Authentication, Authorization, and Accounting – Cisco Network Security

Authentication, Authorization, and Accounting (AAA) is a protocol used to secure access to a Cisco Nexus device. The AAA model answers three questions:

1. Who is on the network (authentication)?

2. What are they allowed to do on the network (authorization)?

3. What have they been doing on the network (accounting)?

Authentication: Identifies users, including the login and password dialog, challenge and response, messaging support, and encryption. Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).

Authorization: Provides access control. Authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.

Accounting: Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting. The accounting feature tracks and maintains a log of every management session used to access the Cisco NX-OS device. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.

AAA allows for a granular approach to securing the devices by setting policies for either a group or individual and by allowing the administrator to use different method lists for different access types. For example, the engineer could create a method list for authentication that states the TACACS+ server at 10.10.10.1 should be used for console access and should fall back to the local database. A different method list can be used for the VTY lines stating that a RADIUS server should be used and fall back to the local database. If the default method list is used, it applies to all device access methods. AAA can be used with both RADIUS and TACACS+ servers to provide secure services. There are some noteworthy differences between the two protocols:

1. TACACS+ uses TCP port 49 for communication, whereas RADIUS uses UDP port 1645/1646 or 1812/1813.

2. TACACS+ encrypts the entire contents of the packet. RADIUS encrypts only the password.

3. TACACS+ is more flexible in the protocols that it can support.

4. TACACS+ is Cisco proprietary. RADIUS is defined in RFC 2138 and is an open standard.

Nexus devices support local and remote AAA. Remote AAA services are provided through RADIUS and TACACS+ protocols. Remote services have the following advantages over local AAA services:

1. It is easier to manage user password lists for each Cisco NX-OS device in the fabric.

2. AAA servers are already deployed widely across enterprises and can be easily used for AAA services.

3. You can centrally manage the accounting log for all Cisco NX-OS devices in the fabric.

4. It is easier to manage user attributes for each Cisco NX-OS device in the fabric than using the local databases on the Cisco NX-OS devices.

You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco NX-OS device encounters errors from the servers in the first group, it tries the servers in the next server group.

Configuring AAA on the command line is fairly simple, but the commands can be quite lengthy depending on the optional parameters used within the command set itself.
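As an added example (not configuration from the original post), here are the method lists described earlier (TACACS+ at 10.10.10.1 for console access with local fallback, RADIUS for remote logins) together with the server-group failover just described, written as NX-OS configuration. The RADIUS address, group names and keys are placeholders, and both groups are assumed to reach their servers through the management VRF; note that NX-OS exposes exactly two login method lists, `console` and `default`, so the "VTY" list from the text maps to `default`.

```cisco
! Constructed example, not from the original post. Addresses other than
! 10.10.10.1, group names and keys are placeholders.
feature tacacs+

! TACACS+ server and its server group (failover order = order of "server" lines).
tacacs-server host 10.10.10.1 key 0 TACACS-KEY-PLACEHOLDER
aaa group server tacacs+ TAC-GRP
  server 10.10.10.1
  use-vrf management
  source-interface mgmt0

! RADIUS server and group; RADIUS uses separate authentication/accounting ports.
radius-server host 10.10.10.2 key 0 RADIUS-KEY-PLACEHOLDER authentication accounting
aaa group server radius RAD-GRP
  server 10.10.10.2
  use-vrf management
  source-interface mgmt0

! Console logins: TACACS+ group first, then the local user database.
aaa authentication login console group TAC-GRP local

! All other logins (SSH/Telnet): RADIUS group, then TACACS+ group, then local.
! A later group is tried only when every server in the earlier group fails to respond.
aaa authentication login default group RAD-GRP TAC-GRP local

! NX-OS falls back to "local" only when the remote servers are unreachable,
! not when a reachable server rejects the credentials.
aaa authentication login error-enable

! Per-command authorization and session accounting via TACACS+.
aaa authorization commands default group TAC-GRP local
aaa authorization config-commands default group TAC-GRP local
aaa accounting default group TAC-GRP
```

Verify the resulting method lists with `show aaa authentication` and `show aaa groups`, and test reachability of a group before relying on it with `test aaa group TAC-GRP <user> <password>`.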
