Authentication
Authorization
Check that the user may access the services he/she requests. The decision is based on rules or logic; the database is checked for user information.
Accounting
Record what the user has done, including time, amount of data, session statistics, resource utilization, etc. Trace the usage of resources.
AAA Architecture
AAA CLIENT
AAA Protocols
AAA configuration (vty)

Specify AAA new model authentication.
host1(config)#aaa new-model

Create an authentication list that specifies the type(s) of authentication methods allowed.
host1(config)#aaa authentication login my_auth_list tacacs+ radius enable

(Optional) Specify the privilege level by defining a method list for enable authentication.
host1(config)#aaa authentication enable default tacacs+ radius enable

(Optional) Enable authorization, and create an authorization method list.
host1(config)#aaa authorization commands 15 boston if-authenticated tacacs+

(Optional) Disable authorization for all Global Configuration commands.
host1(config)#no aaa authorization config-commands

Specify the range of vty lines.
host1(config)#line vty 6 10
host1(config-line)#

(Optional) Apply an authorization list to a line or a range of vty lines.
host1(config-line)#authorization commands 15 boston

Specify the password for the vty lines.
host1(config-line)#password xyz

Apply the authentication list to the vty lines you specified on your router.
host1(config-line)#login authentication my_auth_list
Privilege levels

Privilege Level   Commands available
0                 help, exit, enable and disable
1                 User EXEC commands + level 0
5                 Privileged EXEC, show commands + level 1
10                All except support commands
15                Support + all other commands
RADIUS
RADIUS codes
Code   Assignment
1      Access-Request
2      Access-Accept
3      Access-Reject
4      Accounting-Request
5      Accounting-Response
11     Access-Challenge
RADIUS: Basics
Authentication Data Flow

[Figure: authentication. The user dials into the ISP Modem Pool (the NAS, NAS-ID: 207.12.4.1) with UserID: bob, Password: ge55gep. The NAS forwards the credentials to the RADIUS server, which looks the user up in the ISP User Database (Select UserID=bob) and returns Framed-Address=217.213.21.5, the address the user is given on The Internet.]

[Figure: accounting start. The NAS sends Acct-Status-Type=Start, User-Name=bob, Framed-Address=217.213.21.5 ...; the server returns an Acknowledgement and logs: Sun May 10 20:47:41 1998 Acct-Status-Type=Start User-Name=bob Framed-Address=217.213.21.5 ...]

[Figure: accounting stop. The NAS sends Acct-Status-Type=Stop, User-Name=bob, Acct-Session-Time=1432 ...; the server returns an Acknowledgement and logs: Sun May 10 20:50:49 1998 Acct-Status-Type=Stop User-Name=bob Acct-Session-Time=1432 ...]
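As an added example (not part of the original slides), the Python below decodes a RADIUS packet using the code table above and the attributes from the accounting flow, and verifies the Accounting-Request authenticator against the shared secret, which is the check a RADIUS server performs before trusting an accounting record. The shared secret, packet identifier and the reconstructed Stop record are constructed; the attribute type numbers are taken from RFC 2865/2866.

```python
import hashlib, struct
from ipaddress import IPv4Address

# Packet codes from the RADIUS codes table above.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# AVP types from the slides (RFC 2865/2866; "Framed-Address" is Framed-IP-Address, 8).
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
         40: "Acct-Status-Type", 46: "Acct-Session-Time"}
ACCT_STATUS = {1: "Start", 2: "Stop"}

def decode(packet: bytes) -> dict:
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then AVPs.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    avps, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:      # reject truncated/overlapping AVPs
            raise ValueError("malformed attribute")
        raw = packet[pos + 2:pos + alen]
        if atype in (4, 8):
            value = str(IPv4Address(raw))
        elif atype == 40:
            value = ACCT_STATUS.get(struct.unpack("!I", raw)[0], "?")
        elif atype == 46:
            value = struct.unpack("!I", raw)[0]
        else:
            value = raw.decode("utf-8", "replace")
        avps[ATTRS.get(atype, f"Attr-{atype}")] = value
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "avps": avps}

def acct_request_authenticator(packet: bytes, secret: bytes) -> bytes:
    # RFC 2866: MD5(Code + ID + Length + 16 zero octets + Attributes + shared secret)
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    # Server-side check: only a NAS holding the shared secret can produce this value.
    return acct_request_authenticator(packet, secret) == packet[4:20]

def build_acct_stop(secret: bytes) -> bytes:
    # Constructed Accounting-Request mirroring the 'Stop' record in the slides.
    avp = lambda t, v: bytes([t, len(v) + 2]) + v
    attrs = (avp(40, struct.pack("!I", 2)) + avp(1, b"bob")
             + avp(8, IPv4Address("217.213.21.5").packed)
             + avp(46, struct.pack("!I", 1432)))
    pkt = struct.pack("!BBH", 4, 7, 20 + len(attrs)) + bytes(16) + attrs
    return pkt[:4] + acct_request_authenticator(pkt, secret) + attrs
```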
Diameter
- Reliable transport protocols: TCP or SCTP, not UDP.
- Network or transport layer security (IPsec or TLS); security is no longer accomplished by a mandatory shared secret.
- Better roaming support.
- More easily extended: new commands and attributes can be defined.
- Keep-alive messages are implemented.
- Larger address space for attribute-value pairs (AVPs) and identifiers (32 bits instead of 8 bits).
- Uses EAP for authentication.
RADIUS configuration