SlideShare una empresa de Scribd logo

AAA Protocol

Netwax Lab
Netwax Lab

AAA stands for Authentication, Authorization and Accounting. This protocol was defined by the Internet Engineering Task Force in RFC 6733 and is intended to provide an Authentication, Authorization, and Accounting (AAA) framework for applications such as network access or IP mobility in both local and roaming situations.

Tecnología
1 de 8
Descargar para leer sin conexión
AAA Protocol AAA stands for Authentication, Authorization and Accounting. This protocol was defined by the Internet Engineering Task Force in RFC 6733 and is intended to provide an Authentication, Authorization, and Accounting (AAA) framework for applications such as network access or IP mobility in both local and roaming situations.  Authentication is the process of identifying an individual, usually based on a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users.  Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access to depend on the user's authorization level.  Accounting is the process of keeping track of a user's activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation. AAA is used in scenarios where a NAS(Network Access Server) or a RAS(Remote Access server) Acts like a switch granting or denying access to the internet or intranet for a user based on AAA authentication & authorization. Elements of Authentication When performing authentication, numerous elements can be evaluated before a PDP reaches its access decision. At a high level, these elements can be broken down into three categories: the principal itself (the user, device, or service requesting access), the credential the principal submits (shared key, one- time password, digital certificate, or biometric credential), and the contextual information describing the transaction (location, time of day, software state, and so on). Figure 1 AAA Working
AAA Protocol  Principal: The principal is the entity requesting authorization. It is generally some combination of user, device, or service. When concerned with a user, the PIP can provide attributes about the user such as role or group affiliations, job title, e-mail address, physical address, and so on.  Credential: The next element the PDP considers is the credential the user or device submits as proof of identity. There are four main types of credentials: shared key (password), one-time password (OTP), digital certificate, and biometric credential. This section examines each of these types. The first and most widely used form of credential is the shared key, typically a user password. AAA deployments that use shared keys can be subdivided based on the protocol the system uses to verify the password, including the Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft CHAP Extensions (MS- CHAP) Versions 1 and 2. PAP authentication is a plaintext authentication method that is not recommended for use in security-sensitive environments. Authorization Approaches At its core, authorization means determining what a client is allowed to do on the network. However, the granularity of this authorization is only as good as the sophistication of the PDP and the enforcement capabilities of the PEP. This section examines the authorization options for network AAA, including Layer 2 segmentation, Layer 3 filtering, and Layer 7 entitlements. It closes with an examination of some of the challenges encountered when sending or "provisioning" the authorizations from the PDP to the PEP.  Null Authorization (Authentication Only): Strangely the most common authorization in AAA is no authorization at all. After the authentication event occurs, the client is immediately granted full access to the network. This characteristic is a holdover from the original goal of remote- access AAA: to perform an authentication check that simply determines whether the client should be trusted as if it were connected to the organization's home network.  Layer 2 Segmentation: For wireless access points and Ethernet switches, the most common form of authorization enforcement is Layer 2 segmentation, which works by splitting the network into multiple logical segments, isolating certain classes of client from one another.  Layer 3 Filtering: Layer 3 filtering authorizes access to resources through ACLs configured on Layer 3 devices (routers, Ethernet switches, security gateways, and so on). These ACLs (which generally encompass Layer 4 of the OSI stack as well) can enforce authorizations to a range of hosts, specific hosts, or services on those hosts. As mentioned earlier, Layer 3 filtering can be combined with Layer 2 segmentation to provide aggregate authorizations for an entire VLAN.  Layer 7 Entitlements: Increasingly, security gateways are able to go beyond Layer 3 and 4 filtering and are starting to become application-aware, meaning that the authorizations handed from the PDP to the PEP can be very granular, focusing on the specific applications that are needed rather than broader filters based on segments or hosts on the network. Because this technology is still relatively new, there are no standards yet to make this interaction work
AAA Protocol transparently. As a result, most granular application filters are written on the PEP itself in order to allow the PDP to trigger a pre-existing profile on the PEP.  Provisioning Challenges: In AAA parlance, the term "provisioning" refers to communicating a user's session rights and constraints to the PEP so that the PEP can grant and enforce these permissions. One of the most difficult aspects of provisioning access rights on a PEP is communicating the decision of the PDP in a format the PEP can understand. This fact is one of the reasons that many PEPs come with a lightweight PDP. This approach solves the narrow problem for that PEP but creates management challenges when coordinating network AAA across a broader enterprise, because the enterprise AAA policies must be implemented individually on each unique type of PEP on the network. Because RADIUS is the most commonly used network AAA protocol, it is natural to communicate the PDP decision using that protocol. RADIUS attributes such as the "filter-id" allow the PDP to trigger a preexisting filter on the PEP. Network Access Server (NAS) The Network Access Server (NAS) is a service element that clients dial in order to get access to the network. An NAS is a device having interfaces both to the backbone and to the POTS or ISDN, and receives calls from hosts that want to access the backbone by dialup services. NAS is located at an Internet provider's point of presence to provide Internet access to its customers. A Network Access Server is:  A single point of access to a remote resource.  A Remote Access Server, because it allows remote access to a network.  An Initial Entry Point to a network.  A Gateway to guard to protected resource. Figure 2 Basic Architecture of NAS/Radius/AAA
AAA Protocol AAA Flow 1. The client attempts to connect to the network, is challenged for identity information, and sends this information to the PEP. In this example, let's assume the client is a laptop with a worker attempting to access an organization's VPN from a remote location. Additionally, we'll assume this is a valid, permitted use of the network. 2. The PEP sends the collected identity information to the PDP. In some cases (discussed in part two of this article), the PEP cannot see the specific identity information provided but instead relays the information directly to the PDP. 3. The PDP queries any configured PIPs for information about the client and validates that the credential provided by the client is valid. In this example, the PIP is an LDAP directory. Figure 3 A Client Connects to a AAA-Protected Network
