Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions:

AAA typically uses a client/server model, as shown in Figure 1. The client runs on the network access server (NAS), which is also referred to as the access device. The server maintains user information centrally. In an AAA network, the NAS is a server for users, but a client for AAA servers.

Figure 1: AAA application scenario

The NAS uses the authentication server to authenticate any user who tries to log in, use network resources, or access other networks. The NAS transparently transmits the authentication, authorization, and accounting information between the user and the servers. The RADIUS and HWTACACS protocols define how a NAS and a remote server exchange user information.

The network shown in Figure 1 comprises a RADIUS server and an HWTACACS server. You can choose different servers for different security functions. For example, you can use the HWTACACS server for authentication and authorization, and the RADIUS server for accounting.

You can implement any of the three security functions provided by AAA as needed. For example, if your company wants employees to be authenticated before they access specific resources, configure an authentication server. If network usage information is needed, you must also configure an accounting server.

AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS, of which RADIUS is most often used.
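The NAS-to-server exchange described above, shown for RADIUS as an added example that is not part of the original document: it builds the Access-Request a NAS sends, hiding the user's password with the shared secret as RFC 2865 specifies, and checks the authenticator on the server's reply. The user name, password, shared secret, and NAS identifier are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                                   # RFC 2865 packet code
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, user, password, secret, nas_id, req_auth=None):
    """Return (packet, request_authenticator) as the NAS would send it."""
    req_auth = req_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def verify_response(packet, ident, req_auth, secret) -> bool:
    """Check the Response Authenticator: MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    if len(packet) < 20:
        return False
    _code, resp_id, length = struct.unpack("!BBH", packet[:4])
    if resp_id != ident or not 20 <= length <= len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    # Constructed sample values, not taken from the original document.
    pkt, ra = build_access_request(7, b"alice", b"s3cret-pw", b"nas-shared-key", b"nas01")
    print(pkt.hex())
```

Only the User-Password value is hidden; the other attributes in the request travel in cleartext.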