Although a strong username/password combination is essential to secure your devices, in real-world enterprise environments we also need to ensure that there is a record of:
- Who has connected?
- What they are authorised to do?
- What they have done in their session?
These three concepts are summarised under the labels:
- Authentication
- Authorisation
- Accounting
Let’s expand on these concepts:
Authentication
This is where we confirm exactly who is connecting to the device by checking them against a list or database of users. This list/database can be configured locally on the device, on the AAA server itself, or on a third-party directory such as Active Directory.
At this stage the user is authenticated, for example with a username/password combination.
Authorisation
Once the user has been authenticated to access the device, the system needs to know what level of privilege this user is entitled to.
Can they change individual settings? Global settings for the entire device? Or are they limited to checking the status of the device? This is where authorisation comes in.
The authorisation level is usually determined by a remote security server such as Cisco ACS or Cisco ISE.
Accounting
Once we have confirmed who is connecting to the device and what they are allowed to do, we need to see what they are actually doing or have done.
For example, this is essential when something has been changed on a device and caused it to malfunction. You will know what was done and how to revert it. This is also an essential feature for auditing purposes.
Accounting allows us to store a log of the commands that were entered and what happened during the session. We can choose to store this locally or on a remote server.
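To tie the three stages together, here is a small Python model of the AAA flow just described: a local user database for authentication, a per-command privilege table for authorisation, and an accounting list that records every attempted command so that configuration changes can be traced and reverted. This is an added illustration written for this page, not vendor code or the configuration of any real AAA server; the usernames, passwords, privilege levels and command table are constructed for the example, and a production device would consult a TACACS server such as Cisco ISE rather than an in-memory dictionary.

```python
"""Toy model of AAA (authentication, authorisation, accounting) for a network device.
Added illustration; every value below is constructed for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _make_entry(password: str, privilege: int) -> tuple:
    """Build a salted-hash record so no plaintext password sits in the store."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return (salt, digest, privilege)


# Constructed local user database: username -> (salt, hash, privilege level).
USER_DB = {
    "netops": _make_entry("correct horse battery staple", 15),  # full configuration rights
    "helpdesk": _make_entry("read-only-pass", 1),               # status checks only
}

# Minimum privilege level required per command (constructed; 15 = full control).
COMMAND_PRIVILEGE = {
    "show version": 1,
    "show interfaces": 1,
    "configure terminal": 15,
    "interface GigabitEthernet0/1": 15,
    "shutdown": 15,
}


@dataclass
class Session:
    user: str
    privilege: int
    accounting: list = field(default_factory=list)  # one record per attempted command


def authenticate(username: str, password: str):
    """Authentication: is this really the claimed user? Returns a Session or None."""
    entry = USER_DB.get(username)
    if entry is None:
        return None
    salt, stored, privilege = entry
    candidate = hashlib.sha256(salt + password.encode()).digest()
    if not hmac.compare_digest(candidate, stored):  # constant-time comparison
        return None
    return Session(user=username, privilege=privilege)


def authorise(session: Session, command: str) -> bool:
    """Authorisation: may this authenticated user run this command?"""
    required = COMMAND_PRIVILEGE.get(command)
    if required is None:
        return False  # unknown commands are denied, not assumed harmless
    return session.privilege >= required


def run(session: Session, command: str) -> bool:
    """Accounting: record every attempt, permitted or not, then report the decision."""
    allowed = authorise(session, command)
    session.accounting.append({"user": session.user, "command": command, "allowed": allowed})
    return allowed


def commands_that_changed_config(session: Session) -> list:
    """Audit helper: which executed commands needed configuration privilege?
    This is the record that tells you what was changed and how to revert it."""
    return [r["command"] for r in session.accounting
            if r["allowed"] and COMMAND_PRIVILEGE[r["command"]] >= 15]


if __name__ == "__main__":
    s = authenticate("helpdesk", "read-only-pass")
    for cmd in ("show version", "configure terminal"):
        print(cmd, "->", "permitted" if run(s, cmd) else "denied")
    print(s.accounting)
```

Note that the accounting list records denied attempts as well as permitted ones; a read-only account repeatedly trying configuration commands is exactly the kind of thing an auditor wants to see.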
Notes:
It is important to understand that AAA itself isn't a protocol; it is a framework, and several protocols exist to put it into practice. One such protocol is TACACS.
The device's authentication and authorisation requests are then checked against a TACACS-supporting server such as Cisco ACS or Cisco ISE.
1 Comment
Good Explanation, and thanks for the clarification.
Keep up the good work!