AAA and RADIUS Overview

AAA is a set of security protocols for securing access to a network device such as a router, firewall, or switch, and also to an end device such as a server or host computer. AAA stands for Authentication, Authorization, and Accounting. Authentication refers to how you log in to the device: usernames, passwords, and encryption. Authorization refers to the privilege level you are granted once you have been authenticated to the system; an example is the difference between admin or root privileges and regular user privileges. Accounting refers to keeping a record of user activities such as access times, commands used, and files accessed. Having AAA security features enabled and configured enhances the security of your network, your users, and your data.

With Cisco network devices like firewalls, routers, and switches, you can implement AAA security by using the device's built-in database to store usernames and encrypted passwords. However, this is not the optimal way of implementing AAA security, because you have to duplicate your efforts on each network device. A better way is to have one or two external AAA devices that handle all authentication, authorization, and accounting on the network. That way, all of your network devices and clients authenticate usernames and passwords against the same database. An external server-based authentication system can be configured to work in conjunction with a Windows Server Active Directory database of users or another LDAP-based user database. Cisco network devices can be configured to work in conjunction with RADIUS or TACACS+ authentication servers. Cisco also offers its own authentication server, Cisco Secure ACS, which supports both RADIUS and TACACS+.
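The following is an added example, not taken from the original page or its videos: a minimal Cisco IOS configuration, in the older `radius-server host` syntax, that sends login authentication to one external RADIUS server and keeps a local account as a fallback. The server address 192.0.2.10, the UDP ports 1812/1813, and the angle-bracket placeholders are assumptions to be replaced with your own values.

```cisco
! Added example (assumed values): 192.0.2.10 is a documentation address
! standing in for the RADIUS server; <...> values are placeholders.
!
! Local account in the device's built-in database. With the method lists
! below it is only consulted when the RADIUS server does not respond.
username localadmin privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
! Enable the AAA command set on the device.
aaa new-model
!
! Define the external RADIUS server and the shared secret that must match
! the secret configured for this router on the server.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
!
! Authentication: try RADIUS first, fall back to the local database only
! if the server is unreachable (a reject from the server is final).
aaa authentication login default group radius local
!
! Authorization: let the server decide whether the user gets an EXEC shell;
! if it returns no authorization data, allow any authenticated user.
aaa authorization exec default group radius if-authenticated
!
! Accounting: send a start and a stop record for each EXEC session.
aaa accounting exec default start-stop group radius
!
! Apply the default login method list to remote management lines.
line vty 0 4
 login authentication default
```

Listing `local` after `group radius` matters: without a fallback method, a RADIUS outage locks every administrator out of the device.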

Video Tutorials

In part 1, I start the WinRadius server, create a database, add a user, and test the connection.

In part 2, I configure AAA services on the router and configure it to send user authentication to the RADIUS server.

In part 3, I configure AAA services with Cisco CLI and Cisco SDM, in order for the router to send authentication to a RADIUS server.

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.

