Chapter 3. Access Control

Overview of AAA Technology

Cisco created the AAA technology framework for configuring three separate features on Cisco devices. According to Cisco, AAA consists of the following components:

  • Authentication— The process of validating the claimed identity of an end user or a device, such as a host, server, switch, router, and so on

  • Authorization— The act of granting access rights to a user, groups of users, a system, or a process

  • Accounting— The methods to establish who or what performed a certain action, such as tracking user connection and logging system users

The AAA architectural framework defines the use of the RADIUS and TACACS+ protocols (discussed later in this chapter) for access control. AAA provides flexible, scalable, modular access control of network devices. In particular, the capability to centrally manage access to all the networking devices is a major advantage of AAA.

To understand the significance of AAA, consider a typical case where a user connects to a network device using the Telnet password, changes configuration, and logs out. There is no record of the time of login, identity of the user, or change in the configuration. By enabling AAA on the device, you can do the following:

  • Control who logs in to the device (authentication)

  • Control what commands the user can use (authorization)

  • Record the changes made by the user (accounting)

A detailed record of user activities, also known as an audit trail, helps in troubleshooting or auditing at a later stage. The audit trails are also helpful in investigating cyber-crimes. In many industries, audit trails can be mandatory because of government regulation. For example, the U.S. Health Insurance Portability and Accountability Act (HIPAA) defines a set of security standards for the healthcare industry. Another advantage of AAA in a multi-administrator site is that you can centrally restrict access to devices when a particular user’s employment is terminated. Otherwise, without AAA, you need to change the authentication information on each device.

The AAA architecture framework defines the following two components:

  • AAA Client— A AAA Client is any network device that is being monitored for authentication, authorization, and accounting. The device should be configured to use the AAA feature. It should also have IP connectivity to the AAA Servers. The client communicates with the AAA Server to verify the access rights for a user.

  • AAA Server— A AAA Server functions as a service running over the Windows or Linux operating system (OS). While the AAA Server is available as application software for various OSs, Windows 2000 and 2003 also feature a built-in AAA Server. The AAA Server responds to the requests made by the AAA Clients. The server uses an internal database to validate the requests made by the AAA Client. Additionally, the database must be populated with the list of all valid AAA Clients. A network can have a single AAA Server for centralized access control. However, deploying multiple AAA Servers provides redundancy.

Figure 3-1 depicts a scenario in which a Cisco router acts as a AAA Client. The netadmin attempts to access the router via Telnet, SSH, or the console. The router queries the AAA Server to validate access control requests.

Figure 3-1. AAA Scenario


The AAA framework is flexible because it supports either of the following two protocols:

  • RADIUS

  • TACACS+

The following sections provide more history, features, and operational details regarding each of these protocols. Readers who are familiar with TACACS+ and RADIUS can skip these sections if they want to.

TACACS+

TACACS+ was developed by Cisco and was proposed as an Internet Engineering Task Force (IETF) draft. TACACS+, a set of client/server software and protocols that provides AAA services, offers the following features:

  • Centralized access control— Provides centralized management of access control services across the network.

  • Modular services— Provides separate and modular authentication, authorization, and accounting services. These services can use a single database, or each service can have its own database to leverage other services that are available on that server or on the network.

  • Encryption— All protocol exchanges between the client and a TACACS+ Server are encrypted. Both the client and the server should be configured with the same encryption key.

  • Reliability— Uses the Transmission Control Protocol (TCP) for a reliable and robust connection between the client and the server. The default TCP port number is 49, although this can be changed.

Although Cisco has submitted TACACS+ to the IETF, it has yet to be approved. This makes it a Cisco-proprietary protocol, with little acceptance outside Cisco.

TACACS+ works within the AAA framework to provide the authentication, authorization, and accounting function. As defined under the AAA framework, TACACS+ consists of two components—the TACACS+ Client and the TACACS+ Server. The TACACS+ Client can be any network device that queries the TACACS+ Server to validate access control requests. The following steps describe the operation of the TACACS+ protocol:

Step 1.
When a user tries to log in to a network device that is working as a TACACS+ Client, the network device prompts the user for username and password information. The network device sends this information back to the TACACS+ Server. The TACACS+ Server responds with one of the following messages to the querying network device:

  • ACCEPT— The user is successfully authenticated. If needed, the authorization process can start.

  • REJECT— The authentication process failed for the user.

  • ERROR— An error occurred during the authentication process. The error can be either in the TACACS+ Server or in the connection between the TACACS+ Server and the TACACS+ Client. The network device can use another TACACS+ Server.

  • CONTINUE— The user is prompted for additional information.

Step 2.
After completing the authentication process, the user can begin the optional authorization process. The TACACS+ Server is contacted again to authorize the commands run by the user. The TACACS+ Server returns an ACCEPT or REJECT authorization response. The ACCEPT response contains additional attributes that provide the EXEC or NETWORK privileges for that user.

Step 3.
The accounting process can only begin after completion of the authentication and authorization processes. Similar to the authorization process, the accounting process is also optional. The TACACS+ accounting process keeps a log of activities performed by the user. As with the authorization process, the network device sends a REQUEST packet that contains the START RECORD or STOP RECORD response to the TACACS+ Server. The TACACS+ Server returns a RESPONSE packet to acknowledge the request. The START RECORD accounting notice indicates the beginning of the process, while the STOP RECORD response indicates the end of the process.
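
To show what the START RECORD and STOP RECORD notices of Step 3 give an administrator, here is an added Python example (not code from the book or from Cisco) that turns a batch of accounting records into the per-user audit trail described earlier in this chapter and flags sessions that never received a STOP. The syslog-style line layout, hostnames, addresses and commands are constructed for the example; only the AV-pair names (user, flag, task_id, service, cmd, elapsed_time) follow TACACS+ accounting convention.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real device output). Each line carries
# TACACS+-style AV pairs: one START/STOP pair brackets the login session
# (task_id 101, 201); every command the user ran produced its own STOP
# record with a cmd= attribute. Bob's session has no closing STOP.
SAMPLE_ACCOUNTING = """\
Jul 10 09:12:03 rtr1 tac+: user=alice tty=vty0 rem_addr=10.0.0.5 flag=START task_id=101 service=shell start_time=1720602723
Jul 10 09:12:09 rtr1 tac+: user=alice tty=vty0 rem_addr=10.0.0.5 flag=STOP task_id=102 service=shell cmd=configure terminal
Jul 10 09:12:20 rtr1 tac+: user=alice tty=vty0 rem_addr=10.0.0.5 flag=STOP task_id=103 service=shell cmd=interface GigabitEthernet0/1
Jul 10 09:12:31 rtr1 tac+: user=alice tty=vty0 rem_addr=10.0.0.5 flag=STOP task_id=104 service=shell cmd=shutdown
Jul 10 09:13:02 rtr1 tac+: user=alice tty=vty0 rem_addr=10.0.0.5 flag=STOP task_id=101 service=shell elapsed_time=59
Jul 10 09:40:11 rtr1 tac+: user=bob tty=vty1 rem_addr=10.0.0.9 flag=START task_id=201 service=shell start_time=1720604411
Jul 10 09:40:15 rtr1 tac+: user=bob tty=vty1 rem_addr=10.0.0.9 flag=STOP task_id=202 service=shell cmd=show running-config
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) tac\+: (?P<avpairs>.*)$"
)
AV_RE = re.compile(r"(\w+)=")


@dataclass
class Event:
    ts: str
    host: str
    user: str
    rem_addr: str
    flag: str
    task_id: str
    cmd: str = ""


def parse_avpairs(text: str) -> dict:
    """Split 'k=v k=v ...' where the last value (cmd=...) may contain spaces.

    Splitting on key= positions handles 'cmd=configure terminal'; a command
    whose own text contains 'word=' would be mis-split, so treat cmd as
    best-effort when feeding untrusted records into anything automated.
    """
    matches = list(AV_RE.finditer(text))
    pairs = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        pairs[m.group(1)] = text[m.end():end].strip()
    return pairs


def parse_line(line: str):
    """Return an Event for a well-formed record, None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    av = parse_avpairs(m.group("avpairs"))
    return Event(m.group("ts"), m.group("host"), av.get("user", "?"),
                 av.get("rem_addr", "?"), av.get("flag", "?"),
                 av.get("task_id", "?"), av.get("cmd", ""))


def build_audit_trail(text: str) -> dict:
    """Map each user to the ordered list of (timestamp, host, command) they ran."""
    trail = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev.cmd:               # command accounting records carry cmd=
            trail[ev.user].append((ev.ts, ev.host, ev.cmd))
    return dict(trail)


def open_sessions(text: str) -> list:
    """Sessions with a START but no session-level STOP for the same task_id.

    These are either still logged in or lost their STOP (device reload,
    accounting server unreachable), both worth a second look in an audit.
    """
    started, stopped = {}, set()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.flag == "START":
            started[ev.task_id] = ev
        elif ev.flag == "STOP" and not ev.cmd:   # session STOP, not a command STOP
            stopped.add(ev.task_id)
    return [ev for tid, ev in started.items() if tid not in stopped]


if __name__ == "__main__":
    for user, cmds in build_audit_trail(SAMPLE_ACCOUNTING).items():
        print(user)
        for ts, host, cmd in cmds:
            print(f"  {ts} {host}: {cmd}")
    for ev in open_sessions(SAMPLE_ACCOUNTING):
        print(f"open session: user={ev.user} from {ev.rem_addr} task_id={ev.task_id}")
```

Run against the constructed sample, the trail shows exactly the record the chapter says is missing without AAA: who logged in, from where, and which configuration commands they entered, in order.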

RADIUS

The RADIUS protocol was originally developed by Livingston Enterprises Inc. and is now part of the IETF-based standard described by RFC 2138 and 2139. Cisco introduced support for RADIUS in Cisco IOS Release 11.1. Similar to TACACS+, a RADIUS Server provides authentication and accounting services to one or more network devices that are acting as RADIUS Clients. A RADIUS Server runs as a service over an OS such as Windows or Linux. The RADIUS Client sends authentication requests to a central RADIUS Server that contains all user authentication and network service access information. Typically, a RADIUS Server is deployed as a dedicated machine that is connected to the network. You can have multiple RADIUS Servers for redundancy.

RADIUS offers the following features:

  • Centralized access control— Provides a centralized management of access control services across the network.

  • Encryption— Unlike TACACS+, RADIUS only encrypts the password. The RADIUS Client uses the Message Digest 5 (MD5) algorithm to send the password to the RADIUS Server. The MD5 algorithm produces a message digest, or hash, of the password. Instead of the password, the hash is sent to ensure that no one can learn the password by eavesdropping on the line.

  • UDP-based protocol— Uses User Datagram Protocol (UDP) ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting. The use of UDP provides faster performance because the RADIUS protocol includes a built-in mechanism for handling retransmission and timeout issues, thus eliminating the need for TCP.

  • Cisco support— Is supported on all Cisco platforms, but some RADIUS-supported features run only on specific platforms.

  • Industrywide standard— Support from various vendors for AAA implementation makes it ideal for networks with multiple-vendor access servers. Because it is a fully open protocol and is distributed in source code format, RADIUS can be modified to work with any security system that is currently on the market.

  • Vendor-specific attributes (VSA)— Allows customization by letting vendors support extended attributes that are unique to their designs.

Tip

For a list of Cisco-specific RADIUS VSAs, refer to the article “RADIUS Attributes” on Cisco.com. The URL is as follows:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023360b.html#wp242440
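
The two Encryption bullets above (TACACS+ encrypts the whole exchange with a shared key; RADIUS hides only the password with MD5) can be made concrete. The following Python is an added example, not code from the book or from Cisco: it implements the User-Password hiding of RFC 2865 section 5.2 and the body obfuscation of the TACACS+ IETF draft the chapter cites (later published as RFC 8907). The shared secrets, session id and sample attribute bytes are constructed values for the demonstration.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- RADIUS (RFC 2865 section 5.2) ------------------------------------------
# Only the User-Password attribute is protected. The 16-byte Request
# Authenticator (sent in clear in the packet header) and the shared secret
# seed an MD5 keystream; each 16-byte password block is XORed with
# MD5(secret + previous block), chaining on the hidden blocks.

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16n
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, chained on the received (hidden) blocks."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")   # strip the NUL padding added by the client


# --- TACACS+ (IETF draft / RFC 8907 section 4.5) -----------------------------
# Everything after the 12-byte header is XORed with a pseudo-pad derived from
# header fields plus the shared key, so usernames, commands and attributes
# are all covered, not just the password.

TACACS_VERSION = 0xC0   # major version 0xc, minor version 0


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()   # pad_n = MD5(seed + pad_{n-1})
        pad += prev
    return pad[:length]


def tacacs_obfuscate_body(body: bytes, session_id: int, key: bytes, seq_no: int,
                          version: int = TACACS_VERSION) -> bytes:
    """XOR is its own inverse, so the same call de-obfuscates a received body."""
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)   # fresh per request, travels in clear
    hidden = radius_hide_password(b"Passw0rd!", secret, authenticator)
    print("RADIUS hidden User-Password:", hidden.hex())
    print("recovered by server:", radius_reveal_password(hidden, secret, authenticator))
    # A RADIUS User-Name attribute (type 1, length, value) is sent as-is.
    user_name_attr = bytes([1, 2 + len(b"alice")]) + b"alice"
    print("RADIUS User-Name on the wire:", user_name_attr)

    body = b"\x01\x01\x01\x01\x05\x06\x00\x00alice"   # constructed START body
    ob = tacacs_obfuscate_body(body, session_id=0x1A2B3C4D, key=b"tac-key", seq_no=1)
    print("TACACS+ obfuscated body:", ob.hex())
    assert tacacs_obfuscate_body(ob, 0x1A2B3C4D, b"tac-key", 1) == body
```

The contrast is the point Table 3-1's Encryption row makes: in RADIUS the User-Name and every other attribute travel in the clear and only the password block is hidden, whereas TACACS+ covers the whole body. In both protocols the shared key is the only secret material, so its strength and per-client uniqueness matter as much as the algorithm.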


The operation of RADIUS is similar to that of the TACACS+ protocol. However, during the authentication process, the RADIUS Server responds with one of the following messages to the RADIUS Client:

  • ACCEPT— The user authentication is successful.

  • REJECT— The user authentication has failed. The user is prompted to re-enter a username and password; otherwise, access is denied.

  • CHALLENGE— The RADIUS Server prompts the user for more information.

  • CHANGE PASSWORD— The RADIUS Server requests the user to change the existing password.

The ACCEPT or REJECT response can contain additional data required for authorization.
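
Both reply vocabularies above (TACACS+ ACCEPT/REJECT/ERROR/CONTINUE in Step 1, RADIUS ACCEPT/REJECT/CHALLENGE here) leave the AAA Client with the same decision: which replies end the attempt, which ask the user for more input, and which mean the server is unavailable and another configured server should be tried. The Python below is an added example, not from the book or from Cisco; it models that client-side logic against simulated servers (`down_server`, `make_otp_server`) constructed here to stand in for real TACACS+ or RADIUS Servers.

```python
from enum import Enum
from typing import Callable, List, Optional, Sequence, Tuple


class Reply(Enum):
    ACCEPT = "ACCEPT"       # authenticated; authorization may follow
    REJECT = "REJECT"       # credentials refused: a final answer
    ERROR = "ERROR"         # server or transport failure: try the next server
    CONTINUE = "CONTINUE"   # server wants more input (RADIUS: CHALLENGE)


# A simulated server: (username, current answer, round) -> (reply, prompt text)
Server = Callable[[str, str, int], Tuple[Reply, str]]


def authenticate(servers: Sequence[Server], username: str, password: str,
                 ask_user: Callable[[str], str], max_rounds: int = 4
                 ) -> Tuple[Optional[Reply], Optional[int], List[Tuple[int, int, Reply]]]:
    """Walk the configured server list the way an AAA Client does.

    Returns (final reply, index of the server that answered, transcript).
    ERROR moves on to the next server; CONTINUE re-asks the same server with
    fresh user input; ACCEPT and REJECT are final. A REJECT must not cause a
    failover, otherwise every spare server hands the user another guess.
    When every server errors, (None, None, transcript) is returned and the
    caller decides whether any local fallback policy applies.
    """
    transcript: List[Tuple[int, int, Reply]] = []
    for idx, server in enumerate(servers):
        answer = password
        for rnd in range(max_rounds):
            reply, prompt = server(username, answer, rnd)
            transcript.append((idx, rnd, reply))
            if reply is Reply.CONTINUE:
                answer = ask_user(prompt)          # stay on this server
                continue
            if reply is Reply.ERROR:
                break                              # failover to next server
            return reply, idx, transcript          # ACCEPT or REJECT
        else:
            # Server kept asking for more: treat as an error, not a success.
            transcript.append((idx, max_rounds, Reply.ERROR))
    return None, None, transcript


# --- constructed stand-ins for real servers ---------------------------------

def down_server(username: str, answer: str, rnd: int) -> Tuple[Reply, str]:
    """Unreachable server: every query comes back as ERROR."""
    return Reply.ERROR, ""


def make_otp_server(valid_password: str, valid_otp: str) -> Server:
    """Password first, then a one-time code via CONTINUE; records every query."""
    calls: List[Tuple[str, str]] = []

    def server(username: str, answer: str, rnd: int) -> Tuple[Reply, str]:
        calls.append((username, answer))
        if rnd == 0:
            if answer == valid_password:
                return Reply.CONTINUE, "Enter one-time code:"
            return Reply.REJECT, ""
        return (Reply.ACCEPT, "") if answer == valid_otp else (Reply.REJECT, "")

    server.calls = calls   # lets a caller verify which servers were consulted
    return server


if __name__ == "__main__":
    primary = make_otp_server("Passw0rd!", "123456")
    reply, idx, log = authenticate([down_server, primary], "alice", "Passw0rd!",
                                   ask_user=lambda prompt: "123456")
    print(reply, "from server", idx)
    for entry in log:
        print("  server %d round %d -> %s" % (entry[0], entry[1], entry[2].value))
```

The transcript is what the page calls an audit trail at the client side: it records every server consulted and every reply, which is the evidence needed later to tell a server outage from a refused login.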

RADIUS and TACACS+ Comparison

This chapter focuses on the basic functionality of AAA, using RADIUS and TACACS+ protocols, to secure access to the network devices.

While both RADIUS and TACACS+ provide AAA functionality, their industrywide usage pattern is different. TACACS+ is often used for securing access to networking devices such as routers and switches. RADIUS is widely used for controlling access to network resources such as HTTP, FTP, e-mail, and file and print sharing through dial-up or Virtual Private Networks (VPN). In such scenarios, the access devices (called network access servers, or NAS) are configured to query the RADIUS Servers to verify the user’s request for access to a particular resource. Examples of devices that use RADIUS are as follows:

  • Access routers with a modem pool for remote dial-up

  • Routers with a per-user access list

  • Switches with port security

  • Firewalls with authentication proxies

  • VPN concentrators for remote users

  • WLANs with 802.1X user authentication

  • Wireless application protocol (WAP) devices

Table 3-1 summarizes the main differences between the two popular choices of AAA protocols.

Table 3-1. TACACS+ and RADIUS Comparison

Developer
  TACACS+: Cisco.
  RADIUS: Livingston; it is now an open-protocol standard.

Deployment
  TACACS+: Cisco.
  RADIUS: Multiple vendors, including Cisco.

Ports
  TACACS+: TCP 49.
  RADIUS: UDP 1812, 1813, 1645, 1646.

RFC
  TACACS+: IETF draft-grant-TACACS.
  RADIUS: RFC 2865.

Encryption
  TACACS+: Entire packet is encrypted, except the header.
  RADIUS: Only the password is encrypted; the rest of the packet is in clear text.

Modularity
  TACACS+: Separates authentication, authorization, and accounting, providing greater control.
  RADIUS: Authentication and authorization are combined.

Protocol Support
  TACACS+: Multiprotocol support.
  RADIUS: No support for the following: AppleTalk Remote Access (ARA) Protocol, NetBIOS Frame Protocol Control Protocol, Novell Asynchronous Services Interface (NASI), and X.25 PAD connection.

Router Commands
  TACACS+: Provides granular control over each router command that can be executed on a per-user or per-group basis.
  RADIUS: No support for controlling each router command.

