AAA in Computer Networking Explained

AAA stands for Authentication, Authorization, and Accounting. It is a three-layer security model. Computer networks use it to secure and monitor the usage of their resources. It enables systematic access security both locally and remotely. It works within the remote client system and the security server to secure access. It uses standardized methods to verify the identity of users before granting them access to the network. It also keeps a record of user activity on the enterprise systems. It manages and monitors access to network devices such as routers, switches, and firewalls.

How does AAA security work?

The AAA security model works in the following three steps:

  • Authentication: Verifying the user's identity
  • Authorization: Determining the user's permissions
  • Accounting: Recording the user's activities


Authentication is the first step. It validates the credentials presented by the user. It maintains a user database and uses that database to authenticate users. For example, when a user logs on with a username and password, it verifies that information against the user database. If the information matches, it grants access.

The user database is not limited to usernames and passwords. It can also store other, more secure credentials that the system or network can use to authenticate users. For example, it can store biometrics and encrypted hash values, which are more secure than traditional usernames and passwords.


Authorization is the second step. It defines the actions the user is allowed to take. It works at the object level, so you can configure different actions on the same object for different users. For example, you can allow one user to read and write a particular file while allowing another only to read it. You can allow certain users to change their system settings, such as time and IP configurations.


Accounting is the third step. It logs user activities. Administrators use the logs to track and monitor the usage of resources. They can also use logs as evidence to hold users accountable for their actions. If a network provides resource-based services, it can use accounting to generate invoices based on usage.
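
The three steps described above, as an added Python example that is not part of the original article and is not any vendor's implementation. The class and method names, the PBKDF2 parameters, and the sample users and file name are assumptions made for illustration.

```python
import hashlib, hmac, os, time
def _hash(password, salt):
    # Salted, deliberately slow hash: the database never holds the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AAAServer:
    def __init__(self):
        self.users = {}        # username -> (salt, password hash)
        self.acl = {}          # (username, object) -> allowed actions
        self.sessions = set()  # usernames that have authenticated
        self.accounting = []   # append-only activity records

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))
    def grant(self, user, obj, *actions):
        self.acl.setdefault((user, obj), set()).update(actions)

    def _record(self, user, event, obj, ok):
        # Step 3, accounting: log every decision, permitted or refused.
        self.accounting.append({"ts": time.time(), "user": user,
                                "event": event, "object": obj, "ok": ok})
        return ok

    def authenticate(self, user, password):
        # Step 1: check the presented credentials against the user database.
        salt, stored = self.users.get(user, (b"\x00" * 16, b""))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self.sessions.add(user)
        return self._record(user, "login", None, ok)

    def authorize(self, user, obj, action):
        # Step 2: per-object check; no session or no grant means deny.
        ok = user in self.sessions and action in self.acl.get((user, obj), ())
        return self._record(user, action, obj, ok)

    def usage(self, user):
        # Billing input: number of permitted object actions for this user.
        return sum(r["ok"] and r["object"] is not None and r["user"] == user
                   for r in self.accounting)

def demo():
    aaa = AAAServer()  # users, passwords and file name are constructed samples
    aaa.add_user("alice", "constructed-pass-1")
    aaa.add_user("bob", "constructed-pass-2")
    aaa.grant("alice", "report.txt", "read", "write")
    aaa.grant("bob", "report.txt", "read")
    return aaa
```

Refused logins and denied actions are recorded alongside permitted ones, so the accounting log shows failed attempts as well as billable usage.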


Cisco AAA for CCNA

AAA is a universal security model. Almost all companies and vendors use it to secure their resources. Cisco also uses and supports this model in its devices.

For example, a network administrator can employ various methods to control a user's access to a switch and router. Initially, he can configure basic passwords to secure the console and VTY lines. By default, the console line provides access to all levels. However, routers and switches allow administrators to secure global configuration mode by enabling secret passwords. Depending on how much access the administrator wants to give a user on the device, the administrator can configure or share the appropriate password.

If the administrator wants to give full access to the user on the device, he can share both passwords. If he wants to grant limited access to the user on the device, he can share only the console or VTY line password. With this password, the user will gain access only to the privileged exec mode.

However, using individual usernames and passwords on each switch can be cumbersome. A more scalable solution is to use centralized AAA functions, which are standardized, resilient, and flexible. For instance, a centralized authentication server can maintain a database of users and their passwords and policies for authorizing user activities.

Additionally, AAA servers can support multifactor user credentials for enhanced security. Cisco's Identity Services Engine (ISE) platform is an example of a system that implements AAA services.
