What is AAA (Authorization, Authentication and Accounting)

By | June 1, 2013

AAA stands for Authentication, Authorization and Accounting, and is used for network security.

So let us go through each one of them:

Authentication: Authentication answers “Who are you?”. For example, checking a user's username and password.

Authorization: Authorization answers “Are you authorized to access this, and what can you access?”. For example, a network admin will have the privilege/authorization to execute all commands, whereas a network operator will have privilege/authorization for only a few commands.

Accounting: Accounting answers “What did you do, when did you do it, where did you do it, and how long did the activity last?”. For example, we want to track network operators' activities, such as which commands they executed on a router/switch and at what time a network operator logged into the device.

AAA Protocols:

There are two main protocols used in AAA, called TACACS+ and RADIUS.

Terminal Access Controller Access Control System (TACACS+):

TACACS+ is a remote authentication protocol that provides separate authentication, authorization and accounting services. It is used to provide access control for network devices using a centralized authentication server such as Cisco ACS.

It uses TCP port number 49.

Remote Authentication Dial In User Service (RADIUS):

It is a client-server protocol for AAA that runs at the application layer and uses UDP at the transport layer. RADIUS provides centralized authentication, authorization and accounting services.

Implementing AAA:

A Cisco ACS server or engine is used for authentication, authorization and accounting of users logging into a network device.

The process is as under:

  1. User establishes a connection with a network device through telnet or SSH.
  2. Network device prompts user for username and password.
  3. Once the user enters their credentials, the network device passes the same information to the ACS server.
  4. Cisco ACS authenticates the user, and as soon as the user executes any command, the command is authorized against the policy configured for that user. All commands are also logged on the ACS server for that particular device and user in the session.

Configuring AAA:

Before configuring AAA, it is always recommended to create a backup local user in a network device.

Lab_Switch(config)#username admin privilege 15 password cisco

Enable AAA globally on the switch:

Lab_Switch(config)#aaa new-model

Configure the TACACS Servers:

Lab_Switch(config)#tacacs-server host 10.192.168.100 key AcsS3cur3

Configure method lists to instruct the router/switch to use AAA for authentication, authorization and accounting:

Lab_Switch(config)#aaa authentication login default group tacacs+ local
Lab_Switch(config)#aaa authorization exec default group tacacs+ local
Lab_Switch(config)#aaa accounting exec default start-stop group tacacs+
Lab_Switch(config)#aaa accounting commands 1 default start-stop group tacacs+
Lab_Switch(config)#aaa accounting commands 15 default start-stop group tacacs+

Enable AAA on console and VTY lines:

Lab_Switch(config)#line console 0
Lab_Switch(config-line)#authorization commands 1 default
Lab_Switch(config-line)#authorization commands 15 default
Lab_Switch(config-line)#authorization exec default
Lab_Switch(config-line)#accounting commands 1 default
Lab_Switch(config-line)#accounting commands 15 default
Lab_Switch(config-line)#login authentication default

Lab_Switch(config)#line vty 0 15
Lab_Switch(config-line)#authorization commands 1 default
Lab_Switch(config-line)#authorization commands 15 default
Lab_Switch(config-line)#authorization exec default
Lab_Switch(config-line)#accounting commands 1 default
Lab_Switch(config-line)#accounting commands 15 default
Lab_Switch(config-line)#login authentication default
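As an added check (not part of the original post), the following Python script audits a running-config fragment for the AAA settings configured above, including the local fallback and the command accounting lines. The sample config is constructed for the example; the hostname, server IP and key are the page's own lab values, not real infrastructure.

```python
import re

# Constructed running-config fragment modelled on the configuration above.
# It deliberately omits privilege-1 command accounting so one check fails.
SAMPLE_CONFIG = """\
hostname Lab_Switch
username admin privilege 15 secret STRONG_PASSWORD_PLACEHOLDER
aaa new-model
tacacs-server host 10.192.168.100 key AcsS3cur3
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 15
 login authentication default
 authorization exec default
"""

# Each check: (description, regex that must match at least one config line).
CHECKS = [
    ("aaa new-model enabled", r"^aaa new-model$"),
    ("local backup user with privilege 15", r"^username \S+ privilege 15 (secret|password) "),
    ("at least one TACACS+ server with a key", r"^tacacs-server host \S+ .*\bkey \S+"),
    ("login authentication falls back to local", r"^aaa authentication login default group tacacs\+ local$"),
    ("exec authorization falls back to local", r"^aaa authorization exec default group tacacs\+ local$"),
    ("exec accounting start-stop", r"^aaa accounting exec default start-stop group tacacs\+$"),
    ("privilege-15 command accounting", r"^aaa accounting commands 15 default start-stop group tacacs\+$"),
    ("privilege-1 command accounting", r"^aaa accounting commands 1 default start-stop group tacacs\+$"),
]


def audit_aaa(config: str) -> dict:
    """Return {description: True/False} for every check, evaluated over stripped config lines."""
    lines = [ln.strip() for ln in config.splitlines()]
    return {desc: any(re.match(pat, ln) for ln in lines) for desc, pat in CHECKS}


def missing_controls(config: str) -> list:
    """List the descriptions of checks that did not pass, for a quick compliance report."""
    return [desc for desc, ok in audit_aaa(config).items() if not ok]


if __name__ == "__main__":
    for desc, ok in audit_aaa(SAMPLE_CONFIG).items():
        print("PASS" if ok else "FAIL", desc)
```

Run it against `show running-config` output saved to a file to spot devices that lost their `local` fallback or a command accounting line.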

Troubleshooting AAA

To troubleshoot authentication issues, use the command below:

Router1#debug aaa authentication

To troubleshoot authorization issues, use the command below:

Router1#debug aaa authorization

To troubleshoot accounting issues, use the command below:

Router1#debug aaa accounting

2 thoughts on “What is AAA (Authorization, Authentication and Accounting)”

  1. Barry Lopes

    Hello,
    Good Article,
    If possible, could you please explain to me why we need a separate ACS device when all of these functions are possible on a Cisco router?

    1. TechGeek Post author

      Hi Barry,

      Thanks for the comment. Now to your question, a simple example: can a router keep track of the commands that all of your network engineers execute on a particular network device?
