Authentication, Authorization & Accounting

This guide shows how to set up the authentication, authorization and accounting framework for RADIUS and TACACS+ use cases. The framework is also known as the New AAA Model.

Introduction

AAA stands for Authentication, Authorization, and Accounting. It is a framework used to control access to computer resources, enforce policies, audit usage, and provide the information necessary to bill for services. This framework is crucial in network security and management, particularly within enterprise environments.

Term - Description
AAA - A framework to control access to devices
Authentication - Proof of identity
Authorization - Access to pre-defined privileges and resources
Accounting - A record of user actions and timestamps in log files
Authentication
Purpose: To verify the identity of a user or device attempting to access the network.
Process: When a user tries to log in, the authentication process verifies their credentials (e.g., username and password, biometrics, or certificates).
Methods: Common methods include passwords, PINs, smart cards, biometrics, and digital certificates.
Protocols: Popular protocols for authentication include RADIUS (Remote Authentication Dial-In User Service), TACACS+ (Terminal Access Controller Access-Control System Plus), and LDAP (Lightweight Directory Access Protocol).
Authorization
Purpose: To determine what an authenticated user or device is allowed to do or access.
Process: After authentication, the authorization process checks the user’s permissions and grants or denies access to specific resources or services based on predefined policies.
Methods: Role-based access control (RBAC), attribute-based access control (ABAC), and policy-based access control are common approaches.
Protocols: RADIUS and TACACS+ are also used for authorization, often in conjunction with authentication.
Accounting
Purpose: To track the consumption of network resources by users.
Process: Accounting logs activities such as login/logout times, commands executed, data transferred, and resources accessed.
Methods: Logging and reporting mechanisms that record user activities for auditing and analysis.
Protocols: RADIUS and TACACS+ support accounting functions.

AAA in Practice

Authentication
A user tries to access a network device (router or switch).
The device prompts the user for a username and password.
The device sends these credentials to an AAA server.
The AAA server verifies the credentials against a database.
If valid, the user is authenticated.
Authorization
Once authenticated, the AAA server checks the user’s profile to determine what they are authorized to do.
The server sends authorization information back to the network device.
The device enforces the authorization policies, granting or denying access to specific resources or commands.
Accounting
The network device logs the user’s activities and usage information.
This information is sent to the AAA server.
The server stores these logs for reporting, auditing, and analysis purposes.
Benefits of AAA
Enhanced Security: By ensuring only authorized users can access network resources and tracking their activities.
Centralized Management: Simplifies the management of user access and policies across the network.
Auditing and Compliance: Provides detailed logs of user activities, which are useful for audits and ensuring compliance with regulations.
Scalability: Can be easily scaled to accommodate growing networks and user bases.
Common Use Cases
Enterprise Networks: Controlling employee access to different parts of the network.
ISPs (Internet Service Providers): Managing customer access and billing.
VPNs (Virtual Private Networks): Authenticating remote users and ensuring secure access.
Wi-Fi Networks: Managing user access to public or private Wi-Fi networks.

RADIUS & TACACS+

RADIUS (Remote Authentication Dial-In User Service) is a protocol used to authenticate, authorize, and account for users accessing a network. It is commonly employed for authenticating users in scenarios like Wi-Fi networks, VPNs, and ISPs. RADIUS operates over UDP ports 1812 & 1813 and encrypts only the user password, combining the processes of authentication and authorization in a single step. On the other hand, TACACS+ (Terminal Access Controller Access-Control System Plus) is designed to provide detailed authentication, authorization, and accounting services, particularly for administrative access to network devices such as routers, switches, and firewalls. It uses TCP port 49 and encrypts the entire packet for enhanced security. Unlike RADIUS, TACACS+ separates the authentication, authorization, and accounting processes, allowing for more granular control.

RADIUS
Permit or deny client network access
IETF open standard
UDP port 1812 & 1813
Protocol encrypts only the password field
TACACS+
Permit or deny device administration access
Cisco proprietary protocol
TCP port 49
Protocol encrypts the whole packet payload
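The difference between "encrypts only the password field" and "encrypts the whole packet payload" is easiest to see in code. The following is an added example, not part of this guide or of any vendor implementation; it implements the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5, with a constructed shared secret, Request Authenticator and session values.

```python
import hashlib

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: the password is null-padded to a multiple of 16 bytes and
    XORed with a chained MD5 stream of (shared secret + Request Authenticator,
    then shared secret + previous cipher block). Only this attribute is hidden."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1-128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; the server side of the exchange.
    Trailing null padding is stripped, so passwords ending in NUL are ambiguous."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")

def radius_access_request_attrs(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request (type, length, value per RFC 2865):
    User-Name (type 1) travels in clear, User-Password (type 2) is hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    return bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden

def tacacs_obfuscate_body(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 4.5: the entire packet body is XORed with a pseudo-pad built from
    chained MD5(session_id, key, version, seq_no[, previous MD5]). Only the
    12-byte header stays in clear. Calling it again restores the body (XOR)."""
    hdr = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(hdr + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))

if __name__ == "__main__":
    secret, ra = b"shared-secret", bytes(range(16))  # constructed values
    attrs = radius_access_request_attrs(b"alice", b"hunter2", secret, ra)
    print("User-Name visible:", b"alice" in attrs, "| password visible:", b"hunter2" in attrs)
    body = b"\x01\x00\x02\x00\x05\x00\x00\x00admin"  # constructed START body
    ob = tacacs_obfuscate_body(body, b"tackey", 0x1234, 0xC0, 1)
    print("TACACS+ body visible:", b"admin" in ob)
```

Note that both schemes rely on MD5 keyed with a static shared secret, which is why the comparison above talks about which fields are hidden, not about strong encryption; in deployments the guidance is to put RADIUS and TACACS+ traffic on a management network or inside a TLS/IPsec tunnel.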
