
AAA Overview

Authentication
AAA authentication verifies users before they are allowed access to the network and network services.
Login methods of Local Passwords, Kerberos, or RADIUS
Case-sensitive and complex passwords
Login input timeout
Privileged-level access must support login methods of Local Passwords, Kerberos, or RADIUS, requiring a username and password
Changing the text displayed at the password prompt
Allow for a different login and failed-login message banner
Configuring AAA Packet of Disconnect (Desirable)
Enabling double authentication (Desirable)
Enabling automated double authentication (Desirable)

Authorization
Must be able to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails
If the security server or local username database responds by denying the user services, the authorization process must stop
You must be able to define the authorization method on a per-user basis, for EXEC mode commands associated with a specific privilege level, user terminal sessions, network connections, reverse Telnet sessions, downloading configurations from the AAA server, and IP Mobile
The method of authorization must be applicable to individual lines or interfaces (Desirable)
The methods of authorization must support RADIUS, the local database, and none (Desirable)

Accounting
Network, Connection, EXEC, System, Command, and Resource Accounting (no authorization after authentication)
AAA broadcast accounting (desirable) - allows accounting information to be sent to multiple AAA servers at the same time
AAA session MIB feature (desirable) - allows customers to monitor and terminate their authenticated client connections using Simple Network Management Protocol (SNMP)

AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions.

The recommended method of administering AAA is on a centralized AAA server with local passwords as a fallback method. Local
fallback provides a method of authentication in case communication with the AAA server is not possible. The key benefits of using a
centralized AAA server include:

Manageability
Usernames and passwords are stored in a separate, central location which may be independently managed and leveraged
across multiple devices.

Scalability
The AAA server(s) may be independently scaled according to the size of the user database and the number of transactions per
second.

Security
Company-wide usernames and passwords may be stored off the router in a secure, encrypted file system or database. In
contrast, locally stored passwords on Cisco IOS devices, even if encrypted, are still reversible.

Accountability
Access attempts and authorized sessions may be independently logged on the AAA server.

If a centralized AAA server is not currently required or deployed, it is still recommended to implement authentication using an AAA
configuration, even though a local user password database will be used. This enables the implementation of per-user local
passwords, rather than all users sharing the same login secret or password. This approach offers greater security, visibility and
control, along with easier migration to a possible future deployment leveraging a centralized AAA server.

An AAA server group is a list of AAA server hosts of a particular type, e.g. RADIUS or TACACS+, which are used to perform AAA.
The particular AAA server group to be used for each AAA service is defined by the AAA method list, as discussed below.
The AAA server-group feature provides greater flexibility and control over which AAA servers are used for which
purposes, as well as offering redundancy across the defined servers.
For example, different AAA servers may be used for different AAA services to separate and prioritize device
access management from end-user access management through two independently maintained and scaled data stores:
infrastructure device access may be authenticated by a set of TACACS+ servers, whereas end-user
network access may be authenticated by a set of RADIUS servers.
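As an added example (not part of the original document), the following Cisco IOS configuration sketch puts the design above into practice: a TACACS+ server group for device administration, a separate RADIUS server group for end-user network access, and per-user local accounts as the fallback method. Server names, addresses (RFC 5737 documentation range), keys and the username are constructed placeholders.

```cisco
aaa new-model
!
! Device-administration servers: TACACS+ group (constructed names/addresses)
tacacs server ADMIN-TAC1
 address ipv4 192.0.2.10
 key EXAMPLE-TACACS-KEY
aaa group server tacacs+ DEVICE-ADMIN
 server name ADMIN-TAC1
!
! End-user network access servers: independent RADIUS group
radius server USER-RAD1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key EXAMPLE-RADIUS-KEY
aaa group server radius END-USER
 server name USER-RAD1
!
! Per-user local account for fallback; 'secret' stores a hash,
! unlike 'password', whose type 7 encryption is reversible
username netadmin privilege 15 secret EXAMPLE-PASSWORD
!
! Method lists: methods are tried in order. 'local' is consulted only
! when the TACACS+ group is unreachable; an explicit deny from the
! server ends the process, so a rejected user is not retried locally.
aaa authentication login ADMIN-LOGIN group DEVICE-ADMIN local
aaa authentication enable default group DEVICE-ADMIN enable
aaa authorization exec ADMIN-EXEC group DEVICE-ADMIN local
aaa authorization commands 15 ADMIN-CMDS group DEVICE-ADMIN local
aaa accounting exec ADMIN-ACCT start-stop group DEVICE-ADMIN
aaa accounting commands 15 ADMIN-ACCT start-stop group DEVICE-ADMIN
!
! End-user services use the RADIUS group; no local fallback here
aaa authentication dot1x default group END-USER
aaa authorization network default group END-USER
aaa accounting network default start-stop group END-USER
!
! Custom password prompt and failed-login banner ('^' is the delimiter)
aaa authentication password-prompt "Device Password: "
aaa authentication fail-message ^Authentication failed. This attempt has been logged.^
!
! Bind the named lists to the management lines
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
 authorization commands 15 ADMIN-CMDS
 accounting exec ADMIN-ACCT
 accounting commands 15 ADMIN-ACCT
 transport input ssh
```

Verify the fallback before relying on it: with the TACACS+ servers unreachable, `debug aaa authentication` on a test login should show the `local` method being tried, whereas a server-side reject should end the attempt without consulting the local database.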

Authentication Methods
The security appliance supports the following authentication methods with RADIUS:

PAP

CHAP

MS-CHAPv1

MS-CHAPv2 (including password aging), for IPSec users only

Attribute Support
The security appliance supports the following sets of RADIUS attributes:

Authentication attributes defined in RFC 2138.

Accounting attributes defined in RFC 2139.

RADIUS attributes for tunneled protocol support, defined in RFC 2868.

A RADIUS server is ideal for carriers that need a flexible, scalable, and customizable AAA (Authentication, Authorization,
and Accounting) infrastructure, and for system integrators and OEMs that want to incorporate RADIUS software into their
product platforms.
For customizing the solution, an optional RADIUS server Software Developer's Kit (SDK) allows the addition of custom
plug-ins for a wide variety of purposes. Plug-ins can be used to influence the authentication and authorization
decision-making process, modify incoming or outgoing packets, or call external AAA services.
Networks also offers a developer's release of the Diameter server, the next-generation protocol specifically designed to
meet the IETF and TIA requirements for CDMA2000, 3GPP2, Mobile IPv4 and IPv6 Authentication, Authorization,
and Accounting (AAA).
The server should provide an excellent platform for third-generation (3G) cellular and Mobile IP data services AAA solutions.
