Authentication, authorization, and accounting (AAA) is a method you can use in your network to control which administrators are allowed to connect to which devices (authentication), what they can do on these devices (authorization), and log what they actually did while they were logged in (accounting).
Here is an explanation of each process included in AAA:
- Authentication – the process by which users prove that they are who they claim to be, typically by having the user enter a valid user name and valid password before access is granted. An example would be of such process is authenticating an administrator’s access to a router console port. You can authenticate the administrator against the local router database or a remote RADIUS or TACACS+ server.
- Authorization – after the user has been authenticated, the authorization is used to determine which resources the user is allowed to access, and which operations he can perform. For example, you can control what the user is allowed to modify or delete.
- Accounting – the process of recording (logging) the actions the user took while accessing the network resources. This can include the amount of data a user has sent and received during a session, the amount of time spent in the network, the services accessed, etc. Accounting is carried out by logging the session statistics and usage information and is used for trend analysis, capacity planning, billing, auditing and cost allocation.
The following options can be used to implement AAA on Cisco devices:
- Cisco Secure ACS Solution Engine – a dedicated server that contains the usernames, passwords, and other information about what users are allowed to access and when.
- Cisco Secure ACS for Windows Server – a software package installed on a Windows system that provide AAA services.
- Cisco Secure ACS in a virtual machine
- Local database – also known as local authentication and authorization, this option uses the local router database for AAA purposes.