial
