CCNAS V1.2 Chapter 03 Authentication, Authorization, and Accounting

A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are connected. These design specifications are identified in the network security policy. The policy specifies how network administrators, corporate users, remote users, business partners, and clients access network resources. The network security policy can also mandate the implementation of an accounting system that tracks who logged in and when and what they did while logged in.

Managing network access using only the user mode or privilege mode password commands is limited and does not scale well. Instead, using the Authentication, Authorization, and Accounting (AAA) protocol provides the necessary framework to enable scalable access security.

Cisco IOS routers can be configured to use AAA to access a local username and password database. Using a local username and password database provides greater security than a simple password and is a cost effective and easily implemented security solution. Cisco IOS routers can also be configured to use AAA to access a Cisco Secure Access Control Server (ACS). Using Cisco ACS is very scalable because all infrastructure devices access a central server. The Cisco Secure ACS solution is also fault tolerant because multiple servers can be configured. The Cisco Secure ACS solution is often implemented by large organizations.

A hands-on lab for the chapter, Securing Administrative Access Using AAA and RADIUS, allows learners to use CLI and CCP to configure and test local authentication with and without AAA. Centralized authentication using AAA and RADIUS is also explored.

A Packet Tracer activity, Configure AAA Authentication on Cisco Routers, provides learners additional practice implementing the technologies introduced in this chapter. Learners configure local authentication with and without AAA. Server-based AAA authentication is configured with TACACS+ and RADIUS.