AAA Protocol 4. The PIP returns a success or failure message from the credential validation step and sends additional information about the client to the PDP for evaluation. This information could include the role of the user, the home location for the user, and so on. 5. The PDP evaluates information learned about the client through the client, PEP, and PIP; the role of the PEP and PIP that serviced the request; and any contextual information (such as time of day) against its configured policies. Based on this information, the PDP makes an authorization decision. 6. The PDP sends the PEP the authentication result and any authorizations specific to the client. These authorizations trigger specific PEP actions to apply to the client. For example, the authorization data might trigger specific Access Control Lists (ACLs) or IP pool assignments for the client. 7. The PDP also sends the result of this transaction to the accounting system. 8. The PEP applies the authorization profile learned from the PDP and sends the "authentication successful" message to the client. The PEP can also be configured to send accounting information on this new connection to the accounting and reporting system. 9. The client accesses the production network through the PEP. Types of AAA Servers  Access Network AAA (AN-AAA): Communicates with the RNC in the Access Network (AN) to enable authentication and authorization functions to be performed at the AN. The interface between AN and AN-AAA is known as the A12 interface.  Broker AAA (B-AAA): Acts as an intermediary to proxy AAA traffic between roaming partner networks (i.e., between the H-AAA server in the home network and V-AAA server in the serving network). B-AAA servers are used in CRX networks to enable CRX providers to offer billing settlement functions.  Home AAA (H-AAA): The AAA server in the roamer's home network. The H-AAA is similar to the HLR in voice. The H-AAA stores user profile information, responds to authentication requests, and collects accounting information.  Visited AAA (V-AAA): The AAA server in the visited network from which a roamer is receiving service. The V-AAA in the serving network communicates with the H-AAA in a roamer's home network. Authentication requests and accounting information are forwarded by the V-AAA to the H-AAA, either directly or through a B-AAA.
AAA Protocol Core Components of AAA  Client: The client is the device attempting to access the network. The client either authenticates itself, or it acts as a proxy to authenticate the user.  Policy Enforcement Point (Authenticator): The Policy Enforcement Point (PEP) is sometimes called the authenticator or dial-in server, VPN concentrator, firewall, gateway General Packet Radio Service (GPRS) support node, Ethernet switch, wireless access point, or an inline security gateway. The PEP is responsible for enforcing the terms of a client's access. This enforcement varies based on the capabilities of the PEP and is discussed later in this article.  Policy Information Point: The Policy Information Point (PIP) is a repository of information to help make the access decision. It could be a database of device IDs, a user directory such as the Lightweight Directory Access Protocol (LDAP), a one-time password (OTP) token server, or any other system that houses data relevant to a device or user access request.  Policy Decision Point (AAA Server): The Policy Decision Point (PDP) is the brain of the AAA decision. It collects the access request from the client through the PEP. It also queries any relevant PIPs to gather the information it needs to make the access decision. The PDP, as its name implies, is the entity that makes the final decision around network access. It also can send specific authorizations back to the PEP that apply settings or constraints to the client's network traffic.  Accounting and Reporting System: Whether on a dedicated system or built as part of a PDP, tracking use of the network with accounting is one of the best features of AAA. With all forms of network access now offering controlled access, the AAA service can tell you who got on the network, from where, and what that person was granted access to. AAA Protocols Radius is an AAA protocol for applications such as Network Access or IP Mobility. Besides Radius, we have the following protocols in AAA: Terminal Access Controller Access Control System (TACACS) TACACS is a remote authentication protocol that is used to communicate with an authentication server commonly used in Unix networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. TACACS+ TACACS+ provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. It uses TCP and provides separate authentication, authorization, and accounting services. It works on port 49.
AAA Protocol DIAMETER Diameter is a planned replacement of Radius. Benefits of Using AAA AAA provides the following benefits:  Increased flexibility and control of access configuration  Scalability  Standardized authentication methods, such as RADIUS and TACACS+  Multiple backup devices Choosing between RADIUS and TACACS  RADIUS Advantages The main advantage of RADIUS is availability. Although all modern Cisco devices support TACACS+, support outside the Cisco community is limited. If you work on a mixed vendor network, RADIUS is likely the best option available.  TACACS+ Advantages As an extension of the RADIUS protocol, TACACS+ implements most of the features of RADIUS. The advantages of TACACS+ are in how it changes the implementation of RADIUS, as well as how it extends the protocol to meet the needs of modern networks. 1. TACACS+ uses TCP instead of UDP. TCP guarantees communication between the client and server. Unlike UDP, which is connectionless, TCP initiates a connection with the server and is not as susceptible to situations such as network congestion and server crashes. 2. TACACS+ encrypts all of the data in the TACACS+ packet. Although RADIUS does encrypt the password in the packet, it doesn't protect against other data interception such as username and accounting information. 3. TACACS+ allows for different methods of authentication, authorization, and accounting. RADIUS couples authentication and authorization, making it difficult to use different servers for these purposes. 4. TACACS+ allows a network administrator to define what commands a user may run. This fine grain level of control allows more controlled access for a greater number of users on a network. When choosing an AAA protocol to use on a Cisco-based network, TACACS+ is the obvious choice. RADIUS (or a combination of TACAS+ and RADIUS) may be required if the network uses non-Cisco devices that do not support the TACACS+ protocol.
AAA Protocol Basic AAA Configuration on IOS Steps to configuring AAA:  Enable AAA Router(config)# aaa new-model  Configure authentication, using RADIUS or TACACS+ There are two approaches to configuring TACACS+ servers. In the first, servers are specified in global configuration mode using the command tacacs-server to specify an IP address and shared secret key for each server: Router(config)# tacacs-server host 192.168.1.3 key MySecretKey1 Router(config)# tacacs-server host 192.168.2.3 key MySecretKey2 This approach is sufficient for many deployments, but is problematic if you want to reference only a subset of the defined servers for a certain AAA function. For example, suppose you want to use one TACACS+ server for control plane authentication on the router itself, and the second server for authenticating PPP connections. In this case, you would assign the servers to named AAA server groups: Router(config)# aaa group server tacacs+ LoginAuth Router(config-sg-tacacs+)# server 192.168.1.3 Router(config)# aaa group server tacacs+ PPPAuth Router(config-sg-tacacs+)# server 192.168.2.3  Define the method lists for authentication Router(config)# aaa authentication login default group tacacs+ local The above method list handles only the authentication aspect of AAA. By itself, this list only allows us to authenticate as a user with privilege level 1 (user exec mode). To communicate a heightened privilege level (e.g. privilege level 15, or "enable mode") from the TACACS+ server, we also need to define an authorization method list for IOS shell creation. Router(config)# aaa authorization exec default group tacacs+ local  Apply the method lists per line/ per interface Router(config)# line console 0 Router(config-line)# login authentication default Router(config)# line vty 0 15 Router(config-line)# login authentication default

Recomendados

AAA Implementation
AAA ImplementationAAA Implementation
AAA ImplementationAhmad El Tawil
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its TypesNetwax Lab
 
802.1x
802.1x802.1x
802.1xakruthi k
 
UDP - User Datagram Protocol
UDP - User Datagram ProtocolUDP - User Datagram Protocol
UDP - User Datagram ProtocolPeter R. Egli
 
Snmp
SnmpSnmp
Snmphetaljadav
 
Tcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport LayerTcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport Layertmavroidis
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+Netwax Lab
 

Recomendados

AAA Implementation
AAA ImplementationAAA Implementation
AAA ImplementationAhmad El Tawil
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its TypesNetwax Lab
 
802.1x
802.1x802.1x
802.1xakruthi k
 
UDP - User Datagram Protocol
UDP - User Datagram ProtocolUDP - User Datagram Protocol
UDP - User Datagram ProtocolPeter R. Egli
 
Snmp
SnmpSnmp
Snmphetaljadav
 
Tcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport LayerTcp Udp Icmp And The Transport Layer
Tcp Udp Icmp And The Transport Layertmavroidis
 
Access Control List (ACL)
Access Control List (ACL)Access Control List (ACL)
Access Control List (ACL)ISMT College
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+Netwax Lab
 
Quality of Service
Quality of ServiceQuality of Service
Quality of ServiceAbhishek Wadhwa
 
TCP and UDP
TCP and UDP TCP and UDP
TCP and UDP Ramesh Giri
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
CSMA/CD
CSMA/CDCSMA/CD
CSMA/CDsainadh kamatala
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private NetworkPeter R. Egli
 
udp , tcp ,sctp
udp , tcp ,sctpudp , tcp ,sctp
udp , tcp ,sctpAKSHIT KOHLI
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacksAlexandre Moneger
 
Chap 12 tcp
Chap 12 tcpChap 12 tcp
Chap 12 tcpSparsh Samir
 
Gns3
Gns3Gns3
Gns3Bahaa Aladdin
 
Point to-point protocol (ppp)
Point to-point protocol (ppp)Point to-point protocol (ppp)
Point to-point protocol (ppp)Kongu Engineering College, Perundurai, Erode
 
snmp
snmpsnmp
snmpحسن رشید
 
Internet protocols Report Slides
Internet protocols Report SlidesInternet protocols Report Slides
Internet protocols Report SlidesBassam Kanber
 
