Hi,
Nowadays, network security issues are becoming increasingly serious. In order to prevent unauthorized users from accessing, authenticating access users is the most common practice. The most commonly used method for user authentication is AAA, that is, authentication, authorization, and accounting. AAA can not only authenticate access users but also authorize an account based on user roles. In this way, the access, access privileges, and traffic records of access users are fully controlled.
Authentication
Authentication confirms the identities of remote users accessing the network and determines whether the users are authorized.
Authorization
Authorization assigns differentiated rights to authorize users to use specific services.
Accounting
Accounting records all operations of a user during the network service process, including the used service type, start time, and data traffic, to collect and record the network resource usage of the user for implementing time- or traffic-based accounting and network monitoring.
Basic Architecture of AAA
AAA uses the client/server architecture. The access device on which an AAA client runs is usually called the network access server (NAS) that is responsible for user identity verification and user access management. An AAA server provides a collection of authentication, authorization, and accounting functions and is responsible for centralized user information management.
Figure 1: Basic architecture of AAA
The most commonly used AAA server is RADIUS, which is the industry common standard.
Authentication process
Before the user tries to access the internet, it will initiate the authentication process to get itself online. Suppose the access user sends the username and password to the AAA to have itself authenticated. When receiving the username and password, the AAA client sends them to the AAA server to have this information verified. If the pair of username and password are correct, AAA will reply accept message to notify the AAA client that the accessing user is a legal user. Else, the AAA server will reply reject message to notify the AAA client the accessing user is an illegal user, as a result, the internet accessing traffic will be dropped by the AAA client.
Figure 2: Access user get authenticated
Besides the architecture above, we also could integrate the AAA server on the AAA client device. And in this scenario, the AAA client is the AAA server too.
Figure 3: The AAA client integrates the AAA server function
Though the AAA client could integrate the AAA function, it cannot be used as the AAA server, which means when acting as the AAA client and server, the device could only authenticate the access users that access on itself.
What is the difference between local authentication and AAA server authentication?
Local authentication | AAA server authentication | |
Authentication server | Local device | AAA server |
Resource | Occupy extra resource to store the username and password | Doesn't occupy an extra resource |
Configuration complexity | Easy | difficult |
The scale of supported users | small | large |
Extra protocol needed | No | Yes, usually use the RADIUS |
Maintenance difficulty | Easy | difficult |
Application scenario | SOHO etc. | Large-scale user access |
Table 1: Difference between local authentication and AAA server authentication
How to configure the local authentication?
To configure the local authentication, we can following the process.
Figure 4: Procedures for the local authentication configuring
