
3.1.2 AAA Characteristics
AAA Authentication

AAA can be used to authenticate users for administrative access or it can be used to authenticate users
for remote network access. These two access methods use different modes to request AAA services:
Character mode - A user sends a request to establish an EXEC mode process with the router for administrative purposes.
Packet mode - A user sends a request to establish a connection through the router with a device on the network.
With the exception of accounting commands, all AAA commands apply to both character mode and
packet mode. This topic focuses on securing character mode access. For a truly secure network, it is
important to configure the router for both secure administrative access and remote LAN network access
using AAA services. Cisco provides two common methods of implementing AAA services.

Local AAA Authentication
Local AAA uses a local database for authentication. This method stores usernames and passwords locally
in the Cisco router, and users authenticate against the local database. This database is the same one
required for establishing role-based CLI. Local AAA is ideal for small networks.
Server-Based AAA Authentication
The server-based method uses an external database server resource that leverages RADIUS or TACACS+
protocols. Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure
ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA is
more appropriate.
Access Methods

Remote administrative access
  Mode: Character mode, which provides user and privileged EXEC access
  Router ports: console, vty, aux, and tty
  Common AAA commands: login, exec, and enable commands

Remote network access
  Mode: Packet mode, which provides access to network resources
  Router ports: dial-up and VPN access
  Common AAA commands: ppp and network commands

Local AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database and the user is
authorized to access the network based on information in the local database.

Server-Based AAA

1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA Server.
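The two authentication flows above, as an added Cisco IOS configuration example that is not part of the course text. The username ADMIN, the method-list name ADMIN-LOGIN, the server name ACS-1, the address 10.0.0.10 and the angle-bracket placeholders are all constructed values; the commands themselves are standard IOS AAA commands.

```cisco
! Added example (not from the course text): AAA authentication for
! character-mode access (console and vty) on a Cisco IOS router.
! ADMIN, ADMIN-LOGIN, ACS-1, 10.0.0.10 and the <...> placeholders are constructed.

! Enable the AAA subsystem. Until this is done, the legacy line-password
! model is in effect and the aaa commands below are not accepted.
aaa new-model

! --- Local AAA ---
! The local database; the same entries are used for role-based CLI views.
! "secret" stores a hashed password ("password" would store it reversibly).
username ADMIN privilege 15 secret <STRONG-PASSWORD>

! Lock a local account after three consecutive failed attempts.
aaa local authentication attempts max-fail 3

! Default login method list: check the local database only.
aaa authentication login default local

! --- Server-based AAA (TACACS+) ---
! Define the AAA server. The shared key must match the key configured
! for this router on the ACS / TACACS+ server.
tacacs server ACS-1
 address ipv4 10.0.0.10
 key <SHARED-SECRET>

! Named method list: ask the TACACS+ server group first and fall back to
! the local database only if no server responds. A server that answers
! FAIL rejects the login; it does not trigger the fallback.
aaa authentication login ADMIN-LOGIN group tacacs+ local

! Privileged EXEC (enable) authentication through the same server, with
! the locally configured enable secret as the fallback.
enable secret <ENABLE-SECRET>
aaa authentication enable default group tacacs+ enable

! --- Apply the lists to the character-mode lines ---
line console 0
 login authentication default
line vty 0 4
 login authentication ADMIN-LOGIN
 transport input ssh
```

Keep a console session open while testing the vty list: a typo in the method list or an unreachable server with no local fallback locks every remote administrator out. `debug aaa authentication` shows which method in the list accepted or rejected a login, and `show tacacs` shows whether the server is being reached.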
AAA Authorization
After users are successfully authenticated against the selected AAA data source (local or server-based),
they are then authorized for specific network resources. Authorization is basically what a user can and
cannot do on the network after that user is authenticated, similar to how privilege levels and role-based
CLI give users specific rights and privileges to certain commands on the router.
Authorization is typically implemented using a AAA server-based solution. Authorization uses a created
set of attributes that describes the user's access to the network. These attributes are compared to the
information contained within the AAA database, and a determination of restrictions for that user is
made and delivered to the local router where the user is connected.
Authorization is automatic and does not require users to perform additional steps after authentication.
Authorization is implemented immediately after the user is authenticated.

1. When a user has been authenticated, a session is established with the AAA server.
2. The router requests authorization for the requested service from the AAA server.
3. The AAA server returns a PASS/FAIL for authorization.
AAA Accounting
Accounting collects and reports usage data so that it can be employed for purposes such as auditing or
billing. The collected data might include the start and stop connection times, executed commands,
number of packets, and number of bytes.
Accounting is implemented using a AAA server-based solution. This service reports usage statistics back
to the ACS server. These statistics can be extracted to create detailed reports about the configuration of
the network.
One widely deployed use of accounting is combining it with AAA authentication for managing access to
internetworking devices by network administrative staff. Accounting provides more security than just
authentication. The AAA servers keep a detailed log of exactly what the authenticated user does on the
device. This includes all EXEC and configuration commands issued by the user. The log contains
numerous data fields, including the username, the date and time, and the actual command that was
entered by the user. This information is useful when troubleshooting devices. It also provides leverage
against individuals who perform malicious actions.
Accounting Steps

1. When a user has been authenticated, the AAA accounting process generates a start message to begin
the accounting process.
2. When the user finishes, a stop message is recorded and the accounting process ends.
AAA Accounting Functions

Network accounting
  Captures information for all Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or
  Apple Remote Access Protocol (ARAP) sessions, including packet and byte counts.

Connection accounting
  Captures information about all outbound connections made from the AAA client, such as Telnet,
  local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.

EXEC accounting
  Captures information about user EXEC terminal sessions (user shells) on the network access server,
  including username, date, start and stop times, the access server IP address, and (for dial-in users)
  the telephone number from which the call originated.

System accounting
  Captures information about all system-level events (for example, when the system reboots or when
  accounting is turned on or off).

Command accounting
  Captures information about the EXEC shell commands for a specified privilege level that are being
  executed on a network access server. Each command accounting record includes a list of the commands
  executed for that privilege level, as well as the date and time each command was executed, and the
  user who executed it.

Resource accounting
  The Cisco implementation of AAA accounting captures "start" and "stop" record support for calls that
  have passed user authentication. The additional feature of generating "stop" records for calls that
  fail to authenticate as part of user authentication is also supported. Such records are necessary for
  users employing accounting records to manage and monitor their networks.
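The authorization steps and the accounting functions above, as an added Cisco IOS configuration example that is not part of the course text. ACS-1, 10.0.0.10 and the key placeholder are constructed; each accounting command below maps to one row of the functions table.

```cisco
! Added example (not from the course text): AAA authorization and
! accounting on a Cisco IOS router, reported to the TACACS+ server ACS-1.
! ACS-1, 10.0.0.10 and the <...> placeholder are constructed values.
aaa new-model
tacacs server ACS-1
 address ipv4 10.0.0.10
 key <SHARED-SECRET>

! --- Authorization (runs automatically once authentication succeeds) ---
! Ask the server whether the user may start an EXEC shell and at which
! privilege level; fall back to the local database if no server responds.
aaa authorization exec default group tacacs+ local
! Per-command authorization for privilege-15 commands. "if-authenticated"
! lets an already-authenticated user continue when no server responds.
aaa authorization commands 15 default group tacacs+ if-authenticated
! Also authorize commands entered in configuration mode, not only EXEC.
aaa authorization config-commands

! --- Accounting (one command per function in the table) ---
! EXEC accounting: start and stop records for each terminal session
! (username, date, start/stop times, source address).
aaa accounting exec default start-stop group tacacs+
! Command accounting: one record per privilege-15 command, carrying the
! user, the time and the exact command string. Commands only produce
! stop records, so stop-only is the usual setting here.
aaa accounting commands 15 default stop-only group tacacs+
! Network accounting: PPP sessions with packet and byte counts.
aaa accounting network default start-stop group tacacs+
! Connection accounting: outbound Telnet, rlogin and similar sessions
! opened from the router itself.
aaa accounting connection default start-stop group tacacs+
! System accounting: reloads and accounting being turned on or off.
! Only the default list is permitted for system accounting.
aaa accounting system default start-stop group tacacs+
! Resource accounting: also send a stop record for calls that fail
! authentication, so failed attempts appear in the server log too.
aaa accounting send stop-record authentication failure
```

Command accounting is the piece that gives the audit trail the text describes: every privilege-15 command arrives at the server with the username and timestamp, and a stop-only record is enough because a command has no duration of its own. `show aaa sessions` lists the sessions currently being accounted for, and `debug aaa accounting` shows each record as it is sent.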
