8.1 Authentication, Authorization, and Accounting (AAA)

Triple A (AAA) provides a modular framework for the three key security functions in any network environment: authentication, authorization, and accounting.

8.1.1 Authentication

Authentication is the process of identifying the user that is attempting to access a networking device, such as an end station or a router. This is usually performed by means of logon credentials provided by the user. Logon credentials consist of two parts: user identification and proof of identity. A user name or email address is usually used for user identification, while a password is usually used as proof of identity.

8.1.1.1 Line Authentication

The most common form of authentication on a router is line authentication, which uses different passwords to authenticate users depending on the line they are using to connect to the router. However, line authentication is limited because all users must use the same password to authenticate. Generally, line authentication is acceptable in environments that have few administrators and few routers. However, when an administrator leaves the group, all passwords on all routers should be changed to ensure continued security.

8.1.1.2 Local Authentication

Local authentication provides increased security and allows for greater accountability and more exacting control on a local router. With local authentication, each user has a separate username and password, which are stored locally in the router configuration; this allows for additional password protection and logging. Because each user must be created on each router, administering local authentication can be a time-consuming task if there are a large number of routers or users.

To use local authentication, you must configure the router to use its local list of users when authenticating. You can do this by using the login local command. Once a user has been authenticated, you can use the show users command to monitor the user's actions.

8.1.1.3 Remote Security Servers

A remote security server, which is also called an authentication server, provides centralized management of usernames and passwords. All usernames and passwords are stored centrally on the remote security server. When a user attempts to authenticate to a router, the router passes the username and password information to the remote security server. The security server then compares the user credentials with its user database to determine whether the user should be permitted access to the router. This greatly reduces the administrative effort required to manage user authentication.

Cisco routers support three types of security servers: RADIUS, TACACS+, and Kerberos.

Remote Authentication Dial-In User Service (RADIUS) was developed by the Internet Engineering Task Force (IETF) and comprises a set of authentication server and client protocols that protect networks against unauthorized access. RADIUS uses a client/server architecture, with the router typically acting as the client and a Windows NT or UNIX server running the RADIUS software acting as the server.

The RADIUS authentication process has three stages. First, the user is prompted for a username and password. Second, the username and encrypted password are sent over the network to the RADIUS server. Third, the RADIUS server replies with an Accept if the user has been successfully authenticated, a Reject if the username and/or password are invalid, a Challenge if the RADIUS server requires additional information, or a Change Password if the user's password needs to be changed.
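The three stages above, carried through at the packet level, as an added example (not code from the text or from any Cisco or RADIUS-server product). It builds an Access-Request with the RFC 2865 framing (Code, Identifier, Length, 16-byte Authenticator, then attributes), hides the User-Password exactly as RFC 2865 section 5.2 specifies, has a toy server answer Accept or Reject, and has the client verify the Response Authenticator so that a forged Accept is not trusted. SHARED_SECRET and USER_DB are constructed sample values, and no network I/O takes place. One caveat the text's word "encrypted" hides: the password protection is an MD5 keystream keyed by the shared secret, which is why RADIUS traffic is normally confined to a protected management network.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange over RFC 2865 framing.

Added teaching example, not Cisco or RADIUS-server code.  SHARED_SECRET and
USER_DB are constructed sample values; no network I/O is performed, the
'client' (router) and 'server' halves just hand each other byte strings.
"""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

SHARED_SECRET = b"example-shared-secret"           # constructed; configured on both router and server
USER_DB = {b"netadmin": b"Correct-Horse-Battery"}  # constructed stand-in for the server's user database


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: the password is padded to a
    multiple of 16 bytes and XORed with MD5(secret + previous block), where the
    first 'previous block' is the Request Authenticator.  This is obfuscation
    keyed by the shared secret, not modern authenticated encryption."""
    pad_len = (-len(password)) % 16
    if not password:
        pad_len = 16
    padded = password + b"\x00" * pad_len
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is removed."""
    if len(hidden) % 16:
        raise ValueError("User-Password length must be a multiple of 16")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    """Walk the Type/Length/Value attribute list, rejecting truncated entries."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """Stage 2 of the text: the router sends the username and the hidden password."""
    request_auth = secrets.token_bytes(16)   # fresh, unpredictable per request
    attrs = encode_attr(ATTR_USER_NAME, username) + encode_attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Stage 3: the server checks the credentials and answers Accept or Reject."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    user = attrs.get(ATTR_USER_NAME)
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and secrets.compare_digest(pw, user_db[user])
    head = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + secret).digest()


def client_check_response(request: bytes, response: bytes, secret: bytes) -> int:
    """The router must verify the Response Authenticator before trusting an Accept."""
    if len(response) < 20 or response[1] != request[1]:
        raise ValueError("response does not match request identifier")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not secrets.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator")
    return response[0]


if __name__ == "__main__":
    req = build_access_request(7, b"netadmin", b"Correct-Horse-Battery", SHARED_SECRET)
    resp = server_handle(req, SHARED_SECRET, USER_DB)
    print("server said:", {ACCESS_ACCEPT: "Accept", ACCESS_REJECT: "Reject"}[
        client_check_response(req, resp, SHARED_SECRET)])
```

A Challenge (code 11) would carry the same framing with a Reply-Message or State attribute instead of the empty attribute list used here; the Response Authenticator check is identical for every response code.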

Terminal Access Controller Access Control System (TACACS+), which is defined in RFC 29765, is a Cisco development of the TACACS protocol. It is specifically designed to interact with Cisco's AAA and is similar to RADIUS. The TACACS+ server handles the full implementation of AAA features: authentication includes messaging support in addition to login and password functions, authorization enables explicit control over user capabilities, and accounting supplies detailed information about user activities.

TACACS+ can be enabled by using the aaa commands. TACACS+ provides individual, modular authentication, authorization, and accounting facilities, and allows a single access control server, the TACACS+ daemon, to supply each of these services separately.

The Kerberos protocol was designed by the Massachusetts Institute of Technology (MIT) and provides strong authentication for client/server applications by using secret key cryptography based on the Data Encryption Standard (DES) cryptographic algorithm. Kerberos maintains a database of its clients and their secret keys. Each secret key is known exclusively to Kerberos and the client it belongs to; for human users, the key is an encrypted form of the password. Network services that require authentication register with Kerberos. Kerberos can generate messages that convince one client that another is really who it claims to be. Kerberos can also issue temporary private keys, known as session keys, exclusively to two clients, which can then use the session key to encrypt messages between them.

Kerberos can be used like RADIUS or TACACS+ to authenticate a user. Once a user is authenticated with Kerberos, an admission ticket is granted. The ticket allows the user to access other resources on the network without resubmitting the password across the network. These tickets have a limited life span; once a ticket expires, it must be renewed before resources can be accessed again.

8.1.2 Authorization

Access to a system or network resource is controlled through authorization, which specifies the level of access that the user has on the system. Authorization is usually applied only after the user has been successfully authenticated by the router. On a Cisco router, authorization is controlled through default modes, privilege levels, and security servers.

8.1.2.1 User Modes

Cisco routers support three default privilege modes: user mode, privileged mode, and command mode. Command mode, however, is an extension of privileged mode.

  • User Mode allows the user to display system information, perform basic tests, and change terminal settings. User Mode also allows telnet, ping, and some other fundamental commands. However, viewing the configuration file, making configuration changes, and using debug commands are not allowed.

  • Privileged Mode, which is also known as Enable mode, provides the user with full access, as every command is available. The enable command is used to reach this mode. In this mode, the user can display system settings and status, enter Configuration mode, and run debug commands.

  • Command Mode, also called Configuration mode, is entered by issuing the configure terminal command in Privileged mode. Configuration mode can be used to configure interfaces, routers, and lines, each of which has its own subcommand mode.

These user modes are useful for controlling authorization, but do not provide the level of granularity that is often required.

8.1.2.2 Privilege Levels

The privilege levels on a Cisco router range from 0 to 15, with privilege level 0 being the most restrictive and privilege level 15 being the least restrictive. Cisco routers have three default privilege levels, depending on the user mode. These are:

  • Privilege Level 0, which provides only the commands that are required for a user to log in: enable, exit, and logout.

  • Privilege Level 1, which is entered when the router enters user mode. It allows the user to display system information, perform basic tests, and change terminal settings. It also allows telnet, ping, and some other fundamental commands.

  • Privilege Level 15, which is the highest privilege level and is entered when the router enters privileged mode. It allows the user full access to all commands.

You can create additional privilege levels that provide access to specific commands. Each privilege level requires a separate password, but a level can also be associated with a user login. When the user is authenticated, that user is placed in the appropriate privilege level and has access to the specified commands. This provides fine granularity over which commands a user is authorized to run, but it must be configured on each router.

You can configure a new privilege level for users and associate commands with that privilege level by using the privilege command. The syntax of this command is:

privilege mode {level level | reset} command-list

In this command, level level specifies the privilege level you are configuring for the commands specified in command-list, and reset restores the commands specified in command-list to their default privilege level and removes the privilege level configuration from the running-config file.

8.1.2.3 Security Servers and Permission Granting

The implementation of remote security servers overcomes the limitations of both user modes and privilege levels while reducing administrative effort. Some security servers can assign a privilege level and can also permit or restrict individual commands based on the username. This centralized authorization scales well for large networks.

8.1.3 Accounting

Accounting is the process of recording various types of actions that have occurred on the routers. This is useful for security-related tasks such as auditing, billing, and error reporting, and can greatly reduce troubleshooting effort. Three methods can be used for accounting: SYSLOG, RADIUS, and TACACS+. The latter two are used by the AAA accounting feature.

8.1.3.1 SYSLOG

Cisco routers provide system message logging, called SYSLOG, which uses UDP port 514 to send messages to various destinations:

  • Console logging, which is the default and outputs messages to the console port of the router.

  • Buffered logging, which outputs messages into memory.

  • Monitor logging, which outputs messages to any session that has enabled monitoring.

  • Trap logging, which outputs messages to a remote server running the SYSLOG service.

The router can be configured to send only those logging messages that meet a specified minimum severity level. These severity levels are listed below.

Severity Level       Description
Emergencies (0)      Indicates that the system is unusable.
Alerts (1)           Indicates a condition requiring immediate action.
Critical (2)         Indicates a critical condition.
Errors (3)           Indicates an error condition.
Warnings (4)         Indicates a warning condition.
Notifications (5)    Indicates a normal but significant condition.
Informational (6)    Indicates an informational message.
Debugging (7)        Indicates a debugging message.

Note: SYSLOG requires network connectivity to deliver a message to the server. If the interfaces that are required to communicate with the SYSLOG server fail, no message will be recorded.
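The severity table and the note above, turned into a small collector-side check, as an added example (not code from the text or from Cisco). It parses trap messages of the kind a router sends to a SYSLOG server, recovers facility and severity from the RFC 3164 PRI field (PRI = facility * 8 + severity), applies the same minimum-severity filter a router applies when it decides whether to send a trap, and looks for gaps in message sequence numbers, which is how a server can notice that messages were lost while the path to it was down. The log lines in SAMPLE_LINES are constructed; the layout assumes the router is using the default local7 facility (23) and has sequence numbering enabled, which on IOS is the service sequence-numbers command.

```python
"""Parse Cisco IOS-style SYSLOG trap messages, apply a severity threshold, and
detect gaps in message sequence numbers.

Added teaching example, not Cisco code.  SAMPLE_LINES are constructed; the
%FACILITY-SEVERITY-MNEMONIC layout and PRI = facility * 8 + severity (RFC 3164)
are the real conventions, and local7 (23) is the IOS default facility.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Severity table from the text: the lower the number, the more severe the event.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Optional leading sequence number ("101: "), present when 'service sequence-numbers' is configured.
SEQ_RE = re.compile(r"^(\d+):\s+")
IOS_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

# Constructed sample trap messages as a SYSLOG server would receive them.
SAMPLE_LINES = [
    "<189>101: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<187>102: *Mar  1 00:13:02.003: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "<188>105: *Mar  1 00:20:11.900: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.99]",
    "<191>106: *Mar  1 00:20:12.100: debug text without an IOS mnemonic",
]


class SyslogEvent(NamedTuple):
    syslog_facility: int       # from PRI; IOS defaults to local7 (23)
    severity: int              # 0..7, from PRI
    sequence: Optional[int]    # IOS sequence number if present
    mnemonic: Optional[str]    # e.g. "SYS-5-CONFIG_I"
    text: str


def parse_event(line: str) -> SyslogEvent:
    """Split one trap message into PRI-derived fields, sequence number, and body."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: " + line[:40])
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    rest = m.group(2)
    seq = None
    sm = SEQ_RE.match(rest)
    if sm:
        seq = int(sm.group(1))
        rest = rest[sm.end():]
    im = IOS_MSG_RE.search(rest)
    if im:
        mnemonic = "%s-%s-%s" % (im["facility"], im["severity"], im["mnemonic"])
        return SyslogEvent(facility, severity, seq, mnemonic, im["text"].strip())
    return SyslogEvent(facility, severity, seq, None, rest.strip())


def filter_by_trap_level(lines: List[str], trap_level: int) -> List[SyslogEvent]:
    """Keep messages at or above the minimum severity, i.e. severity <= trap_level.
    This mirrors the router-side threshold (IOS: logging trap <level>)."""
    return [ev for ev in map(parse_event, lines) if ev.severity <= trap_level]


def find_sequence_gaps(events: List[SyslogEvent]) -> List[Tuple[int, int]]:
    """Return (expected, received) pairs wherever the sequence number jumps,
    which indicates messages that never reached the server."""
    seqs = [ev.sequence for ev in events if ev.sequence is not None]
    return [(prev + 1, cur) for prev, cur in zip(seqs, seqs[1:]) if cur != prev + 1]


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LINES]
    for ev in events:
        print(ev.sequence, SEVERITY_NAMES[ev.severity], ev.mnemonic, ev.text)
    print("kept at trap level 4:", len(filter_by_trap_level(SAMPLE_LINES, 4)))
    print("sequence gaps:", find_sequence_gaps(events))
```

With the sample input, a trap level of 4 (warnings) keeps the LINK-3 and SEC_LOGIN-4 events and drops the notification and debug lines, and the jump from sequence 102 to 105 is reported as a gap, which is the collector-side symptom of the connectivity failure described in the note.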

8.1.3.2 TACACS+ and RADIUS

The accounting functions of the TACACS+ and RADIUS protocols are used by AAA clients to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or to an ODBC database, depending on your configuration. These logs can be imported into popular database and spreadsheet applications for billing, security audits, and report generation.