Authentication, Authorization, and Accounting (AAA) is one of the most overlooked methods of hardening networks, particularly in small and medium-sized networks. A few factors contribute to this. First, many companies do not think about controlling access to their network infrastructure resources the way they should. They fall into the trap of thinking of a network device as "just a switch," so what does it really matter if someone gains access to it? Second, many network administrators are accustomed to using shared passwords for access to network equipment; after all, that is how almost all of them were taught. Third, many companies simply do not realize that they can restrict access to most of their network devices with a degree of granularity similar to how they restrict access to their server resources.
However, AAA is really a necessity for all networks. Authentication allows you to determine the identity of a user. Authorization allows you to determine what that user is permitted to do. Accounting allows you to determine what the user actually did while logged in. At the very minimum, you need to implement an AAA scheme that enforces stringent access control for the administrative sessions on your network devices. In addition, AAA enables you to provide granular management access through authorization, which allows you to break away from the all-or-nothing administration that is so prevalent on today's networks (that is, you either know the enable secret or you don't). You can restrict some users to read-only or diagnostic commands while allowing other users less restrictive access. You can then verify the use and function of your AAA implementation by configuring accounting, which lets you determine who did what and when they did it. Such a record can be an invaluable resource in legal proceedings, in addition to letting you know who is doing what on a day-to-day basis.
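As an added illustration of the three pieces working together (this configuration is not from the chapter itself), the following Cisco IOS fragment authenticates administrators against a TACACS+ server with a local fallback, authorizes each command by privilege level so that a read-only operator can run a handful of diagnostic commands without knowing the enable secret, and accounts for every session and command. The server name and address, the shared key, the usernames and the passwords are all assumed values for the example.

```cisco
! Example AAA configuration (assumed names, addresses and passwords)
aaa new-model
!
! TACACS+ server definition. Older IOS releases use "tacacs-server host <addr> key <key>" instead.
tacacs server AAA-SERVER-1
 address ipv4 192.0.2.10
 key ExampleSharedKey
!
! Local fallback accounts, used only when the TACACS+ server is unreachable.
! Level 5 is the read-only/diagnostic operator; level 15 is full administrator.
username netops-ro privilege 5 secret ExampleReadOnlyPass
username netops-admin privilege 15 secret ExampleAdminPass
!
! Authentication: ask TACACS+ first, fall back to the local database.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: the server decides the exec privilege level and approves
! each level-5 and level-15 command individually before it runs.
aaa authorization exec default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: record session start/stop and every level-5 and level-15 command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Move selected diagnostic commands down to level 5 so the read-only
! operator can run them. A level-5 user who issues "show running-config"
! sees only the commands available at or below level 5.
privilege exec level 5 show running-config
privilege exec level 5 show logging
privilege exec level 5 show interfaces
!
! Management access only over SSH; the "default" method lists above apply
! to the vty lines automatically.
line vty 0 4
 transport input ssh
```

With this in place, netops-ro lands at privilege level 5 after login and can run the three diagnostic show commands but nothing that changes configuration, netops-admin gets level 15, and the TACACS+ server receives an accounting record for each session and each authorized command, which is the "who did what and when" record described above. The local accounts should be treated strictly as a break-glass fallback, and the shared key and passwords should of course be replaced with real secrets.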
This chapter explores how we can implement an AAA framework to control who is allowed to access the network and what they are allowed to use once they have access. The first step is to look not only at how we can leverage authentication as a management access control mechanism, but also at how we can use it to control access to the network in general. Next we will look at how we can control what an authenticated user can do through the use of authorization. After that, we will look at using accounting to provide a record of what was done for auditing purposes. We will finish by looking at how we can implement 802.1X to require authentication of every system attempting to connect to the network.