TCP Vs UDP
TCP Vs UDP TCP Vs UDP
TCP Vs UDP Ahmed Elnaggar
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux SecurityRizky Ariestiyansyah
 
Distance Vector Multicast Routing Protocol (DVMRP) : Combined Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : Combined PresentationDistance Vector Multicast Routing Protocol (DVMRP) : Combined Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : Combined PresentationSubhajit Sahu
 
transport layer
transport layertransport layer
transport layerpriyadharshini murugan
 
ICMP
ICMPICMP
ICMPselvakumar_b1985
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAAdkaya
 
Internet control message protocol
Internet control message protocolInternet control message protocol
Internet control message protocolasimnawaz54
 
Tacacs
TacacsTacacs
Tacacs1 2d
 
Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesrahul kundu
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshellMohamed Daif
 

Más contenido relacionado

La actualidad más candente

AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private NetworkPeter R. Egli
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacksAlexandre Moneger
 
Internet protocols Report Slides
Internet protocols Report SlidesInternet protocols Report Slides
Internet protocols Report SlidesBassam Kanber
 
Distance Vector Multicast Routing Protocol (DVMRP) : Combined Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : Combined PresentationDistance Vector Multicast Routing Protocol (DVMRP) : Combined Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : Combined PresentationSubhajit Sahu
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAAdkaya
 
Internet control message protocol
Internet control message protocolInternet control message protocol
Internet control message protocolasimnawaz54
 
Tacacs
TacacsTacacs
Tacacs1 2d
 

La actualidad más candente (20)

Quality of Service
Quality of ServiceQuality of Service
Quality of Service
 
TCP and UDP
TCP and UDP TCP and UDP
TCP and UDP
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
CSMA/CD
CSMA/CDCSMA/CD
CSMA/CD
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
 
udp , tcp ,sctp
udp , tcp ,sctpudp , tcp ,sctp
udp , tcp ,sctp
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacks
 
Chap 12 tcp
Chap 12 tcpChap 12 tcp
Chap 12 tcp
 
Gns3
Gns3Gns3
Gns3
 
Point to-point protocol (ppp)
Point to-point protocol (ppp)Point to-point protocol (ppp)
Point to-point protocol (ppp)
 
snmp
snmpsnmp
snmp
 
Internet protocols Report Slides
Internet protocols Report SlidesInternet protocols Report Slides
Internet protocols Report Slides
 
TCP Vs UDP
TCP Vs UDP TCP Vs UDP
TCP Vs UDP
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Distance Vector Multicast Routing Protocol (DVMRP) : Combined Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : Combined PresentationDistance Vector Multicast Routing Protocol (DVMRP) : Combined Presentation
Distance Vector Multicast Routing Protocol (DVMRP) : Combined Presentation
 
transport layer
transport layertransport layer
transport layer
 
ICMP
ICMPICMP
ICMP
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAA
 
Internet control message protocol
Internet control message protocolInternet control message protocol
Internet control message protocol
 
Tacacs
TacacsTacacs
Tacacs
 

Destacado

Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesrahul kundu
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius ProtocolNetwax Lab
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)Sarah Conway
 
CCNA Security 06- AAA
CCNA Security 06- AAACCNA Security 06- AAA
CCNA Security 06- AAAAhmed Habib
 
Authentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-SultanAuthentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-SultanNawaf_alghamdi
 
Design and Performance Optimization of Authentication, Authorization, and Acc...
Design and Performance Optimization of Authentication, Authorization, and Acc...Design and Performance Optimization of Authentication, Authorization, and Acc...
Design and Performance Optimization of Authentication, Authorization, and Acc...saidzaghloul
 
Cisco acs configuration guide
Cisco acs configuration guideCisco acs configuration guide
Cisco acs configuration guideRichardsCCNA
 
Keamanan Jaringan - Pertemuan 4
Keamanan Jaringan - Pertemuan 4Keamanan Jaringan - Pertemuan 4
Keamanan Jaringan - Pertemuan 4Abrianto Nugraha
 
Capturing Network Traffic into Database
Capturing Network Traffic into Database Capturing Network Traffic into Database
Capturing Network Traffic into Database Tigran Tsaturyan
 
Wireshar training
Wireshar trainingWireshar training
Wireshar trainingLuke Luo
 
Convert Wireshark PCAP Files to Sequence Diagrams
Convert Wireshark PCAP Files to Sequence DiagramsConvert Wireshark PCAP Files to Sequence Diagrams
Convert Wireshark PCAP Files to Sequence DiagramsEventHelix.com Inc.
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetShivanand Arur
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 

Destacado (20)

Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slides
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshell
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius Protocol
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)
 
CCNA Security 06- AAA
CCNA Security 06- AAACCNA Security 06- AAA
CCNA Security 06- AAA
 
A A A
A A AA A A
A A A
 
Security
SecuritySecurity
Security
 
Authentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-SultanAuthentication, authorization, and accounting Nawaf-Sultan
Authentication, authorization, and accounting Nawaf-Sultan
 
Authentication Concepts
Authentication ConceptsAuthentication Concepts
Authentication Concepts
 
High Risk EVAR
High Risk EVARHigh Risk EVAR
High Risk EVAR
 
Design and Performance Optimization of Authentication, Authorization, and Acc...
Design and Performance Optimization of Authentication, Authorization, and Acc...Design and Performance Optimization of Authentication, Authorization, and Acc...
Design and Performance Optimization of Authentication, Authorization, and Acc...
 
