Mod 3: 3.4 Access Control
Authorization
After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is "User 'student' can access host server XYZ using SSH only."
Cisco provides two common methods of implementing AAA services:
Local AAA Authentication
Server-Based Authentication
Server-Based Authentication
This method authenticates against a central AAA server that contains the usernames and passwords for all users, as shown in the figure. Server-based AAA authentication is appropriate for medium-to-large networks.
Authentication
Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. AAA authentication provides a centralized way to control access to the network.
Devices communicate with the Centralized AAA
Using Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+)
Resource Accounting
Provides "start" and "stop" record support for connections that have passed user authentication. Generating "stop" records for connections that fail to authenticate as part of user authentication is also supported. Such records are necessary for users who rely on accounting records to manage and monitor their networks.
Connection Accounting
Captures information about all outbound connections that are made from the AAA client, such as by SSH.
System Accounting
Captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).
Command Accounting
Captures information about the EXEC shell commands for a specified privilege level, as well as the date and time each command was executed and the user who executed it.
EXEC Accounting
Captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.
Network Accounting
Captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts.
Lightweight
Used for user authentication and group membership, while maintaining its own authorization and accounting database.
Centralized AAA
Is more scalable and manageable than Local AAA authentication. It may independently maintain databases for authentication, authorization, and accounting.
Accounting
Records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is "User 'student' accessed host server XYZ using SSH for 15 minutes."
Local AAA Authentication
This method is sometimes known as self-contained authentication because it authenticates users against locally stored usernames and passwords, as shown in the figure. Local AAA is ideal for small networks.