Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.
A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker. This is something you DON'T want to see on your network, and it is hard to detect: the rogue device (a small wireless router) is doing NAT, so on the switch you will only see one MAC address and one IP address behind that port. Port security can't prevent this, because as far as the switch can tell only a single host is connected. One way of dealing with issues like this is to use AAA.
AAA stands for Authentication, Authorization and Accounting:
Authentication: identifies users by login and password, using a challenge and response methodology, before the user even gains access to the network. Depending on your security options, it can also support encryption.
Authorization: after initial authentication, authorization looks at what that authenticated user is allowed to do. RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs that are specific to the individual user's rights. In Cisco IOS, you define AAA authorization with a named list or authorization method.
Accounting: the last "A" is for accounting. It provides a way of collecting security information that you can use for billing, auditing, and reporting. You can use accounting to see what users do once they are authenticated and authorized. For example, with accounting you can get a log of when users logged in and when they logged out.
The idea behind AAA is that a user has to authenticate before getting access to the network. The fa0/1 interface on SwitchA will be blocked and you won't even get an IP address. The only thing the user is allowed to do is send his or her credentials, which are forwarded to the AAA server. If the credentials are OK, the port is unblocked and the user is granted access to the network.
802.1X is the mechanism that blocks or unblocks the interface; this is called port-based control. In the picture above an unknown user plugged a cable into the switch. All traffic is dropped with the exception of EAPoL (Extensible Authentication Protocol over LAN). EAP is what we use to exchange authentication information. Once the user has authenticated and everything is OK, she is granted access to the network.
In the picture above you see the terminology that 802.1X uses. The user device is called the supplicant; it "supplies" authentication information. The switch is called the authenticator because it accepts the authentication information and passes it along to the authentication server. User information is stored on the authentication server.
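To make the three roles and the three A's concrete, here is an added example (not code from the original lesson) that models a switch port as the authenticator in front of a toy AAA server. It assumes a constructed user "alice" with password "s3cret", a constructed supplicant MAC address, and a simplified exchange in which identity and password travel in a single EAPoL frame instead of a real EAP method; the port name fa0/1 is taken from the lesson. The port drops every non-EAPoL frame until the server returns an accept, applies the server's AV pairs, and writes accounting records on failure, start and stop.

```python
# Added example (not from the original lesson): a toy model of 802.1X port-based
# control on a switch port in front of an AAA server that authenticates,
# authorizes and accounts. The user store, credentials, MAC address and the
# single-frame "identity + password" exchange are constructed stand-ins for a
# real EAP method and a real RADIUS/TACACS+ server.
import hashlib
import hmac
import time
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E   # EtherType of EAP over LAN (IEEE 802.1X)
IPV4_ETHERTYPE = 0x0800    # ordinary IP traffic


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: dict


class AAAServer:
    """Stand-in for the authentication server (RADIUS/TACACS+ role)."""

    def __init__(self):
        # Constructed user store: password digest plus authorization AV pairs.
        self._users = {
            "alice": (self._digest("s3cret"), {"vlan": 10, "privilege": "user"}),
        }
        self.accounting = []  # accounting records (auth-fail/start/stop events)

    @staticmethod
    def _digest(password):
        # Toy credential check; a real server uses a proper password hash or EAP method.
        return hashlib.sha256(password.encode()).hexdigest()

    def authenticate(self, user, password):
        """Authentication: is this really the user it claims to be?"""
        record = self._users.get(user)
        if record is None:
            return False
        return hmac.compare_digest(record[0], self._digest(password))

    def authorize(self, user):
        """Authorization: which AV pairs apply to this authenticated user?"""
        return dict(self._users[user][1])

    def account(self, event, user, port, mac):
        """Accounting: record who did what, where and when."""
        self.accounting.append(
            {"event": event, "user": user, "port": port, "mac": mac, "ts": time.time()}
        )


class Authenticator:
    """Switch port (the authenticator): drops everything except EAPoL until the
    AAA server accepts the supplicant's credentials."""

    def __init__(self, server, port="fa0/1"):
        self.server = server
        self.port = port
        self.authorized_mac = None   # port is blocked while this is None
        self.user = None
        self.attributes = {}         # AV pairs applied to the port after an accept

    def receive(self, frame):
        """Return the port's decision for a frame arriving from the cable."""
        if self.authorized_mac is not None and frame.src_mac == self.authorized_mac:
            return "forwarded"
        if frame.ethertype != EAPOL_ETHERTYPE:
            return "dropped"         # port-based control: no EAPoL, no access
        return self._handle_eapol(frame)

    def _handle_eapol(self, frame):
        user = frame.payload.get("identity")
        password = frame.payload.get("password", "")
        if not self.server.authenticate(user, password):
            self.server.account("auth-fail", user, self.port, frame.src_mac)
            return "access-reject"   # port stays blocked
        self.attributes = self.server.authorize(user)
        self.authorized_mac = frame.src_mac
        self.user = user
        self.server.account("start", user, self.port, frame.src_mac)
        return "access-accept"       # port is now unblocked for this supplicant

    def logoff(self):
        """Supplicant logs off: close the accounting session and block the port again."""
        self.server.account("stop", self.user, self.port, self.authorized_mac)
        self.authorized_mac, self.user, self.attributes = None, None, {}


def demo():
    """Walk a constructed supplicant through the flow and return what happened."""
    server = AAAServer()
    port = Authenticator(server)
    mac = "00:11:22:33:44:55"        # constructed supplicant MAC
    decisions = []
    # IP traffic before authentication is dropped: the host can't even get an address.
    decisions.append(port.receive(Frame(mac, IPV4_ETHERTYPE, {"dst": "10.0.0.1"})))
    # Wrong password: reject, port stays blocked.
    decisions.append(port.receive(Frame(mac, EAPOL_ETHERTYPE, {"identity": "alice", "password": "wrong"})))
    decisions.append(port.receive(Frame(mac, IPV4_ETHERTYPE, {})))
    # Correct credentials: accept, AV pairs applied, traffic flows.
    decisions.append(port.receive(Frame(mac, EAPOL_ETHERTYPE, {"identity": "alice", "password": "s3cret"})))
    decisions.append(port.receive(Frame(mac, IPV4_ETHERTYPE, {})))
    # A second, unauthenticated MAC behind the same port is still blocked.
    decisions.append(port.receive(Frame("66:77:88:99:aa:bb", IPV4_ETHERTYPE, {})))
    vlan = port.attributes["vlan"]
    port.logoff()
    return decisions, vlan, [r["event"] for r in server.accounting]


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the sequence the lesson describes: "dropped" before authentication, "access-reject" followed by "dropped" after a bad password, "access-accept" followed by "forwarded" after a good one, with the server's accounting list holding the auth-fail, start and stop records that a log of logins and logouts is built from.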
There are two types of authentication servers:
· RADIUS
· TACACS+
The most common authentication server is RADIUS (Remote Authentication Dial In User Service). It's a protocol that has been standardized by the IETF. TACACS+ (Terminal Access Controller Access-Control System Plus) does a similar job, but it's Cisco proprietary.
There are many different RADIUS servers you can use, for example:
· Cisco ACS (Cisco's RADIUS and TACACS+ server software)
· Microsoft IAS (you can install it on Windows Server 2003 or 2008)
· FreeRADIUS (very powerful and free)
· Integrated in network devices (Cisco's Wireless LAN Controllers have RADIUS server software, for example)
You now have an idea of what the components are in an AAA 802.1X authentication setup. In the next lesson I will give you a configuration example of how to implement this on a Cisco Catalyst switch.