As networks grow beyond the campus, network security increases in importance and in administrative complexity. As identity security and access management become more complex, networks and network resources require safeguarding from unauthorized access.
An access management solution is a policy-based enforcement model that gives administrators a secure way to control who may do what. It does this by applying policy-based access control to every device and service on the network, supplying audit and reporting functions, and letting system administrators enforce per-user privacy and security policies. Identity security and access management are essential layers in the security framework.
The AAA acronym stands for
Authentication: Who is the user? (identity)
Authorization: What can the user do? (services)
Accounting: What did the user do? (audit)
Network access control is one of the most important security measures, yet it is often overlooked. AAA security services bring together the ability to control who is allowed access to network devices and what services each user is allowed to access. AAA network security services provide the primary framework through which access control is set up on a network device such as a router, switch, firewall, concentrator, or other networking appliance.
AAA services can be used to control administrative access such as Telnet or Console access (also known as character mode access) to network devices and also to manage remote user network access such as dialup clients or VPN clients (also known as packet mode access).
Note
The AAA framework is one of the most common and recommended access control methods and is available on all major Cisco IOS devices and security appliances (except the IPS appliance). Several other measures exist for network access control, including local username authentication, enable password authentication, and line password authentication. These features do not provide the level of granularity in provisioning network access control that you can achieve with AAA.
AAA services can also be administered by using a local database stored on the network device instead of a security server. Username and password credentials can be stored in the router's local database and referenced by the AAA services. A local database does not scale; it is practical only for controlling network access for a small group of users on one or two devices. To achieve the greatest benefit and control, use security servers that employ the authentication protocols described in this chapter. Cisco IOS Software AAA technology provides the basic framework to set up network security services and implement access control.
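The following Cisco IOS configuration shows both access types described above (character mode for console and vty, packet mode for PPP/VPN users) placed under AAA with a security server first and the local database as fallback. It is an added illustration, not configuration from the chapter; the server names, addresses, group names, method-list names (TAC1, RAD1, ADMIN-TACACS, VPN-RADIUS, CONSOLE) and the bracketed secrets are assumed placeholders.

```cisco
! Added example: AAA for character-mode and packet-mode access.
! Names, addresses and <secrets> are placeholders to be replaced.
!
! 1. Create a local fallback user BEFORE enabling AAA. Once
!    "aaa new-model" is entered, every login goes through AAA; with
!    no reachable server and no local user you lock yourself out.
username admin privilege 15 secret <strong-password>
aaa new-model
!
! 2. TACACS+ server group for administrative (character-mode) access
tacacs server TAC1
 address ipv4 10.1.1.10
 key <tacacs-shared-secret>
aaa group server tacacs+ ADMIN-TACACS
 server name TAC1
!
! 3. RADIUS server group for remote-user (packet-mode) access
radius server RAD1
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
aaa group server radius VPN-RADIUS
 server name RAD1
!
! 4. Character mode: console and vty (Telnet/SSH) logins.
!    "group ADMIN-TACACS local" means: ask the server group first and
!    use the local database only if no server in the group answers.
!    A server that answers "reject" is final; there is no fallback.
aaa authentication login default group ADMIN-TACACS local
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! 5. Packet mode: dialup/PPP and VPN users authenticated via RADIUS
aaa authentication ppp default group VPN-RADIUS local
!
! Verify server state and watch a login being processed:
!   show tacacs
!   show aaa servers
!   debug aaa authentication
```

The console gets its own list (CONSOLE, local only) so that an unreachable server can never lock an operator out of the physical console; the vty lines use the default list so that a reachable server always has the first say, while the local user remains available only when the whole server group is down.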
AAA is an architectural framework that provisions a set of three independent security functions in a modular format to offer secure access control. AAA is a model for intelligently controlling access to network resources, enforcing policies, and auditing usage. These integrated security services are critical measures that knit together effective network management and secure implementations.
RADIUS, TACACS+, and Kerberos are the authentication protocols used to administer AAA security functions. A network device such as a router establishes a communication path to the security server by using these protocols via the AAA engine. Authentication protocols are discussed later in this chapter.
Authentication provides the means of identifying valid users by having a user present valid credentials, such as the username and password, to get access to the network resource. Additionally, authentication offers services such as challenge and response, messaging support, and encryption, depending on the security protocol selected. In summary, authentication is a method of identifying the user before access is granted to the network and network services.
Authorization provides the capability to enforce policies for network resources after the user gains access to the network via the authentication process. Authorization provides additional control of privileges such as downloading per-user ACL or assigning IP-addressing information. After the user successfully logs on to the device, authorization can further control the service delivery. For example, authorization can control what commands are available for the user to execute (for example, show running-config or reload).
Authorization works primarily by collating a set of authorized attributes that dictate the user's capabilities. These attributes are compared to the information stored in a database. The database can be local on the router or hosted remotely on a security server reached with the RADIUS or TACACS+ protocol. The RADIUS and TACACS+ security servers validate and authorize users for specific services by associating attribute-value (AV) pairs, which bind services to the user and grant access rights. AV pairs are discussed in more detail later in this chapter.
Accounting provides the means to capture resource utilization by collecting and sending to the security server information that can be used for billing, auditing, and reporting, such as user identities to check who logged in, start and stop times, report IOS commands executed, and traffic information such as number of bytes/packets transmitted and received. Accounting provides the capability to keep track of the services users are accessing as well as monitor utilization of these resources.
The network device reports user activity by sending accounting records to the security server using either RADIUS or TACACS+ authentication protocol. Each record consists of accounting AV pairs that are stored on the security server for the purposes mentioned earlier.
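The following Cisco IOS configuration adds authorization and accounting on top of an existing authentication setup, and notes in comments the kind of AV pairs that cross the wire for each service. It is an added illustration, not configuration from the chapter; it assumes that aaa new-model is already on and that a TACACS+ server group named ADMIN-TACACS and a RADIUS server group named VPN-RADIUS already exist (all names are assumed for the example).

```cisco
! Added example: authorization and accounting. Assumes "aaa new-model"
! and the server groups ADMIN-TACACS (TACACS+) and VPN-RADIUS (RADIUS)
! are already defined; group and list names are illustrative.
!
! --- Authorization ---
! EXEC: may this authenticated user get a shell, and at what privilege
! level? The TACACS+ reply carries AV pairs such as
!   service=shell  priv-lvl=15
aaa authorization exec default group ADMIN-TACACS local
!
! Commands: each level-1 and level-15 command is sent to the server as
! AV pairs before it runs, e.g.
!   service=shell  cmd=show  cmd-arg=running-config
! so "reload" or "configure terminal" can be denied per user.
aaa authorization commands 1 default group ADMIN-TACACS local
aaa authorization commands 15 default group ADMIN-TACACS local
!
! The console is exempt from authorization unless explicitly enabled;
! keep it exempt so a dead server cannot block recovery from console.
no aaa authorization console
!
! Packet mode: the RADIUS Access-Accept returns per-user attributes such
! as Filter-Id (names a per-user ACL) or Framed-IP-Address.
aaa authorization network default group VPN-RADIUS
!
! --- Accounting ---
! EXEC start/stop records: who logged in, from where, and for how long.
aaa accounting exec default start-stop group ADMIN-TACACS
!
! Command accounting: one record per level-15 command executed, with
! the cmd / cmd-arg AV pairs, so "show running-config" is auditable.
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
! Network accounting: session start/stop for PPP/VPN users, including
! bytes and packets transmitted and received.
aaa accounting network default start-stop group VPN-RADIUS
!
! Verify:
!   show aaa sessions
!   debug aaa authorization
!   debug aaa accounting
```

Because the default method lists are used, they apply to every line automatically; a named list would additionally have to be applied under the line (authorization exec, authorization commands, accounting exec, accounting commands). Note that command authorization sends every command to the server, so the server group must be reachable over a low-latency path or interactive sessions become sluggish.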
The three separate functions within the AAA architecture work closely together to enforce policy, with the following dependencies:
Authentication is valid without authorization: a user can be identified and then given whatever access the line or default privilege level allows.
Authentication is valid without accounting.
Authorization is not valid without authentication: the device must know who the user is before it can determine what that user is allowed to do.
Accounting is not valid without authentication, for the same reason: every accounting record is tied to an identified user.