AAA stands for Authentication (Who you are), Authorization (What you are allowed to do) and Accounting (What you did).
Setting up AAA involves creating one or more centralised authentication servers, for example AD or FreeRADIUS servers. All of the user accounts are created on those servers, so the user database is stored in one central place.
You then configure the routers that people use to get access to the network to use either RADIUS or TACACS+, so that they ask the server whether the credentials the user has entered match what is stored on the server. If they match, the user is authenticated to that device. RADIUS and TACACS+ are the protocols used for the communication between the Cisco networking device and the authentication server.
This is especially beneficial in large networks, because when a user password is changed or a new user is added it doesn't have to be changed on every router; it only has to be changed on the authentication server.
It's also good to still keep a local user database on the routers, which can be referred to if the link to the server goes down. That is part of what AAA gives you: you can specify multiple authentication methods, so the local database is used when the server cannot be reached.
It's very common to use AAA for authentication; authorisation and accounting are used less often, mostly in larger organisations.
TACACS+
- Cisco Proprietary
- Command-by-command Authorisation (So you can run some commands but not others)
- Fully encrypted packets
- Used mainly on network devices
RADIUS
- Predates TACACS+
- Industry Standard Protocol
- Only the password is encrypted, not the rest of the packet.
- Usually used for User Authentication
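The last RADIUS bullet is worth seeing on the wire. Here is an added example, not from the original notes, of the RFC 2865 Access-Request in Python: the router (NAS) hides only the User-Password attribute, using MD5 over the shared secret and a per-request Request Authenticator, while User-Name and the NAS address travel in cleartext, and the server recovers the password to answer Access-Accept or Access-Reject. The shared secret, user database, username and addresses are constructed values.

```python
import hashlib
import hmac

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator        # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of the same algorithm; only correct with the right shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value   # Type | Length | Value

def build_access_request(ident, username, password, secret, nas_ip, authenticator):
    """NAS (router) side. authenticator is 16 fresh random bytes per request
    (os.urandom(16) in practice); User-Name and NAS-IP-Address go on the wire in clear."""
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = bytes([CODE_ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + authenticator + attrs

def parse_attrs(pkt):
    attrs, i = {}, 20                    # attributes start after the 20-byte header
    while i < len(pkt):
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return attrs

def server_decision(pkt, secret, user_db):
    """Server side: recover the password with the shared secret and the packet's authenticator."""
    authenticator, attrs = pkt[4:20], parse_attrs(pkt)
    recovered = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    expected = user_db.get(attrs[ATTR_USER_NAME], b"")   # constructed in-memory user database
    return CODE_ACCESS_ACCEPT if hmac.compare_digest(expected, recovered) else CODE_ACCESS_REJECT
```

Anyone capturing the UDP packet sees the username and NAS address directly; recovering the password needs the shared secret, which is why that secret and the strength of the server link matter so much with RADIUS.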