Cisco acs configuration guide
Cisco acs configuration guideCisco acs configuration guide
Cisco acs configuration guide
 
Keamanan Jaringan - Pertemuan 4
Keamanan Jaringan - Pertemuan 4Keamanan Jaringan - Pertemuan 4
Keamanan Jaringan - Pertemuan 4
 
Capturing Network Traffic into Database
Capturing Network Traffic into Database Capturing Network Traffic into Database
Capturing Network Traffic into Database
 
Wireshar training
Wireshar trainingWireshar training
Wireshar training
 
Convert Wireshark PCAP Files to Sequence Diagrams
Convert Wireshark PCAP Files to Sequence DiagramsConvert Wireshark PCAP Files to Sequence Diagrams
Convert Wireshark PCAP Files to Sequence Diagrams
 
20 años de EVAR
20 años de EVAR20 años de EVAR
20 años de EVAR
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP Protocols
 
RADIUS
RADIUSRADIUS
RADIUS
 

Similar a AAA Protocol

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdfConfiguring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdfdjameleddine2015
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE ArchitecturesFIWARE
 
IEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationIEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationAxis Communications
 
The three chain links of radius security
The three chain links of radius securityThe three chain links of radius security
The three chain links of radius securityGrafic.guru
 
Applications Drive Secure Lightpath Creation Across Heterogeneous Domains
Applications Drive Secure Lightpath Creation Across Heterogeneous DomainsApplications Drive Secure Lightpath Creation Across Heterogeneous Domains
Applications Drive Secure Lightpath Creation Across Heterogeneous DomainsTal Lavian Ph.D.
 
How do the 802.11u and HotSpot 2.0 work?
How do the 802.11u and HotSpot 2.0 work?How do the 802.11u and HotSpot 2.0 work?
How do the 802.11u and HotSpot 2.0 work?Michal Jarski
 
Cert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdfCert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdfAllen Kuo
 
Remote access service
Remote access serviceRemote access service
Remote access serviceApoorw Pandey
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 

Similar a AAA Protocol (20)

Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebello
 
AAA server
AAA serverAAA server
AAA server
 
Ch08 Authentication
Ch08 AuthenticationCh08 Authentication
Ch08 Authentication
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
PACE-IT, Security + 5.1: Summary of Authentication Services
PACE-IT, Security + 5.1: Summary of Authentication ServicesPACE-IT, Security + 5.1: Summary of Authentication Services
PACE-IT, Security + 5.1: Summary of Authentication Services
 
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdfConfiguring Wired 802.1x Authentication on Windows Server 2012.pdf
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
 
SDP Glossary v2.0
SDP Glossary v2.0 SDP Glossary v2.0
SDP Glossary v2.0
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE Architectures
 
ClearPass Policy Model - An Introduction
ClearPass Policy Model - An IntroductionClearPass Policy Model - An Introduction
ClearPass Policy Model - An Introduction
 
IEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ ImplementationIEEE 802.1X and Axis’ Implementation
IEEE 802.1X and Axis’ Implementation
 
Restful api
Restful apiRestful api
Restful api
 
The three chain links of radius security
The three chain links of radius securityThe three chain links of radius security
The three chain links of radius security
 
Applications Drive Secure Lightpath Creation Across Heterogeneous Domains
Applications Drive Secure Lightpath Creation Across Heterogeneous DomainsApplications Drive Secure Lightpath Creation Across Heterogeneous Domains
Applications Drive Secure Lightpath Creation Across Heterogeneous Domains
 
How do the 802.11u and HotSpot 2.0 work?
How do the 802.11u and HotSpot 2.0 work?How do the 802.11u and HotSpot 2.0 work?
How do the 802.11u and HotSpot 2.0 work?
 
