AAA
Authentication, Authorization & Accounting
AAA is a hardware- or software-based server used for authentication during user access management. Authentication determines who the user is, authorization determines what the user has access to, and accounting keeps track of what they did on the equipment. AAA acts as a centralized system, so a single system can be used to administer user accounts and to understand configuration changes. Cisco generally uses two protocols for communication with the AAA server: TACACS+ and RADIUS.
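The three functions named above map directly onto separate configuration statements on a Cisco IOS device. The following is an added example (not from the original post) showing device administration over TACACS+ and 802.1X over RADIUS, each with authentication, authorization and accounting wired to the same server group, and a local account that is consulted only when every server is unreachable. The server names, addresses (from the 192.0.2.0/24 documentation range), method-list names and `PLACEHOLDER_*` keys are assumptions to be replaced with real values.

```cisco
! Added example: Cisco IOS AAA with TACACS+ for device administration and
! RADIUS for 802.1X. Addresses, names and keys are placeholders.
aaa new-model
!
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.10
 key PLACEHOLDER_TACACS_KEY
!
tacacs server TAC-SECONDARY
 address ipv4 192.0.2.11
 key PLACEHOLDER_TACACS_KEY
!
aaa group server tacacs+ TAC-ADMIN
 server name TAC-PRIMARY
 server name TAC-SECONDARY
!
radius server RAD-PRIMARY
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key PLACEHOLDER_RADIUS_KEY
!
aaa group server radius RAD-DOT1X
 server name RAD-PRIMARY
!
! Authentication: who the user is. TACACS+ is tried first; the local
! database is used only if every server in the group fails to answer.
aaa authentication login ADMIN-LOGIN group TAC-ADMIN local
aaa authentication enable default group TAC-ADMIN enable
aaa authentication dot1x default group RAD-DOT1X
!
! Authorization: what the user may do. Shell access and each privilege-15
! command are checked against the TACACS+ policy before they run.
aaa authorization exec ADMIN-EXEC group TAC-ADMIN local
aaa authorization commands 15 ADMIN-CMDS group TAC-ADMIN local
aaa authorization network default group RAD-DOT1X
!
! Accounting: what was done. Session start/stop and every privilege-15
! command are recorded on the TACACS+ server; 802.1X sessions on RADIUS.
aaa accounting exec ADMIN-ACCT start-stop group TAC-ADMIN
aaa accounting commands 15 ADMIN-ACCT start-stop group TAC-ADMIN
aaa accounting dot1x default start-stop group RAD-DOT1X
!
! Local fallback account, reachable only when the AAA servers are down.
username admin-fallback privilege 15 secret PLACEHOLDER_STRONG_SECRET
!
dot1x system-auth-control
!
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
 authorization commands 15 ADMIN-CMDS
 accounting exec ADMIN-ACCT
 accounting commands 15 ADMIN-ACCT
 transport input ssh
```

Placing `local` after the server group (rather than before it, or alone) is what makes the fallback account unusable while the centralized server is reachable, so an administrator cannot bypass the TACACS+ policy simply by choosing the local credentials. After applying the configuration, `show aaa servers` reports whether each server is UP or DEAD and counts the authentication, authorization and accounting requests it has handled, which is the first thing to check when a login is unexpectedly accepted or rejected.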
An AAA solution can also have the following features:
- It can provide authentication, user or administrator access, and policy control for centralized access control.
- The solution must support an integrated user repository in addition to integration with existing external identity repositories such as Microsoft Active Directory and LDAP servers.
- The solution must support multiple authentication protocols such as PAP, MS-CHAP, EAP-MD5, PEAP and EAP-TLS.
- It must support the use of multiple authentication protocols concurrently.
- AAA must support multiple identity stores such as Microsoft Active Directory, Kerberos, LDAP-compliant directories, Open Database Connectivity (ODBC)-compliant SQL databases, token servers, and internal databases across domains within a single policy.
- It should support passive device profiling methods such as DHCP, SPAN ports, HTTP User-Agent, MAC OUI/Auth or TCP SYN-ACK handshakes, as well as active device profiling methods such as SNMP, subnet scan, SSH and Nmap scan.
- Through AAA we can define different access levels for each administrator, group network devices to enforce and change security policy, and define sets of ACLs that can be applied per user or per group on layer 3 network devices such as routers, firewalls and VPNs.
- AAA supports processing inbound threat-related events (syslog events received from any third-party device, such as a firewall or SIEM) and performing enforcement actions based on the defined enforcement policies and services.
- It provides utilities for interactive policy simulation and a monitor mode for assessing policies before applying them to the production network.
- It supports user as well as device authentication based on 802.1X, non-802.1X and web portal access methods across multi-vendor wired networks, wireless networks and VPNs.
- If it is deployed as hardware, it must be deployed with 1:1 redundancy.
-DR