Using AAA Security for Networking Equipment
Authentication, Authorization, and Accounting
Distributed security systems that protect networks and network services against unauthorized access are commonly deployed in large enterprises. They provide control over who can connect to the network and what those users are authorized to do, and they maintain an audit trail of user activity.
AAA (Authentication, Authorization, Accounting) protocols such as RADIUS (RFC 2865) and TACACS+, which was developed by Cisco, were created to address these issues. The AAA architecture gives legitimate users the ability to access networked assets while limiting unauthorized access.
Cisco’s Secure ACS application, for example, provides AAA protection for network access using the TACACS+ protocol in many large corporate enterprises today. Let us examine the elements of an AAA security scheme.
Authentication
User ID / password schemes configured directly on network gear provide only a primitive level of security. A limited number of account IDs are configured and managed on each piece of hardware. Any time an account is added, deleted, or changed, each system must be accessed individually, which is costly and creates opportunities for error. In addition, each user has to remember their own ID and password to gain access. With users already overwhelmed by the IDs and passwords in their lives, this can pose a problem. And, since IDs and passwords are sent across the network in the clear, simple tracing equipment can easily capture this information and expose the network to a security risk.
By utilizing an AAA system these problems are eliminated. IDs and passwords are centralized, and existing accounts can be used to access new equipment as the network changes or grows. A defined process for updating existing accounts eliminates errors and frustration for users. Credentials are encrypted between the device and the AAA server rather than sent in the clear, so your accounts are protected from prying eyes.
To ensure that administrators can always log in, redundant primary and secondary authentication servers can also be set up, and the two can be mixed and matched between server types.
Authorization
After authenticating the user, authorization dictates which resources the user is allowed to access and which operations the user is allowed to perform. Profiles such as a full read/write “Administration” user and a read-only “Operator” user can be configured and controlled from the authentication server. This centralized process eliminates the hassle of editing permissions on a “per box” basis.
Accounting
The accounting function of AAA servers provides an audit trail of how each user connected, which IP address they came from, and how long they stayed connected. This lets administrators easily review past security and operational access issues.
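As an added example that is not part of the original article, the following Cisco IOS configuration ties the three functions together on one device: a primary and secondary TACACS+ server, authorization of EXEC sessions and privilege-15 commands, and start-stop accounting, with a local account used only when neither server answers. The server names, the 192.0.2.x addresses and the two secret placeholders are assumptions.

```cisco
! Enable the AAA subsystem (replaces per-device login handling).
aaa new-model
!
! Two TACACS+ servers. The shared key protects the TACACS+ packet body
! in transit, so keep it confidential (SHARED_SECRET is a placeholder).
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key SHARED_SECRET
tacacs server ACS-SECONDARY
 address ipv4 192.0.2.11
 key SHARED_SECRET
!
! Group the servers: the device tries them in order and fails over
! to the secondary when the primary does not respond.
aaa group server tacacs+ ACS
 server name ACS-PRIMARY
 server name ACS-SECONDARY
!
! Authentication: ask the ACS group first; fall back to the local
! database only if no server responds (not if a login is rejected).
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
!
! Authorization: the server returns the EXEC privilege level
! (e.g. 15 for "Administration", 1 for a read-only "Operator")
! and approves or denies each privilege-15 command.
aaa authorization exec default group ACS local
aaa authorization commands 15 default group ACS local
!
! Accounting: record session start/stop and every privilege-15 command
! so the audit trail shows who did what, from where, and for how long.
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
!
! Emergency local account, used only when the AAA servers are unreachable.
username admin privilege 15 secret LOCAL_FALLBACK_SECRET
!
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
 transport input ssh
```

Before closing the console session you applied this from, confirm the servers are reachable with `show tacacs` and open a second SSH session to verify a centralized login, so a mistyped shared key cannot lock you out of the device.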