Cert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdfCert0101 HPE6-A42 & HPE6-A70.pdf
Cert0101 HPE6-A42 & HPE6-A70.pdf
 
Radius1
Radius1Radius1
Radius1
 
Remote access service
Remote access serviceRemote access service
Remote access service
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 

Más de Netwax Lab

Eincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeEincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeNetwax Lab
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Netwax Lab
 
Eincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionEincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionNetwax Lab
 
Eincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionEincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionNetwax Lab
 
Nxll12 zone based firewall
Nxll12 zone based firewallNxll12 zone based firewall
Nxll12 zone based firewallNetwax Lab
 
Nxll09 access list
Nxll09 access listNxll09 access list
Nxll09 access listNetwax Lab
 
Nxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNetwax Lab
 
Nxll10 v lan and trunking
Nxll10 v lan and trunkingNxll10 v lan and trunking
Nxll10 v lan and trunkingNetwax Lab
 
Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Netwax Lab
 
Nxll20 na ting
Nxll20 na ting Nxll20 na ting
Nxll20 na ting Netwax Lab
 
Nxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNetwax Lab
 
Nxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNetwax Lab
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Netwax Lab
 
Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Netwax Lab
 
Nxll22 role based cli
Nxll22 role based cliNxll22 role based cli
Nxll22 role based cliNetwax Lab
 
Nxll25 hsrp with failover
Nxll25 hsrp with failoverNxll25 hsrp with failover
Nxll25 hsrp with failoverNetwax Lab
 
Nxll28 ospf iii
Nxll28 ospf iiiNxll28 ospf iii
Nxll28 ospf iiiNetwax Lab
 

Más de Netwax Lab (20)

Eincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeEincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static route
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
 
Eincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionEincop Netwax Lab: Redistribution
Eincop Netwax Lab: Redistribution
 
Eincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionEincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route Redistribution
 
Nxll12 zone based firewall
Nxll12 zone based firewallNxll12 zone based firewall
Nxll12 zone based firewall
 
Nxll11 bgp
Nxll11 bgpNxll11 bgp
Nxll11 bgp
 
Nxll09 access list
Nxll09 access listNxll09 access list
Nxll09 access list
 
Nxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarization
 
Nxll10 v lan and trunking
Nxll10 v lan and trunkingNxll10 v lan and trunking
Nxll10 v lan and trunking
 
Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Nxll16 basic asa v8.2
Nxll16 basic asa v8.2
 
Nxll20 na ting
Nxll20 na ting Nxll20 na ting
Nxll20 na ting
 
Nxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asa
 
Nxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNxll17 dynamic routing with asa
Nxll17 dynamic routing with asa
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)
 
Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)
 
Nxll22 role based cli
Nxll22 role based cliNxll22 role based cli
Nxll22 role based cli
 
Nxll25 hsrp with failover
Nxll25 hsrp with failoverNxll25 hsrp with failover
Nxll25 hsrp with failover
 
