AAA
AAA is an acronym for authentication, authorization and accounting. It is a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
This whole process is important for effective network management and security.
If you have more than a few network devices, using local user accounts is not a scalable solution. The solution is to centralize authentication via either a TACACS+ or a RADIUS server. It is more common to use a TACACS server. Cisco has its own TACACS server, called Cisco ACS. To set up authentication we need to do some configuration.
Terminal Access Controller Access-Control System (TACACS) is a protocol set created and intended for controlling access to UNIX terminals. Cisco created a new protocol called TACACS+, which was released as an open standard in the early 1990s.
TACACS+ uses Transmission Control Protocol (TCP) port 49 to communicate between the TACACS+ client and the TACACS+ server. An example is a Cisco switch authenticating and authorizing administrative access to the switch’s IOS CLI.
One of the key differentiators of TACACS+ is its ability to treat authentication, authorization and accounting as separate and independent functions. This is why TACACS+ is so commonly used for device administration, even though RADIUS is still certainly capable of providing device administration AAA.
Remote Access Dial-In User Service (RADIUS) is an IETF standard for AAA. As with TACACS+, it follows a client / server model where the client initiates the requests to the server. With IEEE 802.1X, RADIUS is used to extend the layer-2 Extensible Authentication Protocol (EAP) from the end-user to the authentication server.
A RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server for configuring 802.1X.
Here are some differences between TACACS and RADIUS:
Network authorization type connection: Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
This is the configuration of AAA
Now check the example. I am going to use my name as a password.
In this first part we try to enable RADIUS and TACACS server authentication.
Now we try to set up local authentication in case the server authentication fails.
Now these are the results when we try to exit and then log in again.
This is the way we authenticate locally.
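The two steps of this lab (server authentication first, then local fallback) as an added Cisco IOS configuration example; it is not the author's original configuration. The server addresses (documentation range 192.0.2.0/24), the keys, the secrets and the username `labadmin` are placeholders, and the legacy `tacacs-server host` / `radius-server host` syntax is assumed.

```cisco
! Added example, not the lab's original configuration.
! Values in <...> and the 192.0.2.x addresses are placeholders.
!
! Local account used only as a fallback (step 2 of the lab).
! "secret" stores a hash; avoid "password", which is reversible or clear text.
username labadmin privilege 15 secret <LOCAL-SECRET>
enable secret <ENABLE-SECRET>
!
! Turn on the AAA subsystem. Without this, the aaa commands below are rejected.
aaa new-model
!
! Step 1: define the central servers.
! TACACS+ listens on TCP port 49; RADIUS here uses UDP 1812/1813.
tacacs-server host 192.0.2.10 key <TACACS-KEY>
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key <RADIUS-KEY>
!
! Authentication method list: try TACACS+, then RADIUS, then the local database.
! The next method is tried only when the previous one returns an ERROR
! (server unreachable or timed out). If a server answers and REJECTS the
! credentials, the login fails and "local" is never consulted.
aaa authentication login default group tacacs+ group radius local
aaa authentication enable default group tacacs+ enable
!
! Authorization is configured separately from authentication, which is the
! TACACS+ separation of functions described above.
aaa authorization exec default group tacacs+ local
!
! Accounting: record session start/stop and privileged commands.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Apply the method list to remote management lines.
line vty 0 4
 login authentication default
 transport input ssh
!
! Verification from exec mode:
!   show aaa servers
!   debug aaa authentication
```

Keep a console session open while testing, so that a mistake in the method list does not lock you out of the device.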
I hope that you like this lab and that you understand RADIUS and TACACS authentication.
In case you did, please share it.
AAA, reviewed by ohhhvictor on 1:13:00 PM