Accounting Example



Back once again to our sample network, you can now use AAA accounting to perform one of the previously mentioned types of accounting. In this example, you pick up after authentication and authorization have taken place. Here resource accounting performs start-stop accounting for FTP on the network. See Figure 1-3.

Figure 1-3. Basic Accounting of Resources


In this example, the following process is performed. Note that once again authentication must take place.

Step 1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.

Step 2. When the user finishes, a stop message is recorded, ending the accounting process.

Once again, a method list determines what type of accounting is to be performed.
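The start and stop messages from the steps above are what gets reconciled when accounting data is reviewed. The following is an added example, not code from the book or from any Cisco product: it pairs start and stop records by session ID and reports any session that is missing its counterpart. The record layout, field names, and sample lines are constructed for illustration.

```python
from datetime import datetime

# Constructed accounting records (not output from a real AAA server).
# Assumed layout for this example, one message per line:
#   timestamp user session-id service status
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice s-1001 ftp start
2024-05-01T09:04:30 alice s-1001 ftp stop
2024-05-01T09:10:00 bob s-1002 ftp start
2024-05-01T09:12:00 carol s-1003 ftp stop
2024-05-01T09:15:00 alice s-1004 ftp start
2024-05-01T09:15:45 alice s-1004 ftp stop
"""


def pair_sessions(log_text):
    """Pair start and stop messages by session id.

    Returns (completed, open_sessions, orphan_stops):
      completed     - (user, service, session_id, seconds) per finished session
      open_sessions - starts that never saw a stop
      orphan_stops  - stops with no preceding start
    """
    started = {}
    completed, orphan_stops = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, service, status = line.split()
        when = datetime.fromisoformat(ts)
        if status == "start":
            started[sid] = (user, service, when)
        elif status == "stop":
            if sid not in started:
                orphan_stops.append((user, service, sid))
                continue
            s_user, s_service, began = started.pop(sid)
            seconds = int((when - began).total_seconds())
            completed.append((s_user, s_service, sid, seconds))
    open_sessions = [(u, svc, sid) for sid, (u, svc, _) in started.items()]
    return completed, open_sessions, orphan_stops


if __name__ == "__main__":
    done, still_open, orphans = pair_sessions(SAMPLE_LOG)
    for user, service, sid, secs in done:
        print(f"{user} used {service} for {secs}s (session {sid})")
    print("no stop recorded:", still_open)
    print("stop without start:", orphans)
```

A start with no stop or a stop with no start usually means a dropped accounting message or a session that is still active, so both lists are worth reviewing rather than discarding.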



Cisco Device Support for AAA

It is pretty safe to say that most Cisco devices support the AAA framework. In some cases, the support for AAA is not the issue, but rather the support for either Terminal Access Controller Access Control System Plus (TACACS+) or Remote Authentication Dial-In User Service (RADIUS), because these are the protocols that AAA uses to communicate with an AAA server. In some situations, the protocol might be LOCAL, however, and RADIUS or TACACS+ are not needed.

In some cases, the RADIUS protocol is the only type of communication protocol that is used. In other cases, RADIUS can be used for user AAA, and TACACS+ can be used in administrative AAA, as is the case for Cisco VPN 3000 series concentrators. It is best that you determine this prior to the configuration of AAA. The RADIUS and TACACS+ protocols communicate in different ways, and you might likewise need to configure them in different ways.

AAA services are often provided by a dedicated AAA server, such as CSACS, a program that performs these functions. The current standards by which network access servers interface with the AAA servers are the RADIUS and TACACS+ protocols. These are supported by the CSACS server software. This server is discussed in greater detail in the following chapters.

An AAA server is simply a server program that handles user requests for access to network resources and provides AAA services. The AAA server typically interacts with network access and gateway servers and with databases and directories containing user information. The current standard by which devices or applications communicate with an AAA server is RADIUS. Most Cisco devices also support the TACACS+ protocol; however, this is a proprietary protocol. Not all devices support it.



Summary

AAA is a framework for authentication, authorization, and accounting in a Cisco environment. To perform these processes, a Cisco device uses a method list, along with other configuration tasks to designate the server and protocol. At this point, you should have a basic understanding of what the AAA framework is, what it provides in your network, and the most basic process of configuration.

Chapter 2, "TACACS+ and RADIUS," will discuss the TACACS+ and RADIUS protocols and how they communicate between the AAA server and the AAA client. In Chapter 3, you will configure AAA on a Cisco router and discuss some of the implications that might come along with these configurations.


