Being able to log in and gain access to corporate resources is one of the most important parts of every company's IT setup. In this post we will look at the concept of AAA, which stands for Authentication, Authorization and Accounting. Whether users are logging into the network through a VPN or connecting to the command line of a switch, an AAA framework is what controls that access. The first step in the AAA framework is to verify the identity and validity of a user, which is called Authentication.
Let's take an example. When we collect a package from the post office we have to produce our identity to prove that we are the intended recipient. In the same way, in the networking world our identification could be a username and password, an SSL/TLS certificate, or a combination of these. Without authentication, an administrator could never control user (or machine) access to the network and related resources. Authentication and authorization are sometimes confused with each other because the two are closely related.
Authentication is when you log into a router, switch or any other system with your credentials (username/password, RSA token, fingerprint) using some authentication method. After the system authenticates you (access to enter the system is granted), it next checks its internal database to see what resources you are permitted to access and compares that with what you have requested. If the requested resource matches what has been permitted, that is what we call authorization. An example is a user who is allowed only to view the configuration of devices and is not allowed to enter configuration mode.
AAA Framework –
- Identification –
  - This is who you claim to be
  - Usually your username
- Authentication –
  - Prove you are who you say you are
  - Password and other authentication factors
- Authorization –
  - Based on your identification and authentication, what access do you have?
- Accounting –
  - Resources used: login time, data sent and received, logout time
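To make the four steps concrete, here is a small Python model of the whole AAA flow for a device login. This is an added example written for this post, not code from the original article or from any vendor's AAA implementation; the usernames, passwords, privilege levels and CLI actions are made up for illustration.

```python
"""Toy AAA flow: identify, authenticate, authorize, account.

Added example for this post (not the article's own code). Users, passwords,
privilege levels and CLI actions below are constructed for illustration.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000

# Authorization policy: which CLI actions each privilege level may perform.
# "operator" may only view the configuration; "admin" may also change it.
POLICY = {
    "operator": {"show running-config"},
    "admin": {"show running-config", "configure terminal"},
}


def create_user(db, username, password, privilege):
    """Store a salted PBKDF2 hash instead of the clear-text password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[username] = {"salt": salt, "hash": digest, "privilege": privilege}


def authenticate(db, username, password):
    """Authentication: return True only if the password proves the claimed identity."""
    record = db.get(username)
    # Hash even for unknown users so the response time does not reveal
    # which usernames exist (a common user-enumeration weakness).
    salt = record["salt"] if record else bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    if record is None:
        return False
    return hmac.compare_digest(digest, record["hash"])


def authorize(db, username, action):
    """Authorization: check the authenticated user's privilege against the policy."""
    privilege = db[username]["privilege"]
    return action in POLICY.get(privilege, set())


def run_session(db, username, password, actions, clock=time.time):
    """Drive the full AAA flow and return the accounting records it produces."""
    records = []  # accounting: who did what, when, and with which outcome
    login_time = clock()
    if not authenticate(db, username, password):
        records.append({"event": "login-failed", "user": username, "time": login_time})
        return records
    records.append({"event": "login", "user": username, "time": login_time})
    for action in actions:
        allowed = authorize(db, username, action)
        records.append({"event": "command", "user": username, "action": action,
                        "allowed": allowed, "time": clock()})
    records.append({"event": "logout", "user": username, "time": clock()})
    return records


if __name__ == "__main__":
    users = {}
    create_user(users, "alice", "correct horse", "operator")
    create_user(users, "bob", "battery staple", "admin")
    # alice can view the config but is refused when she tries to enter config mode
    for entry in run_session(users, "alice", "correct horse",
                             ["show running-config", "configure terminal"]):
        print(entry)
```

The accounting records are what you would later ship to a central AAA server or SIEM: a failed login, a permitted command, a denied command and the logout are all written down with who and when, which is exactly the data the Accounting step exists to capture.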
There are various types of authentication methods. Let's focus on some commonly used ones:
- Something you know: usually a username and password, but it can also be a PIN code or something else
- Something you have: a smart card or physical token
- Something you are: a physical attribute (a biometric)
- Multi-factor authentication (MFA) or two-factor authentication (2FA): combining factors of different kinds, such as password authentication and a security token
There are several centralized authentication technologies and protocols available. Two of the most commonly used protocols are RADIUS and TACACS+ (the current version of TACACS). Both provide the communication between your network devices (where users request access) and the AAA servers. Let's further understand the difference between the RADIUS and TACACS+ protocols.
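As an added illustration of what a RADIUS exchange actually carries on the wire (written for this post, not taken from the original article or from any RADIUS server's code), the Python below builds an Access-Request packet with User-Name and User-Password attributes as defined in RFC 2865 and parses it again. The shared secret, packet identifier and Request Authenticator are fixed test values, and the function names are this example's own. What it shows is that only the User-Password attribute is hidden, by XOR-ing it with an MD5 keystream derived from the shared secret; the username and every other attribute travel in clear text, which is one of the standard points of comparison with TACACS+, which encrypts the whole packet body.

```python
"""RADIUS Access-Request (RFC 2865) with User-Password hiding, built and parsed.

Added example for this post (not the article's own code). Secret, identifier
and Request Authenticator below are constructed test values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block).

    The first block is keyed with the Request Authenticator; later blocks chain
    on the previous ciphertext block. The result is obfuscation, not authenticated
    encryption: anyone holding the shared secret and the packet can undo it.
    """
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)        # at least one 16-octet segment
    padded = password.ljust(blocks * 16, b"\x00")
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")  # strip padding (passwords with trailing NULs are ambiguous)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, includes the two header octets) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, password, authenticator=None):
    """Assemble a client-side Access-Request; the authenticator is random per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}) or raise on malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    authenticator = packet[4:HEADER_LEN]
    attrs = {}
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    secret = b"testing123"                 # constructed shared secret
    pkt = build_access_request(secret, 7, b"alice", b"s3cret")
    code, ident, auth, attrs = parse_access_request(pkt)
    print("User-Name on the wire   :", attrs[ATTR_USER_NAME])          # clear text
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())  # hidden
    print("Recovered at the server :", reveal_password(secret, auth, attrs[ATTR_USER_PASSWORD]))
```

Because the hiding depends only on MD5 and the shared secret, the usual operational advice follows directly from the code: use long random shared secrets, keep RADIUS traffic on a management network or inside an IPsec/TLS tunnel, and prefer TACACS+ or RADIUS over TLS where command-level authorization or full-payload confidentiality is required.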