Nxll26 bgp ii
Nxll26 bgp iiNxll26 bgp ii
Nxll26 bgp ii
 
Nxll28 ospf iii
Nxll28 ospf iiiNxll28 ospf iii
Nxll28 ospf iii
 
Nxll23 i pv6
Nxll23 i pv6Nxll23 i pv6
Nxll23 i pv6
 

Último

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

AAA Protocol

  • 1. AAA Protocol AAA stands for Authentication, Authorization and Accounting. This protocol was defined by the Internet Engineering Task Force in RFC 6733 and is intended to provide an Authentication, Authorization, and Accounting (AAA) framework for applications such as network access or IP mobility in both local and roaming situations.  Authentication is the process of identifying an individual, usually based on a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users.  Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access to depend on the user's authorization level.  Accounting is the process of keeping track of a user's activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation. AAA is used in scenarios where a NAS(Network Access Server) or a RAS(Remote Access server) Acts like a switch granting or denying access to the internet or intranet for a user based on AAA authentication & authorization. Elements of Authentication When performing authentication, numerous elements can be evaluated before a PDP reaches its access decision. At a high level, these elements can be broken down into three categories: the principal itself (the user, device, or service requesting access), the credential the principal submits (shared key, one- time password, digital certificate, or biometric credential), and the contextual information describing the transaction (location, time of day, software state, and so on). Figure 1 AAA Working
  • 2. AAA Protocol  Principal: The principal is the entity requesting authorization. It is generally some combination of user, device, or service. When concerned with a user, the PIP can provide attributes about the user such as role or group affiliations, job title, e-mail address, physical address, and so on.  Credential: The next element the PDP considers is the credential the user or device submits as proof of identity. There are four main types of credentials: shared key (password), one-time password (OTP), digital certificate, and biometric credential. This section examines each of these types. The first and most widely used form of credential is the shared key, typically a user password. AAA deployments that use shared keys can be subdivided based on the protocol the system uses to verify the password, including the Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft CHAP Extensions (MS- CHAP) Versions 1 and 2. PAP authentication is a plaintext authentication method that is not recommended for use in security-sensitive environments. Authorization Approaches At its core, authorization means determining what a client is allowed to do on the network. However, the granularity of this authorization is only as good as the sophistication of the PDP and the enforcement capabilities of the PEP. This section examines the authorization options for network AAA, including Layer 2 segmentation, Layer 3 filtering, and Layer 7 entitlements. It closes with an examination of some of the challenges encountered when sending or "provisioning" the authorizations from the PDP to the PEP.  Null Authorization (Authentication Only): Strangely the most common authorization in AAA is no authorization at all. After the authentication event occurs, the client is immediately granted full access to the network. This characteristic is a holdover from the original goal of remote- access AAA: to perform an authentication check that simply determines whether the client should be trusted as if it were connected to the organization's home network.  Layer 2 Segmentation: For wireless access points and Ethernet switches, the most common form of authorization enforcement is Layer 2 segmentation, which works by splitting the network into multiple logical segments, isolating certain classes of client from one another.  Layer 3 Filtering: Layer 3 filtering authorizes access to resources through ACLs configured on Layer 3 devices (routers, Ethernet switches, security gateways, and so on). These ACLs (which generally encompass Layer 4 of the OSI stack as well) can enforce authorizations to a range of hosts, specific hosts, or services on those hosts. As mentioned earlier, Layer 3 filtering can be combined with Layer 2 segmentation to provide aggregate authorizations for an entire VLAN.  Layer 7 Entitlements: Increasingly, security gateways are able to go beyond Layer 3 and 4 filtering and are starting to become application-aware, meaning that the authorizations handed from the PDP to the PEP can be very granular, focusing on the specific applications that are needed rather than broader filters based on segments or hosts on the network. Because this technology is still relatively new, there are no standards yet to make this interaction work
  • 3. AAA Protocol transparently. As a result, most granular application filters are written on the PEP itself in order to allow the PDP to trigger a pre-existing profile on the PEP.  Provisioning Challenges: In AAA parlance, the term "provisioning" refers to communicating a user's session rights and constraints to the PEP so that the PEP can grant and enforce these permissions. One of the most difficult aspects of provisioning access rights on a PEP is communicating the decision of the PDP in a format the PEP can understand. This fact is one of the reasons that many PEPs come with a lightweight PDP. This approach solves the narrow problem for that PEP but creates management challenges when coordinating network AAA across a broader enterprise, because the enterprise AAA policies must be implemented individually on each unique type of PEP on the network. Because RADIUS is the most commonly used network AAA protocol, it is natural to communicate the PDP decision using that protocol. RADIUS attributes such as the "filter-id" allow the PDP to trigger a preexisting filter on the PEP. Network Access Server (NAS) The Network Access Server (NAS) is a service element that clients dial in order to get access to the network. An NAS is a device having interfaces both to the backbone and to the POTS or ISDN, and receives calls from hosts that want to access the backbone by dialup services. NAS is located at an Internet provider's point of presence to provide Internet access to its customers. A Network Access Server is:  A single point of access to a remote resource.  A Remote Access Server, because it allows remote access to a network.  An Initial Entry Point to a network.  A Gateway to guard to protected resource. Figure 2 Basic Architecture of NAS/Radius/AAA
  • 4. AAA Protocol AAA Flow 1. The client attempts to connect to the network, is challenged for identity information, and sends this information to the PEP. In this example, let's assume the client is a laptop with a worker attempting to access an organization's VPN from a remote location. Additionally, we'll assume this is a valid, permitted use of the network. 2. The PEP sends the collected identity information to the PDP. In some cases (discussed in part two of this article), the PEP cannot see the specific identity information provided but instead relays the information directly to the PDP. 3. The PDP queries any configured PIPs for information about the client and validates that the credential provided by the client is valid. In this example, the PIP is an LDAP directory. Figure 3 A Client Connects to a AAA-Protected Network
