User's Manual

Chapter 8 AAA Configuration
8.1 AAA Overview
Access control determines which users may access the SWITCH or NAS and limits the types of service they may use.
Authentication, authorization, and accounting (AAA) network security services provide the primary framework
through which you set up access control on your SWITCH or access server.
8.1.1 AAA Security Service
AAA is an architectural framework for configuring a set of three independent security functions in a consistent
manner. AAA provides a modular way of performing the following services:
Authentication: a method of identifying users, including username/password inquiry and
encryption according to the chosen security protocol.
Authentication establishes the user's identity before the user accesses the network and uses
network services. AAA authentication is configured by defining an authentication method list
and then applying that list on interfaces. The method list defines the authentication types
and their execution order; any defined authentication method list must be applied on a
specific interface before it takes effect. The only exception is the default authentication
method list (named default): if no other authentication method list exists, the default list is
applied on all interfaces automatically, and if another list is defined and applied, it replaces
the default one. For how to configure authentication, see “Authentication Configuration”.
Authorization: a remote access control method that limits a user's permissions.
AAA authorization works through a set of attributes that describe what a user is permitted to
do. First, these attributes are compared with the information held about that user in the
database; then the result of the comparison is returned to AAA to determine the user's actual
permissions. The database may be on the local access server or SWITCH, or on a remote
RADIUS/TACACS+ server. A RADIUS or TACACS+ server authorizes a user through user-related
attribute-value (AV) pairs; the AV pairs define the permissions the user is allowed. All
authorization methods are defined through AAA. As with authentication, an authorization
method list is first defined and then applied on the various interfaces. For how to configure
authorization, see “Authorization Configuration”.
Accounting: a method of collecting information about users and sending it to the security
server. The collected information, such as the user ID, start/end time, executed commands, and
the number of packets or bytes, can be used for billing, auditing and report generation.
The accounting function tracks the services that users access and, at the same time, the
amount of network resources those services consume. When AAA accounting is enabled, the
access server reports user activity to the TACACS+ or RADIUS server in the form of accounting
records. Each accounting record consists of AV pairs and is stored on the security server. The
data can be used for network management, client billing analysis or auditing. As with
authentication and authorization, an accounting method list must first be defined and then
applied on the different interfaces. For how to configure accounting, see
“Accounting Configuration”.
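The three services above share one mechanism: a method list is defined with an ordered set of methods, a named list takes effect on an interface only once it is applied there, and the list named default applies automatically wherever nothing else is applied. The following Python model is an added example, not code from this manual or from the SWITCH software, that makes those rules and the server-returned AV pairs concrete. The method names, interface names, user database and the unreachable RADIUS stand-in are constructed for the example, and the rule that a method that cannot answer (an unreachable server) falls through to the next method while an explicit reject does not is an assumption of this example, not a statement from the manual.

```python
"""Model of AAA method lists: named lists, the automatic default list,
execution order, and AV-pair based authorization. Added example; the
method names, interfaces and user database below are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

# Outcome of one method: "accept" or "reject" is a decision, "error" means the
# method could not answer (e.g. server unreachable). Assumption of this
# example: only "error" falls through to the next method in the list.
Result = Tuple[str, Dict[str, str]]          # (outcome, AV pairs from the server)
Method = Callable[[str, str], Result]


class AAAService:
    def __init__(self) -> None:
        self.method_lists: Dict[str, List[str]] = {}   # list name -> ordered methods
        self.bindings: Dict[str, str] = {}             # interface -> applied list name

    def define_list(self, name: str, methods: List[str]) -> None:
        """Define a method list; the order given is the execution order."""
        self.method_lists[name] = list(methods)

    def apply_list(self, interface: str, name: str) -> None:
        """A named list takes effect on an interface only once applied there."""
        if name not in self.method_lists:
            raise KeyError(f"method list {name!r} is not defined")
        self.bindings[interface] = name

    def resolve(self, interface: str) -> Optional[List[str]]:
        """Methods in effect on an interface: an applied list replaces the
        default; otherwise the list named "default" applies automatically;
        with neither, no method list is in effect."""
        name = self.bindings.get(interface, "default")
        return self.method_lists.get(name)

    def authenticate(self, interface: str, user: str, password: str,
                     backends: Dict[str, Method]) -> Result:
        methods = self.resolve(interface)
        if methods is None:
            return ("error", {})             # nothing applied and no default list
        for method in methods:               # execution order of the list
            outcome, av_pairs = backends[method](user, password)
            if outcome != "error":
                return (outcome, av_pairs)   # first method that answers decides
        return ("error", {})                 # no method could answer


def authorized(av_pairs: Dict[str, str], attribute: str, value: str) -> bool:
    """The AV pairs returned for a user define the permissions allowed."""
    return av_pairs.get(attribute) == value


# Constructed sample backends (not a real local database or RADIUS client).
LOCAL_USERS = {"admin": ("s3cret", {"priv-lvl": "15", "service": "shell"}),
               "guest": ("guest", {"priv-lvl": "1", "service": "shell"})}


def local_method(user: str, password: str) -> Result:
    entry = LOCAL_USERS.get(user)
    if entry and entry[0] == password:
        return ("accept", dict(entry[1]))
    return ("reject", {})


def unreachable_radius(user: str, password: str) -> Result:
    """Stands in for a RADIUS server that does not respond."""
    return ("error", {})


BACKENDS: Dict[str, Method] = {"radius": unreachable_radius, "local": local_method}


def build_demo() -> AAAService:
    aaa = AAAService()
    aaa.define_list("default", ["local"])                    # in effect wherever nothing is applied
    aaa.define_list("CONSOLE-STRICT", ["radius", "local"])   # RADIUS first, local as fallback
    aaa.apply_list("console", "CONSOLE-STRICT")              # replaces default on this interface only
    return aaa


if __name__ == "__main__":
    aaa = build_demo()
    print(aaa.resolve("console"))                            # ['radius', 'local']
    print(aaa.resolve("vty0"))                               # ['local'] via the default list
    outcome, av = aaa.authenticate("console", "admin", "s3cret", BACKENDS)
    print(outcome, authorized(av, "priv-lvl", "15"))         # accept True
```

The interface vty0 never had a list applied, so it silently inherits the default list; the console has CONSOLE-STRICT applied and therefore tries RADIUS first and only falls back to the local database because the RADIUS stand-in reports an error rather than a reject. When reviewing a real configuration, checking which interfaces rely on the implicit default list is the step this model is meant to make visible.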
8.1.2 Benefits of Using AAA
AAA provides the following benefits:
Increased flexibility and control of access configuration
Scalability