Cisco® CCNA Exam Cram Notes :AAA(Authentication, Authorization, and Accounting)

VIII. Security Fundamentals

8. AAA(Authentication, Authorization, and Accounting)

By default, a Cisco IOS device performs authentication based on a line password and authorization based on a level 15 enable password. This is a problem for any organization that desires granularity or the ability to track activities back to one of multiple users. The solution to this is AAA. This allows an administrator to configure granular access and audit ability to an IOS device. To enable this more advanced and granular control in IOS, we must first use the "aaa new-model" command.

Authentication is the process of identifying an individual, usually based on a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users.

Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access to depend on the user's authorization level.

Accounting is the process of keeping track of a user's activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.


For recording any switch events, you need to configure and enable Accounting module of the AAA.

The necessary configuration steps for doing the same are as given below:

R1#configure terminal
R1(config)#aaa new-model

The given command is: aaa authentication login console line

In the above command:

i) The named list is console
ii) There is only one authentication method (line).

Once a named list (in this example, console) is created, it must be applied to a line or interface for it to come into effect. This is done using the login authentication list name command:

line con 0
exec-timeout 0 0
password cisco
login authentication console

As per the above example you need to enter the password "cisco" (configured on line con 0) to get console access. The default list, if specified, is used on tty, vty and aux.

The syntax for a method list is as follows:

aaa type { default | list-name} method-1 [ method-2 method-3 method-4]

Given the AAA command:

aaa authentication login default group radius local

In the above command:

1. AAA type is authentication login
2. The named list is the default one (default).
3. There are two authentication methods (group radius and local).

All users are authenticated using the Radius server (the first method). If the Radius server doesn't respond, then the router's local database is used (the second method). For local authentication, define the username name and password

username xxx password yyy

Because we are using the list default in the aaa authentication login command, login authentication is automatically applied for all login connections (such as tty, vty, console and aux)

Given below are the steps in brief that one needs to go through for configuring AAA.

On the client side:

1. Configure AAA : aaa new model

2. Specify AAA server to be accessed by the client : acacs-server host key cisco@123

3. Create a name method list. MYAUTHLIST is used for example only. You can use whichever name you want : aaa authentication login MYAUTHLIST group tacacs+ local

4. Create authorization method list to apply on users that have been authenticated : aaa authorization exec MYAUTHORIZATIONLIST group tacacs+ local

5. Apply the method lists to a device interface

line vty 0 4
login authentication
authorization exec

Previous    Contents    Next

CCNA Cram Notes Contents
certexams ad

simulationexams ad