Chapter 3. Basic Access Control

This chapter addresses what most people think about when they start to secure a router—authenticating users and restricting access. There are many more ways to access Cisco routers than most network administrators realize. Each of these methods can have different authentication methods and can be set to allow various levels of privilege access. It is important that all methods of access are either secured or disabled. The chapter briefly discusses the differences between authentication and authorization and then moves on to the fundamentals of how Cisco routers handle controlling and protecting access.

Authentication Versus Authorization

Access control involves both authentication and authorization. People often confuse the two. Authentication is the process of identifying a user; authorization restricts what a user is allowed to do. Cisco router authentication controls can be divided into two main categories—those that use the AAA (authentication, authorization, accounting) access methods and those that don’t. The non-AAA methods include line authentication (console, auxiliary, and VTY ports), local username authentication, and Terminal Access Controller Access Control System (TACACS) or extended TACACS authentication. The AAA authentication methods add TACACS+, RADIUS, and Kerberos. AAA provides much greater control over authentication, authorization, and accounting than do non-AAA methods. While Cisco calls ...
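To make the AAA versus non-AAA distinction concrete, here is an added example (not configuration from the book) that places a line-password-only VTY setup beside an AAA setup using TACACS+ with local-username fallback; the server address 192.0.2.10 and the shared key are placeholders you would replace with your own values.

```cisco
! Added example, not from the book: non-AAA line authentication
! contrasted with AAA (TACACS+ first, local database as fallback).
! 192.0.2.10 and the keys/passwords below are placeholders.

! --- Non-AAA: line authentication only (weak) ---
! One shared password per line, no per-user identity, no accounting.
line vty 0 4
 password cisco
 login

! --- AAA: TACACS+ with local fallback (preferred) ---
aaa new-model
! Local account is used only when the TACACS+ server is unreachable
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
enable secret ENABLE-PASSWORD-PLACEHOLDER
service password-encryption
tacacs-server host 192.0.2.10 key SHARED-KEY-PLACEHOLDER
! Authentication: identify the user (TACACS+, then local database)
aaa authentication login default group tacacs+ local
! Authorization: decide what privilege level the user may enter
aaa authorization exec default group tacacs+ local
! Accounting: record who logged in and when
aaa accounting exec default start-stop group tacacs+
! Apply the AAA method list to every access path
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
! Auxiliary port: disable it outright when no modem is attached
line aux 0
 no exec
 transport input none
```

With `aaa new-model` enabled, the per-line `password`/`login` pair is no longer used for VTY logins, so the old shared password should be removed rather than left as a forgotten second path.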
