D-Link DI-1750 Reference Manual page 336


2. Benefits of Using AAA
AAA provides the following benefits:
♦ Increased flexibility and control
♦ Easy to update
♦ Standardized authentication methods, such as RADIUS and TACACS+
♦ Multiple backup systems
3. Basic Theories Of AAA
AAA is designed to dynamically configure the type of authentication and authorization for each
line (user) or service (e.g. IP, IPX or VPDN). You define the authentication and authorization types
by creating method lists and then applying these lists to a specific service or port.
4. List Of Methods
The list of authentication methods defines the multiple methods used to authenticate a user. The
administrator can configure one or more protocols used for authentication in the method list, which
ensures that a backup authentication method is available in case the former method fails. The first
listed method is tried first; if it returns no response, the second method on the list is selected.
This process continues until a listed method successfully carries out an authentication or the
authentication method list is exhausted, in which case the authentication fails.
Note:
Later methods are attempted only when the earlier ones do not work. If any part of this
authentication process fails (in other words, the response from the security server or the local user name database is to deny
the user access), the authentication process ends and no further attempt is made.
Figure 8-1 shows a typical AAA network configuration that includes four security servers: R1 and R2 are
RADIUS servers, and T1 and T2 are TACACS+ servers.
Suppose the system administrator has determined that, in the security scheme, all ports authenticate
PPP-based connections with the same authentication method: first, R1 is contacted for the relevant
authentication information; if R1 doesn't respond, R2 is contacted; if R2 doesn't respond, then
T1, then T2. If none of the designated servers responds, authentication falls back to the local user
name database of the access server itself. When a remote user attempts to access the network
by dial-up, the network access server requests the relevant authentication information from R1. If the
user is authenticated as legitimate, R1 sends a PASS reply to the network access server, allowing the
user to access the server; if R1 answers with a FAIL message, the user is turned down and the session
is terminated. If there is no response from R1, the network access server treats it as an ERROR and
looks for the authentication information on R2. This pattern continues through the remaining methods
until the user is accepted or rejected, or the session is terminated.
Figure 8-1 A typical AAA network configuration
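The method-list behaviour described above, as an added example that is not part of the manual and is not the router's own code: a small Python model of the R1, R2, T1, T2, local order showing that only an ERROR (no response) moves on to the next method, while PASS or FAIL is final. The `server`, `authenticate` and `build_list` helpers and the sample accounts are hypothetical and constructed for illustration.

```python
import hmac
from enum import Enum


class Reply(Enum):
    PASS = "PASS"    # method answered: user accepted
    FAIL = "FAIL"    # method answered: user rejected
    ERROR = "ERROR"  # method gave no response


def server(name, users, reachable=True):
    """Hypothetical method: a (name, check) pair for one server or the local database."""
    def check(user, password):
        if not reachable:
            return Reply.ERROR  # models a timeout, not a rejection
        ok = user in users and hmac.compare_digest(users[user], password)
        return Reply.PASS if ok else Reply.FAIL
    return name, check


def authenticate(method_list, user, password):
    """Walk the method list in order; return (final reply, names of methods tried)."""
    tried = []
    for name, check in method_list:
        tried.append(name)
        reply = check(user, password)
        if reply is not Reply.ERROR:  # PASS or FAIL ends the process
            return reply, tried
    return Reply.FAIL, tried          # list exhausted: authentication fails


def build_list(r1_up=True, r2_up=True, t1_up=True, t2_up=True):
    """The order from the text: R1, R2, T1, T2, then the local user name database."""
    central = {"alice": "s3cret"}                       # constructed sample account
    local = {"alice": "s3cret", "admin": "local-only"}  # constructed sample accounts
    return [
        server("R1", central, r1_up), server("R2", central, r2_up),
        server("T1", central, t1_up), server("T2", central, t2_up),
        server("local", local),
    ]


if __name__ == "__main__":
    print(authenticate(build_list(), "alice", "s3cret"))          # R1 answers PASS
    print(authenticate(build_list(), "admin", "local-only"))      # R1 answers FAIL: local is never asked
    print(authenticate(build_list(r1_up=False), "alice", "s3cret"))  # R1 silent, R2 answers
    print(authenticate(build_list(False, False, False, False), "admin", "local-only"))
```

The last case shows why accounts in the local database deserve the same care as those on the servers: they decide the outcome whenever no server responds.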


This manual is also suitable for:

Di-2621, Di-2630, Di-3660
