AAA stands for Authentication, Authorization and Accounting and is used for network security.
So let us go through each one of them:
Authentication: Authentication means “Who you are”. For example, checking a user's username and password.
Authorization: Authorization means “Are you authorized to access, and what can you access”. For example, a network admin will have the privilege/authorization to execute all commands, whereas a network operator will have the privilege/authorization for a few commands only.
Accounting: Accounting means “What you did, when you did it, where you did it and how long you did it”. For example, we want to track the network operators' activities, such as which commands they executed on a router/switch and at what time a network operator logged into the device.
There are two main protocols used in AAA, called TACACS+ and RADIUS.
Terminal Access Controller Access Control System (TACACS+):
TACACS+ is a remote authentication protocol which provides separate authentication, authorization and accounting services. It is used to provide access control for network devices using a centralized authentication server such as Cisco ACS.
It uses TCP port number 49.
Remote Authentication Dial In User Service (RADIUS):
It is a client-server protocol for AAA that runs at the application layer and uses UDP at the transport layer. RADIUS provides centralized authentication, authorization and accounting services.
A Cisco ACS server or engine is used to authenticate, authorize and account for users logging into a network device.
The process is as under:
The user establishes a connection with a network device through Telnet or SSH.
The network device prompts the user for a username and password.
Once the user enters their credentials, the network device passes the same information to the ACS server.
Cisco ACS authenticates the user, and as soon as the user executes any command, the command is authorized against the configured policy for that user. All commands are also logged on the ACS server for that particular device and user in the session.
Before configuring AAA, it is always recommended to create a backup local user on the network device, so that you are not locked out if the ACS server becomes unreachable.
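The process above and the backup-user recommendation, as an added Cisco IOS-style configuration example (not from the original post): login, command authorization and command accounting are sent to a TACACS+ group, with a local account as fallback. The server address, shared key and usernames are constructed placeholders.

```cisco
! Added example (not from the original post): Cisco IOS-style AAA configuration
! using TACACS+ for login, command authorization and command accounting, with a
! local user as fallback if the ACS server is unreachable. Server address, key
! and usernames are constructed placeholders.
aaa new-model
!
! Local fallback account: created before AAA is pointed at the server
username backup-admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! Define the TACACS+ server (TCP port 49 is the default)
tacacs server ACS1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Authentication: who you are. Try the ACS group first, then the local database
aaa authentication login default group ACS-GROUP local
! Authorization: what you may do. Shell access and commands are checked against
! the policy on ACS; fall back to the local database if ACS is down
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa authorization config-commands
! Accounting: what you did and when. Log session start/stop and each command
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 1 default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Only allow SSH on the VTY lines and apply the default method lists
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

Before closing your current session, confirm the server is reachable from a second session with `test aaa group ACS-GROUP <user> <password> legacy` and `show tacacs`, so the local fallback is never your only way in.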