  • 5. AAA Protocol 4. The PIP returns a success or failure message from the credential validation step and sends additional information about the client to the PDP for evaluation. This information could include the role of the user, the home location for the user, and so on. 5. The PDP evaluates information learned about the client through the client, PEP, and PIP; the role of the PEP and PIP that serviced the request; and any contextual information (such as time of day) against its configured policies. Based on this information, the PDP makes an authorization decision. 6. The PDP sends the PEP the authentication result and any authorizations specific to the client. These authorizations trigger specific PEP actions to apply to the client. For example, the authorization data might trigger specific Access Control Lists (ACLs) or IP pool assignments for the client. 7. The PDP also sends the result of this transaction to the accounting system. 8. The PEP applies the authorization profile learned from the PDP and sends the "authentication successful" message to the client. The PEP can also be configured to send accounting information on this new connection to the accounting and reporting system. 9. The client accesses the production network through the PEP. Types of AAA Servers  Access Network AAA (AN-AAA): Communicates with the RNC in the Access Network (AN) to enable authentication and authorization functions to be performed at the AN. The interface between AN and AN-AAA is known as the A12 interface.  Broker AAA (B-AAA): Acts as an intermediary to proxy AAA traffic between roaming partner networks (i.e., between the H-AAA server in the home network and V-AAA server in the serving network). B-AAA servers are used in CRX networks to enable CRX providers to offer billing settlement functions.  Home AAA (H-AAA): The AAA server in the roamer's home network. The H-AAA is similar to the HLR in voice. The H-AAA stores user profile information, responds to authentication requests, and collects accounting information.  Visited AAA (V-AAA): The AAA server in the visited network from which a roamer is receiving service. The V-AAA in the serving network communicates with the H-AAA in a roamer's home network. Authentication requests and accounting information are forwarded by the V-AAA to the H-AAA, either directly or through a B-AAA.
  • 6. AAA Protocol Core Components of AAA  Client: The client is the device attempting to access the network. The client either authenticates itself, or it acts as a proxy to authenticate the user.  Policy Enforcement Point (Authenticator): The Policy Enforcement Point (PEP) is sometimes called the authenticator or dial-in server, VPN concentrator, firewall, gateway General Packet Radio Service (GPRS) support node, Ethernet switch, wireless access point, or an inline security gateway. The PEP is responsible for enforcing the terms of a client's access. This enforcement varies based on the capabilities of the PEP and is discussed later in this article.  Policy Information Point: The Policy Information Point (PIP) is a repository of information to help make the access decision. It could be a database of device IDs, a user directory such as the Lightweight Directory Access Protocol (LDAP), a one-time password (OTP) token server, or any other system that houses data relevant to a device or user access request.  Policy Decision Point (AAA Server): The Policy Decision Point (PDP) is the brain of the AAA decision. It collects the access request from the client through the PEP. It also queries any relevant PIPs to gather the information it needs to make the access decision. The PDP, as its name implies, is the entity that makes the final decision around network access. It also can send specific authorizations back to the PEP that apply settings or constraints to the client's network traffic.  Accounting and Reporting System: Whether on a dedicated system or built as part of a PDP, tracking use of the network with accounting is one of the best features of AAA. With all forms of network access now offering controlled access, the AAA service can tell you who got on the network, from where, and what that person was granted access to. AAA Protocols Radius is an AAA protocol for applications such as Network Access or IP Mobility. Besides Radius, we have the following protocols in AAA: Terminal Access Controller Access Control System (TACACS) TACACS is a remote authentication protocol that is used to communicate with an authentication server commonly used in Unix networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. TACACS+ TACACS+ provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. It uses TCP and provides separate authentication, authorization, and accounting services. It works on port 49.
  • 7. AAA Protocol DIAMETER Diameter is a planned replacement of Radius. Benefits of Using AAA AAA provides the following benefits:  Increased flexibility and control of access configuration  Scalability  Standardized authentication methods, such as RADIUS and TACACS+  Multiple backup devices Choosing between RADIUS and TACACS  RADIUS Advantages The main advantage of RADIUS is availability. Although all modern Cisco devices support TACACS+, support outside the Cisco community is limited. If you work on a mixed vendor network, RADIUS is likely the best option available.  TACACS+ Advantages As an extension of the RADIUS protocol, TACACS+ implements most of the features of RADIUS. The advantages of TACACS+ are in how it changes the implementation of RADIUS, as well as how it extends the protocol to meet the needs of modern networks. 1. TACACS+ uses TCP instead of UDP. TCP guarantees communication between the client and server. Unlike UDP, which is connectionless, TCP initiates a connection with the server and is not as susceptible to situations such as network congestion and server crashes. 2. TACACS+ encrypts all of the data in the TACACS+ packet. Although RADIUS does encrypt the password in the packet, it doesn't protect against other data interception such as username and accounting information. 3. TACACS+ allows for different methods of authentication, authorization, and accounting. RADIUS couples authentication and authorization, making it difficult to use different servers for these purposes. 4. TACACS+ allows a network administrator to define what commands a user may run. This fine grain level of control allows more controlled access for a greater number of users on a network. When choosing an AAA protocol to use on a Cisco-based network, TACACS+ is the obvious choice. RADIUS (or a combination of TACAS+ and RADIUS) may be required if the network uses non-Cisco devices that do not support the TACACS+ protocol.
  • 8. AAA Protocol Basic AAA Configuration on IOS Steps to configuring AAA:  Enable AAA Router(config)# aaa new-model  Configure authentication, using RADIUS or TACACS+ There are two approaches to configuring TACACS+ servers. In the first, servers are specified in global configuration mode using the command tacacs-server to specify an IP address and shared secret key for each server: Router(config)# tacacs-server host 192.168.1.3 key MySecretKey1 Router(config)# tacacs-server host 192.168.2.3 key MySecretKey2 This approach is sufficient for many deployments, but is problematic if you want to reference only a subset of the defined servers for a certain AAA function. For example, suppose you want to use one TACACS+ server for control plane authentication on the router itself, and the second server for authenticating PPP connections. In this case, you would assign the servers to named AAA server groups: Router(config)# aaa group server tacacs+ LoginAuth Router(config-sg-tacacs+)# server 192.168.1.3 Router(config)# aaa group server tacacs+ PPPAuth Router(config-sg-tacacs+)# server 192.168.2.3  Define the method lists for authentication Router(config)# aaa authentication login default group tacacs+ local The above method list handles only the authentication aspect of AAA. By itself, this list only allows us to authenticate as a user with privilege level 1 (user exec mode). To communicate a heightened privilege level (e.g. privilege level 15, or "enable mode") from the TACACS+ server, we also need to define an authorization method list for IOS shell creation. Router(config)# aaa authorization exec default group tacacs+ local  Apply the method lists per line/ per interface Router(config)# line console 0 Router(config-line)# login authentication default Router(config)# line vty 0 15 Router(config-line)# login authentication default