5.0 Security Fundamentals

5.8 Differentiate authentication, authorization, and accounting concepts in network security

Authentication, authorization, and accounting (AAA) are three fundamental concepts in network security.

1. Authentication: This is the process of verifying the identity of a user, device, or service. In other words, authentication is about proving that you are who you claim to be. This is usually done by providing a username and password, but can also be done through other methods such as biometric authentication or digital certificates.

2. Authorization: Once the identity of a user or device has been verified, authorization determines what that entity is allowed to do. This is typically based on the user's role and the policies and permissions defined by the organization. Authorization determines what resources a user can access, what actions they can perform, and what level of access they have.

3. Accounting: This is the process of recording and tracking network activity. Accounting information can be used for billing, auditing, or performance analysis. It provides a detailed record of what actions were taken by whom, when, and from where. This information can be used to monitor network usage and detect any unauthorized or suspicious activity.

The AAA framework is used to provide a consistent and secure way to manage authentication, authorization, and accounting services. It allows organizations to enforce security policies and monitor network activity in a centralized and scalable manner.

AAA configuration on Cisco IOS devices

To configure AAA on a Cisco IOS device, you need to perform the following steps:

1. Define the AAA authentication method: This is done using the "aaa authentication" command. For example, you can use the following command to configure local username/password authentication:

aaa authentication login default local

2. Define the authorization method: This is done using the "aaa authorization" command. For example, you can use the following command to configure authorization based on the local username database:

aaa authorization exec default local

3. Define the accounting method: This is done using the "aaa accounting" command. For example, you can use the following command to configure accounting of all exec commands to a syslog server:

aaa accounting exec default start-stop group syslog

4. Create a local username database: This is done using the "username" command. For example:

username admin password cisco

5. Apply the AAA configuration to a specific interface or line: This is done using the "login authentication" command. For example:

line vty 0 4
 login authentication default

Note: These are just examples and you should adjust the configuration to your specific requirements. Also, make sure to properly secure your username/password database, as well as the communication between the device and the AAA server.