Security
18
System Management Guide
3HE 11018 AAAC TQZZA Edition: 01
3.1 Authentication, Authorization, and
Accounting
This chapter describes authentication, authorization, and accounting (AAA) used to
monitor and control network access on the 7705 SAR. Network security is based on
a multi-step process. The first step, authentication, validates a user’s name and
password. The second step is authorization, which allows the user to access and
execute commands at various command levels based on profiles assigned to the
user.
The third step, accounting, keeps track of the activity of a user who has accessed the
network. The type of accounting information recorded can include a history of the
commands executed, the amount of time spent in the session, the services
accessed, and the data transfer size during the session. The accounting data can
then be used to analyze trends, and also for billing and auditing purposes.
You can configure the 7705 SAR to use local, Remote Authentication Dial In User
Service (RADIUS), or Terminal Access Controller Access Control System Plus
(TACACS+) security to validate users who attempt to access the router by console,
Telnet, SSH, SFTP, SCP, or FTP. You can select the authentication order that
determines the authentication method to try first, second, and third.
The 7705 SAR supports the following security features:
• RADIUS can be used for authentication, authorization, and accounting
• TACACS+ can be used for authentication, authorization, and accounting
• local security can be implemented for authentication and authorization
Figure 1 depicts end-user access requests sent to a RADIUS server. After validating
the user names and passwords, the RADIUS server returns an access accept
message to the users on ALU-1 and ALU-2. The user name and password from
ALU-3 could not be authenticated, thus access was denied.
To Next Page
Loading...
