
AAA

Authentication, Authorization, Accounting

Authentication

Verify the user is who he/she claims to be.

Authentication techniques:
- ID
- Certificate
- Password
- Public/secret key pair
- May issue an additional challenge

Authorization

Check that the user may access the services he/she wishes. The decision is based on rules or logic; the user database is checked for user information.

Accounting

Record what the user has done, including time, amount of data, session statistics, resource utilization etc. Tracing the usage of resources supports:
- Billing
- Management
- Planning
- Auditing

AAA Architecture

Client and server communicate using any of the AAA protocols.

[Figure: AAA client and AAA server exchanging messages over an AAA protocol]

AAA Protocols
- RADIUS
- Diameter
- TACACS
- TACACS+

Configuring AAA Authentication and Authorization (vty lines)

1. Specify the AAA new-model authentication:
     host1(config)#aaa new-model
2. Create an authentication list that specifies the type(s) of authentication methods allowed:
     host1(config)#aaa authentication login my_auth_list tacacs+ radius enable
3. (Optional) Specify the privilege level by defining a method list for enable authentication:
     host1(config)#aaa authentication enable default tacacs+ radius enable
4. (Optional) Enable authorization and create an authorization method list:
     host1(config)#aaa authorization commands 15 boston if-authenticated tacacs+
5. (Optional) Disable authorization for all global configuration commands:
     host1(config)#no aaa authorization config-commands

Configuring AAA Authentication and Authorization Contd

6. Specify the range of vty lines:
     host1(config)#line vty 6 10
     host1(config-line)#
7. (Optional) Apply an authorization list to a line or a range of vty lines:
     host1(config-line)#authorization commands 15 boston
8. Specify the password for the vty lines:
     host1(config-line)#password xyz
9. Apply the authentication list to the vty lines you specified on your router:
     host1(config-line)#login authentication my_auth_list

Privilege levels

Privilege level | Commands available
0               | help, exit, enable and disable
1               | user EXEC commands + level 0
5               | privileged EXEC, show commands + level 1
10              | all except support commands
15              | support + all other commands

RADIUS

Remote Authentication Dial In User Service

Key features:
- Client/server model
- Network security
- Flexible authentication mechanisms
- Extensible protocol

Transport layer protocol: UDP

RADIUS Authentication and Authorization Flow


RADIUS Packet Format


RADIUS codes

Code | Assignment
1    | Access-Request
2    | Access-Accept
3    | Access-Reject
4    | Accounting-Request
5    | Accounting-Response
11   | Access-Challenge

Attribute Value Pairs (AVP)
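As an added example, not code from the original slides: a minimal parser for the header and AVP layout described above, together with the RFC 2865 Response Authenticator check (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret) that lets a NAS reject a reply not produced by the server holding that secret. The code numbers are the ones in the table above; the shared secret, identifier, request authenticator and the Access-Accept for bob are constructed.

```python
import hashlib
import hmac
import struct

# Code assignments from the RADIUS codes table above (RFC 2865 / RFC 2866).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Attribute Value Pair: Type (1 byte), Length (1 byte, header included), Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte header (Code, Identifier, Length, Authenticator) and the AVP list."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with datagram size")
    attrs, pos = [], 20
    while pos < length:   # reject bad AVP lengths instead of reading past the datagram
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return {"code": code, "name": RADIUS_CODES.get(code, f"Unknown({code})"),
            "id": ident, "authenticator": packet[4:20], "attributes": attrs}

def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Server side: the Authenticator binds the reply to the request and to the shared secret.
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client (NAS) side: trust a reply only if its Authenticator matches our request and secret."""
    p = parse_radius(packet)
    attrs = packet[20:struct.unpack("!H", packet[2:4])[0]]
    expected = response_authenticator(p["code"], p["id"], request_auth, attrs, secret)
    return hmac.compare_digest(expected, p["authenticator"])

# Constructed sample: the Access-Accept for bob from the data-flow slide (secret and ID made up).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # stands in for the random Request Authenticator the NAS sent
ATTRS = avp(1, b"bob") + avp(8, bytes([217, 213, 21, 5]))   # User-Name (1), Framed-IP-Address (8)
ACCEPT = build_response(2, 7, REQUEST_AUTH, ATTRS, SECRET)
```

A reply whose attributes were altered in transit, or that was forged without the secret, fails verify_response even though it parses cleanly.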

RADIUS: Basics
Authentication Data Flow

[Figure: ISP modem pool, ISP RADIUS server, ISP user database, the Internet]

1. The user dials the modem pool and establishes a connection, presenting UserID: bob, Password: ge55gep.
2. The modem pool (NAS-ID: 207.12.4.1) forwards UserID: bob, Password: ge55gep to the ISP RADIUS server.
3. The RADIUS server queries the ISP user database (Select UserID=bob), which returns: Bob, password=ge55gep, Timeout=3600, [other attributes].
4. The RADIUS server replies with Access-Accept: User-Name=bob, Framed-Address=217.213.21.5, [other attributes].
5. Internet PPP connection established.

RADIUS: Basics
Authentication Data Flow: The Accounting Start Record

[Figure: ISP modem pool, ISP RADIUS server, ISP accounting database, the Internet]

1. Internet PPP connection established.
2. The modem pool sends the accounting start record to the ISP RADIUS server: Acct-Status-Type=Start, User-Name=bob, Framed-Address=217.213.21.5, ...
3. The RADIUS server writes the record to the ISP accounting database: Sun May 10 20:47:41 1998 Acct-Status-Type=Start User-Name=bob Framed-Address=217.213.21.5 ...
4. The RADIUS server returns an acknowledgement to the modem pool.

RADIUS: Basics
Authentication Data Flow: The Accounting Stop Record

[Figure: ISP modem pool, ISP RADIUS server, ISP accounting database, the Internet]

1. Internet PPP connection established; the user disconnects.
2. The modem pool sends the accounting stop record to the ISP RADIUS server: Acct-Status-Type=Stop, User-Name=bob, Acct-Session-Time=1432, ...
3. The RADIUS server writes the record to the ISP accounting database: Sun May 10 20:50:49 1998 Acct-Status-Type=Stop User-Name=bob Acct-Session-Time=1432 ...
4. The RADIUS server returns an acknowledgement to the modem pool.

Diameter

- Reliable transport protocols: TCP or SCTP, not UDP.
- Network- or transport-layer security: IPsec or TLS; security is no longer accomplished by a mandatory shared secret.
- Better roaming support.
- More easily extended: new commands and attributes can be defined.
- Keep-alive messages are implemented.
- Larger address space for attribute-value pairs (AVPs) and identifiers (32 bits instead of 8 bits).
- Uses EAP for authentication.

RADIUS configuration
