Chapter 5. AAA Access Control

AAA stands for authentication, authorization, accounting. This chapter will cover the authentication and authorization aspects of AAA, leaving the accounting details for Chapter 11. AAA access control provides much greater scalability and functionality than the basic access control methods discussed in Chapter 3. AAA can use local router configuration, TACACS+, RADIUS, and Kerberos for authentication and can utilize a TACACS+ or RADIUS for authorization.

TACACS+ and RADIUS can be used both for authentication and authorization, while Kerberos can be used only for authentication. Cisco-only networks usually choose TACACS+ because of its enhanced features. TACACS+, however, is proprietary to Cisco. Networks using equipment from multiple vendors usually choose RADIUS for its interoperability. Finally, organizations with existing Kerberos access servers can configure their routers to use those servers to control access to Cisco routers.

Enabling AAA

To use any of these authentication and authorization methods, you must first enable AAA on the router. The general steps for enabling AAA are:

  1. Turn on AAA with the aaa new-model command.

  2. Configure security protocol information if using an access control server (ACS).

  3. Define methods that specify the type and order of authentication with the aaa authentication command.

  4. Apply the authentication methods to each line and/or enable access.

  5. Configure AAA authorization, if needed, with the aaa authorization command.

Local Authentication ...

Get Hardening Cisco Routers now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.