AAA stands for "Authentication, Authorization and Accounting", is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.
Authentication :
- Refers to confirmation that a user who is requesting a service is a valid user.
- Accomplished via the presentation of an identity and credentials.
- Examples of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).
Authorization :
- Refers to confirmation that a user who is requesting a service is a valid user.
- Accomplished via the presentation of an identity and credentials.
- Examples of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).
Accounting :
- Refers to the tracking of the consumption of network resources by users.
- Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.
- May be used for management, planning, billing etc.
AAA Protocols:
- Terminal Access Controller Access Control System (TACACS): TACACS is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. Unix daemon is TACACSD and runs on port 49. It uses TCP.
- TACACS+ : TACACS+ is a protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. It uses TCP and provides separate authentication, authorization and accounting services. Port is 49.
For session request:
1. An administrator logs in to a network device.
2. The network device sends a TACACS+ access request to ACS.
3. ACS uses an identity store to validate the user's credentials.
4. ACS sends a TACACS+ response to the network device that applies the decision. The response includes parameters, such as the privilege level that determines the level of administrator access for the duration of the session.
For command authorization:
1. An administrator issues a command at a network device.
2. The network device sends a TACACS+ access request to ACS.
3. ACS optionally uses an identity store to retrieve user attributes for inclusion in policy processing.
4. The TACACS+ response indicates whether the administrator is authorized to issue the command.
- RADIUS : Remote Authentication Dial In User Service is an AAA protocol for applications such as Network Access or IP Mobility. We will see more about RADIUS in subsequent chapters.
- DIAMETER : Diameter is a planned replacement of RADIUS.
Usage of AAA servers in LDAP Networks:
AAA servers in CDMA data networks are entities that provide Internet Protocol (IP) functionality to support the functions of authentication, authorization and accounting. The AAA server in the CDMA wireless data network architecture is similar to the HLR in the CDMA wireless voice network architecture.
Types of AAA servers :
- Access Network AAA (AN-AAA) – Communicates with the RNC in the Access Network (AN) to enable authentication and authorization functions to be performed at the AN. The interface between AN and AN-AAA is known as the A12 interface.
- Broker AAA (B-AAA) – Acts as an intermediary to proxy AAA traffic between roaming partner networks (i.e., between the H-AAA server in the home network and V-AAA server in the serving network). B-AAA servers are used in CRX networks to enable CRX providers to offer billing settlement functions.
- Home AAA (H-AAA) – The AAA server in the roamer's home network. The H-AAA is similar to the HLR in voice. The H-AAA stores user profile information, responds to authentication requests, and collects accounting information.
- Visited AAA (V-AAA) – The AAA server in the visited network from which a roamer is receiving service. The V-AAA in the serving network communicates with the H-AAA in a roamer's home network. Authentication requests and accounting information are forwarded by the V-AAA to the H-AAA, either directly or through a B-AAA.
Current AAA servers communicate using the RADIUS protocol. As such, TIA specifications refer to AAA servers as RADIUS servers. However, future AAA servers are expected to use a successor protocol to RADIUS known as Diameter.
The behavior of AAA servers (radius servers) in the CDMA2000 wireless IP network is specified in TIA-835.
No comments:
Post a Comment