Authentication, Authorization and Accounting (AAA)

AAA is a term describing a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing the system. The UFM Enterprise Appliance switch supports Terminal Access Controller Access Control device Plus (TACACS+) protocol.

• Authentication – authentication provides the initial method of identifying each individual user, typically by entering a valid username and password before access is granted. The AAA server compares a user's authentication credentials with the user credentials stored in a database. If the credentials match, the user is granted access to the network or devices. If the credentials do not match, authentication fails and network access is denied.

• Authorization – following the authentication, a user must gain authorization for performing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity.

• Accounting – the last level is accounting, which measures the resources a user consumes during access. This includes the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information, and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

Authentication, authorization, and accounting services are often provided by a dedicated AAA server, a program that performs these functions.

TACACS (Terminal Access Controller Access Control System), widely used in network environments, is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. TACACS implements the TACACS Client and provides the AAA (Authentication, Authorization and Accounting) functionalities.

TACACS is used for several reasons:

• Facilitates centralized user administration

• Uses TCP for transport to ensure reliable delivery

• Supports inbound authentication, outbound authentication and change password request for the authentication service

• Provides some level of protection against an active attacker

For the list of TACACAS+ CLI commands, please refer to TACACAS+.

Configuring TACACS+ on UFM Servers

• Add TACACS server with a key. Run:

  Copy

  Copied!

              
  
              
  ufmapl (config) # tacacs-server host 10.209.102.86 key testkey123 
          

• [Optional] Review the added server configuration. Run:

  Copy

  Copied!

              
  
              
  ufmapl (config) # show tacacs 
          

  Example:

  Copy

  Copied!

              
  
              
  swx-ufm3-06 (config) # show tacacs 
   
  TACACS+ defaults:
   Timeout      :1
  TACACS+ servers:
   10.209.102.86:49:
     Key        : *********
          

• Enable TACACS authentication. Run:

  Copy

  Copied!

              
  
              
  ufmapl (config) # aaa authentication login default local tacacs+ 
          

• [Optional] Review the Authentication and Accounting methods. Run:

  Copy

  Copied!

              
  
              
  ufmapl (config) # show aaa 
          

  Example:

  Copy

  Copied!

              
  
              
  swx-ufm3-06 (config) # show aaa 
  AAA authorization: 
      Map Order: remote-only
   
  Authentication method(s)L
      local
      tacacs+
   
  Accounting method(s)L
      tacacs+
          

Adding TACACS Users on the Server Side

A simple configuration file is provided below:

            

            
accounting file = /var/log/tac_plus.acct
key = testkey123
user = testuser1 {
        global = cleartext testpass1
        service = exec { priv-lvl=15 }
        cmd = help { permit .* }
        cmd = enable { permit .* }
        cmd = configure { permit terminal }
        cmd = show {
                permit ufm.*
                deny .*
        }
}
 
user = testuser2 {
        global = cleartext testpass2
        service = exec { priv-lvl=15 }
        cmd = help { permit .* }
        cmd = enable { permit .* }
        cmd = configure { permit terminal }
        cmd = ufm {
                permit "logging .*"
                deny .*
        }
        cmd = no {
                permit "ufm logging .*"
                deny .*
        }
        cmd = show { permit .* }
}
 
user = testuser3 {
        default service = permit
        global = cleartext testpass3
        service = exec { priv-lvl=15 }
}
        

From the above configuration example

• There are 3 TACACS users named testuser1, testuser2 and testuser3 with respective passwords of testuser1, testuser2 and testuser3.

• The secret of the tacacs server is testkey123, assuming that this server is running at an IP address of 10.209.102.86. This information is used to register a TACACS server using the tacacs-host command in UFMCLI.

• testuser1 can only execute the show ufm commands. Executing any other command is not allowed.

• testuser2 can execute all show commands and can configure only the [no]ufm logging commands.

• testuser3 can execute all commands since the default service is permit.