1
Configuring AAA
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It can provide the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants different users different rights and controls their access to resources and
services. For example, a user who has successfully logged in to the switch can be granted read and
print permissions to the files on the switch.
• Accounting—Records all user network service usage information, including the service type, start
time, and traffic. The accounting function not only provides the information required for charging,
but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS), which is
also referred to as the access device. The server maintains user information centrally. In an AAA network,
a NAS is a server for users but a client for the AAA servers. See Figure 1.
Figure 1 Network diagram
When a user tries to log in to the NAS, use network resources, or access other networks, the NAS
authenticates the user. The NAS can transparently pass the user's authentication, authorization, and
accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and
a remote server exchange user information between them.
In the network shown in Figure 1, ther
e is a RADIUS server and an HWTACACS server. You can choose
different servers for different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and the RADIUS server for accounting.
You can choose the three security functions provided by AAA as needed. For example, if your company
only wants employees to be authenticated before they access specific resources, configure an
authentication server. If network usage information is needed, you must also configure an accounting
server.
To Next Page
Loading...
Need help?
General