Aruba Switch Series 2930 AAA (Authentication, Authorization and Accounting)
AAA is a framework for controlling who may log in to a network device, what they may do once connected, and what they actually did. It is delivered over protocols such as RADIUS and TACACS+.
AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers.
- TACACS+ uses TCP port 49.
- RADIUS uses UDP port 1812 for authentication and authorization and UDP port 1813 for accounting (older deployments may still use 1645/1646).
- TACACS+ obfuscates the entire packet body (everything after the 12-byte header) with an MD5-derived keystream keyed by the shared secret, so usernames, commands and accounting records are not readable on the wire. RADIUS hides only the User-Password attribute in the same way; the username, NAS address, accounting information and all other attributes are sent in clear text.
- Neither scheme is modern authenticated encryption: both depend entirely on the strength and secrecy of the shared secret, so use a long random secret per device and keep AAA traffic on a dedicated management network.
1) Authentication identifies the user (who is logging in).
2) Authorization determines what the authenticated user is allowed to do on the network or device.
3) Accounting records what the user did and for how long, for billing, auditing and forensic purposes.
AAA information is typically stored in an external database or remote server such as a RADIUS or TACACS+ server. The information can also be stored locally on the access server itself (the switch or router), which is what the switch falls back to when no server can be reached.
Remote security servers, such as RADIUS and TACACS+ servers, assign users specific privileges by associating attribute-value pairs (AVPs), which define the access rights, with the appropriate user. All authorization methods must be defined through AAA.
What is the RADIUS Protocol
The RADIUS (Remote Authentication Dial-In User Service) protocol carries authentication, authorization, and configuration information between a network access server (NAS) and a RADIUS authentication server.
Authentication with RADIUS allows a unique password for each user, instead of maintaining and distributing switch-specific passwords to all users. RADIUS verifies identity for the following types of primary password access to the switch:
1) Serial port (console)
2) Telnet
3) SSH
4) SFTP/SCP
5) Web Agent
6) Port-Access (802.1X)
Aruba-OS switches support RADIUS accounting for 802.1X, web-based and MAC authentication sessions, and for management (exec) sessions on the console, Telnet and SSH, collecting resource consumption data and forwarding it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis.
RADIUS requests and responses are packets (Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request and Accounting-Response) that carry attribute-value pairs called RADIUS attributes. These attributes provide the information needed by a RADIUS server to authenticate users and to establish authorized network service for them. The RADIUS protocol also carries accounting information between a network access server and a RADIUS accounting server.
RADIUS is a client/server protocol. The RADIUS client is typically a network access server. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user.
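The exchange described above, as an added example written for this page rather than code from the Aruba switch or any RADIUS implementation. The shared secret, the user database and the NAS address are constructed sample values, and the "switch" and "server" are plain functions, so nothing is sent on the network. It also makes concrete the earlier point about what RADIUS encrypts: the User-Password attribute is hidden with an MD5 keystream derived from the shared secret and the random Request Authenticator, while User-Name travels in clear text, and the NAS must recompute the Response Authenticator so that a reply cannot be forged, or flipped from Reject to Accept, by a host that does not know the secret.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) in pure Python.

Added example, not ArubaOS-Switch or any RADIUS server's code. The NAS
("switch") and server are plain functions sharing a constructed secret;
nothing is sent on the network.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"Sw1tch-Rad1us-S3cret"            # constructed shared secret
USER_DB = {b"netadmin": b"CorrectHorse9!"}  # constructed server-side user store


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type(1) Length(1) Value TLVs; Length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(pkt):
    """Returns (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def client_access_request(username, password, ident=7):
    """What the NAS sends: a fresh random Request Authenticator, the
    username in clear text and the password hidden with the secret."""
    req_auth = os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, SECRET, req_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 2])),   # constructed NAS address
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth, ident


def server_handle(pkt):
    """Recover the password, check it, and sign the reply with
    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    password = unhide_password(a[ATTR_USER_PASSWORD], SECRET, req_auth)
    ok = code == ACCESS_REQUEST and USER_DB.get(a[ATTR_USER_NAME]) == password
    reply_attrs = b""  # a real Accept would carry e.g. Service-Type or vendor attributes
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    return header + hashlib.md5(header + req_auth + reply_attrs + SECRET).digest() + reply_attrs


def client_verify_reply(reply, req_auth, ident):
    """The NAS must recompute the Response Authenticator: a reply forged or
    altered by someone without the secret (e.g. Reject flipped to Accept) fails here."""
    code, rid, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + SECRET).digest()
    return rid == ident and resp_auth == expected and code == ACCESS_ACCEPT


def run_exchange(username, password):
    """Full round trip; True only when the server accepts and the reply is authentic."""
    pkt, req_auth, ident = client_access_request(username, password)
    return client_verify_reply(server_handle(pkt), req_auth, ident)


def wire_exposure(username, password):
    """(username visible on the wire?, password visible on the wire?)"""
    pkt, _, _ = client_access_request(username, password)
    return username in pkt, password in pkt
```

The password hiding is reversible by anyone who holds the shared secret and carries no integrity check of its own; only the Response Authenticator protects the reply. A long random secret, a distinct secret per switch, and a separate management network are the practical mitigations.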
What is the TACACS+ Protocol
TACACS+ AAA systems are used as a single point of management for configuring and storing user accounts. They are often coupled with directories and management repositories, simplifying the set-up and maintenance of end-user accounts.
In the authorization function of the AAA system, network devices using the authentication service can provide fine-grained control over user capabilities for the duration of the user's session, for example setting access control or session duration. Because TACACS+ separates authorization from authentication, the switch can ask the server to approve each command individually, which RADIUS (where authorization attributes arrive bundled in the Access-Accept) cannot do.
Enforcement of restrictions on a user account can limit the available commands and levels of access.
TACACS+ authentication provides a central server on which you can allow or deny access to switches and other TACACS+-aware devices in your network. The server holds a central database of unique username and password sets with their associated privilege levels, and the Aruba-OS switch consults it when a user logs in through the console port, Telnet or SSH.
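To show what it means that TACACS+ hides the whole packet body (the contrast with RADIUS drawn at the top of the page), here is an added example written for this page, not code from Aruba or any TACACS+ server. It builds the authentication START packet a switch sends when a user logs in, obfuscates the body with the RFC 8907 MD5 keystream derived from the shared key, session id, version and sequence number, and parses it back on the "server" side. The key, session id, username, port and remote address are constructed sample values; the `key=None` path mimics a client with no key configured, which sets the UNENCRYPTED flag and sends the body in clear text.

```python
"""TACACS+ packet body obfuscation (RFC 8907 section 4.5) in pure Python.

Added example, not Aruba or any TACACS+ server's code. The shared key, session
id and login details are constructed sample values; nothing touches the network.
"""
import hashlib
import struct

VERSION = 0xC0                   # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 1              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 1, 1, 1

KEY = b"Tacacs-Shared-Key-Example"   # constructed shared key
SESSION_ID = 0x1A2B3C4D              # constructed; real clients pick it at random


def keystream(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id | key | version | seq_no),
    pad_n = MD5(session_id | key | version | seq_no | pad_{n-1}), concatenated."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(base + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; applying it twice restores the body.
    This is a keystream with no integrity check: bit flips go undetected."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1, seq_no=1, key=KEY, session_id=SESSION_ID):
    """Authentication START packet (12-byte header + body). key=None mimics a
    client with no key configured: UNENCRYPTED flag set, body sent in clear."""
    body = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    if key is None:
        flags, wire_body = TAC_PLUS_UNENCRYPTED_FLAG, body
    else:
        flags, wire_body = 0, obfuscate(body, session_id, key, VERSION, seq_no)
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + wire_body


def parse_authen_start(pkt, key=KEY):
    """Server side: read the header, deobfuscate with the configured key,
    and pull the variable-length fields out of the body."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    i = 8
    user, i = body[i:i + ul], i + ul
    port, i = body[i:i + pl], i + pl
    rem_addr = body[i:i + rl]
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "priv_lvl": priv_lvl, "seq_no": seq_no,
            "encrypted": not flags & TAC_PLUS_UNENCRYPTED_FLAG}
```

Two practical consequences follow from the code. First, the keystream depends only on the key, session id, version and sequence number, not on the body, so a wrong key on either side produces garbage rather than an error; a mismatched key therefore shows up as failed logins, not as a clear diagnostic. Second, the obfuscation offers no integrity protection, so the shared key must be kept secret and the TCP 49 path kept on a trusted management network; the key itself is configured on the switch alongside the server address, and a switch with no key would be sending bodies in clear exactly as the `key=None` case does.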
TACACS+ uses an authentication hierarchy consisting of:
- Remote passwords assigned in a TACACS+ server
- Local passwords configured on the switch
If the switch cannot reach any configured TACACS+ server, it falls back to the locally configured passwords, provided local authentication has been configured as the secondary method. The fallback applies only when the server is unreachable: a reject returned by a reachable server is final and local passwords are not tried. This keeps a server outage from locking administrators out, but it also means the local accounts must be kept as strong as the central ones.