PyNet Labs- Network Automation Specialists
Black Friday Sale - Up to 30% Off
Hurry Up! It's a Limited Period Offer (T&C Apply)
Black Friday Sale - Up to 30% Off
Hurry Up! It's a Limited Period Offer (T&C Apply)

Authentication, Authorization, and Accounting: An Overview

Last Updated : November 4, 2022
What is AAA in Networking

AAA in networking stands for Authentication, Authorization, and Accounting. It is a set of services that provides more security for accessing network resources. AAA is a requirement, when it comes to network security. In this blog, we will take a look at what is AAA in networking, its commands, protocol, and components.

So, without any further ado, let's start.

What is AAA in Networking?

AAA refers to a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information required to bill for services.

So, here in AAA, we know that every single "A" has its own meaning. Let's take a deep dive into the concept.

Authentication

Authentication refers to authentication, or we can say the verification of the user by having a valid username and password before getting access to any particular service or device.

Authorization

Once the user is authenticated, that user may be authorized for different types of access or activity. Authorization is a process via which we enforce policies for specific users according to the need.

Like here we have -

  • Privileges and restrictions (for specific users)

Accounting

Accounting is defined as keeping track of things done inside the network as the name represents that to keep a log of tracks which can include the total amount of consumed time and data. This information of logs and tracks can be used for audit and reporting.

For example, with accounting, you could get logs and every update when the user logged in and when the user logged out.

NOW, WHY SHOULD WE CARE ABOUT AAA IN NETWORKING?

The answer to this question is simple because AAA is something that is a crucial piece of every infrastructure.

AAA is something through which we can ensure our network is secure by allowing access to specific users with specific policies and complete logs of what user does when they log in upto log out.

AAA Configuration

But before AAA, we also have some terminal lines and password protection,

  1. Console Port - This port is mainly used for local system access, and access can be taken physically via the console terminal.
  2. VTY Lines (Virtual Terminal) - It is used for telnet and SSH configurations.

Now that you have learned What is AAA in Networking, let's move on and understand the components of AAA.

AAA Components

  • Supplicant (End devices which are used for device access like PC, Laptop)
  • Authenticator (Switches, WLAN Controllers these devices don't authenticate, but they simply forward the credential to another device called an authentication server)
  • Authenticate Server (validates the identity of client) - The device that takes user or client credentials and permits or denies network access based on a user database and policies.

These are the three AAA components. Now, it's time to take a look at AAA protocols.

AAA Protocols

  1. TACACS+
  2. RADIUS
TACACS+RADIUS
Cisco proprietary protocol.IETF Open Standard.
Uses TCP port number 49Uses UDP port 1812 for authentication
Majorly used for AAA device access and also used for network access.Uses UDP port 1813 for accounting.
Advance accounting service.It can be used for accessing the network devices.

Another major difference between TACACS+ and RADIUS is that RADIUS needs to return every authorization parameter in one single reply, whereas TACACS+ can request authorization parameters separately and multiple times throughout a session.

For example, a network device, such as a switch or a router, can request a TACACS+ server to individually authorize every command that a user tries to implement after logging in to the device.

Whereas, RADIUS requires those commands to be sent in the starting authentication response, and since there can be a lot of CLI command combinations, a large authorization result list could cause maximum utilization of resources on the network device. This is one of a reason TACACS+ is preferred for network device access.

AAA: Local Database or Server

Local Database -

Here we store the local database, like usernames and passwords that are configured on the router. So, the router authenticates the database locally without any external server.

Server -

The router communicates with a server to authenticate users like it can be TACACS+ or RADIUS.

IOS Privilege Levels (0 to 15)

These privilege levels are used for controlling the access of the commands.

For example – Let's assume a company has three network engineers (L1, L2 & L3). So, every user will have their own limits of commands; the L3 engineer will have entire access to the device, switch, or router, whereas L2 and L1 have limitations like they can't erase the configs and can only troubleshoot or monitor. So that's how these levels are decided for users who will have what type of access.

So, we have a few reserved levels like -

Level 0 – It's the most restricted, and here we can use only a few commands like enable, exit, disable, and logout.

Level 1 (User Level) – Here, only troubleshooting and monitoring are done, also known as user exec mode.

Level 15 (Privilege Level) – This is the highest level where every command is allowed means we have full access to the device.

Level 2 to 14 (Customized Levels) – Used for specific users to give specific access to commands.

AAA Commands

Enable AAA
aaa new-model

Configure method lists
aaa {authentication | authorization | accounting} {default | list name} method 1 method 2…

(Optional) Configure lockout
aaa local authentication attempts max-fail [# of unsuccessful attempts]

These are the AAA Commands. We hope you found everything you were looking for in the "What is AAA in Networking" article. If you find anything that needs updating here, you can let us know in the comment section below.

Here are some more blogs you might like -

Access Control List
What is VLAN?
FHRP Protocol
Quality of Service

AAA is an integral part of PyNet Labs' CCNA and CCNP Training. You can check out all our courses from the "All Courses" menu here or by clicking this link - https://linktr.ee/pynet_labs. Our CCNP ENCOR training is among the highest-rated Cisco training course online, with an average rating of 4.9 out of 5.

What is AAA in Networking FAQs

Question – Is AAA a protocol?

Yes, AAA is a protocol that is used to provide more security for accessing network resources. It allows network administrators to control network access and administer the network devices. It stands for Authentication, Authorization, and Accounting.

Question - What is AAA authentication used for?

AAA authentication is used for the verification of users by having a valid username and password before giving access to any particular service or device. It basically controls who is allowed to access the network resources; if a user is authenticated, then only they are permitted to access the network resources.

Question – What is AAA and TACACS+?

AAA stands for Authentication, Authorization, and Accounting, and TACACS+ is the AAA protocol. TACACS+ was developed by Cisco in 1993 as an open standard protocol. It is mainly used for AAA device access and network access.

Question - What is AAA and RADIUS?

RADIUS is a protocol of AAA (Authentication, Authorization, and Accounting) that manages network access. It is used for accessing network devices and is an IETF Open Standard protocol.

Leave a Reply

Your email address will not be published. Required fields are marked *

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram