In This Chapter
Authentication, Authorization, and Accounting
This chapter describes authentication, authorization, and accounting (AAA) used to monitor
and control network access on routers. Network security is based on a multi-step process. The
first step, authentication, validates a user's name and password. The second step is
authorization, which allows the user to access and execute commands at various command
levels based on profiles assigned to the user.
Another step, accounting, keeps track of the activity of a user who has accessed the network.
The type of accounting information recorded can include a history of the commands executed,
the amount of time spent in the session, the services accessed, and the data transfer size during
the session. The accounting data can then be used to analyze trends, and also for billing and
auditing purposes.
You can configure routers to use local, Remote Authentication Dial In User Service
(RADIUS), or Terminal Access Controller Access Control System Plus (TACACS+) security
to validate users who attempt to access the router by console, Telnet, or FTP. You can select
the authentication order, which determines the authentication method to try first, second, and
third.
The router supports the following security features:
• RADIUS can be used for authentication, authorization, and accounting.
• TACACS+ can be used for authentication, authorization, and accounting.
• Local security can be implemented for authentication and authorization.
Figure 1 depicts end user access-requests sent to a RADIUS server. After validating the user
names and passwords, the RADIUS server returns an access-accept message to the users on
ALA-1 and ALA-2. The user name and password from ALA-3 could not be authenticated,
thus access was denied.
Figure 1: RADIUS Requests and Responses
[Figure: ALA-1, ALA-2 and ALA-3 each send an Access Request across the network to the RADIUS server (Authentication); the server returns Access Accepted to ALA-1 and ALA-2 only.]
7450 ESS System Management Guide   Page 20
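The Access-Request/Access-Accept exchange of Figure 1, as an added example that is not part of the guide: the client side builds an RFC 2865 Access-Request carrying User-Name and a User-Password hidden with the shared secret, and a minimal server side validates the packet and answers Access-Accept for ALA-1 and ALA-2 and Access-Reject for ALA-3. The shared secret, user names and passwords are constructed sample values, and the server is a stand-in for the RADIUS server in the figure, not any real implementation.

```python
import hashlib, hmac, os, struct

# Constructed sample data (not from the guide): the shared secret and the user table the
# RADIUS server consults. The ALA-3 credentials are wrong on purpose, as in Figure 1.
SHARED_SECRET = b"example-secret"
USER_DB = {"ala1-admin": b"pw-one", "ala2-admin": b"pw-two"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _password_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    # RFC 2865 5.2: block 0 is XORed with MD5(secret + Request Authenticator), block n with
    # MD5(secret + hidden block n-1); when decrypting, the hidden block is the input block
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out
def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)
def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _password_xor(hidden, secret, authenticator, True).rstrip(b"\x00")  # strip NUL padding

def build_access_request(username: str, password: str, ident: int = 1) -> bytes:
    # Access-Request: Code(1), Identifier, Length, 16 random bytes of Request Authenticator, then TLVs
    authenticator = os.urandom(16)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, authenticator))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def radius_server_respond(packet: bytes) -> int:
    # Validate the request and return the response Code: Access-Accept (2) or Access-Reject (3)
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet): return ACCESS_REJECT
    attrs, i = {}, 20
    while i + 2 <= length:  # walk the attribute list; a malformed length is a reject, not a guess
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length: return ACCESS_REJECT
        attrs[atype], i = packet[i + 2:i + alen], i + alen
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    if not 16 <= len(hidden) <= 128 or len(hidden) % 16: return ACCESS_REJECT  # 1..8 blocks
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = reveal_password(hidden, SHARED_SECRET, packet[4:20])  # bytes 4..19 = authenticator
    return ACCESS_ACCEPT if user in USER_DB and hmac.compare_digest(given, USER_DB[user]) else ACCESS_REJECT

def figure1_exchange() -> dict:
    # Replays Figure 1: ALA-1 and ALA-2 present valid credentials, ALA-3 does not
    attempts = {"ALA-1": ("ala1-admin", "pw-one"), "ALA-2": ("ala2-admin", "pw-two"), "ALA-3": ("ala3-admin", "wrong")}
    return {node: radius_server_respond(build_access_request(u, p, i))
            for i, (node, (u, p)) in enumerate(attempts.items(), 1)}
```

The server rejects truncated packets, malformed attribute lengths and User-Password values outside 16..128 bytes before touching the user table, which is the check a real server must make before the credential comparison.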