Configure AAA to secure a network.
AAA refers to Authentication, Authorization, and Accounting in network security.
Authentication: Users must prove their identity to access network resources.
Authorization: After authentication, the system determines what resources and actions are available to the user.
Accounting: Tracks what the user does after authentication, including time spent on resources and the actions performed.
Basic method: username and password on console, vty, and aux ports.
More secure method: SSH (Secure Shell), which requires a username and password and encrypts the whole session, so credentials and commands are not sent in clear text as they are with Telnet.
Authentication: Verifying the identity of users.
Authorization: Determining the level of access for authenticated users.
Accounting: Monitoring the usage of network resources by users.
Local AAA Authentication: Uses a local database for authentication.
Server-Based AAA Authentication: Uses a central AAA server (e.g., TACACS+ or RADIUS) to authenticate users.
Add usernames and passwords to the router’s local database.
Enable AAA globally on the router.
Configure AAA parameters on the router.
Verify and troubleshoot the configuration.
Use the aaa authentication login command to apply authentication to the various lines (console, vty, aux).
Up to four authentication methods can be specified, providing fallback options if one method fails.
Custom (named) authentication lists can be configured with the aaa authentication login command and applied to specific lines with the login authentication command.
Set the maximum number of failed login attempts before a local account is locked with the aaa local authentication attempts max-fail command.
Locked accounts can be viewed with show aaa local user lockout and cleared with clear aaa local user lockout.
Server-based AAA provides central management for users and administrative access across multiple devices.
It works with external databases like Active Directory or LDAP for centralized account management.
TACACS+: Cisco-proprietary, supports separate authentication, authorization, and accounting.
RADIUS: Open IETF standard, combines authentication and authorization into a single process.
A platform that combines policy definition, control, and reporting for end devices, including BYOD (Bring Your Own Device).
Globally enable AAA on the router.
Specify the AAA server (e.g., TACACS+ or RADIUS).
Configure the shared secret key for encrypted communication between the router and AAA server.
Configure the AAA authentication method list to refer to the server.
Ensures users have access to the appropriate functions based on their role.
TACACS+: Separates authentication from authorization, offering more granular control.
RADIUS: Does not separate authentication and authorization.
Tracks the actions performed by users, including session duration and accessed resources.
The aaa accounting command configures accounting for services such as network or exec sessions, and for commands at a given privilege level.
AAA provides a structured framework for managing user access and activity on a network.
Authentication verifies identity.
Authorization controls resource access.
Accounting tracks usage.
Local AAA is suitable for small networks, while Server-Based AAA is ideal for larger, enterprise-level networks.
TACACS+ and RADIUS are the protocols used for communication with AAA servers.
The process for configuring server-based AAA involves enabling AAA, specifying the server, setting encryption keys, and configuring method lists.