Authentication, Authorization and Accounting Overview


Introduction
Over the years, authentication, authorization, and accounting (AAA) has changed dramatically as users of new-world
access technologies seek a way to authenticate, authorize, and start accounting records for billing user time on their
networks.
Cisco Systems has a rich and robust AAA implementation that enables a wide range of application clients including:
• 802.11b
• Cable and DSL
• Dial
• Firewall
• Gateway General Packet Radio Service (GPRS) and GPRS Support Node (GGSN)
• IP Security (IPSec)
• Multiprotocol Label Switching (MPLS)
• Open Settlement Protocol (OSP)
• Packet Data Serving Node (PDSN)
• Public Key Infrastructure (PKI)
• Session Initiation Protocol (SIP)
• Telco Data Communication Networks (DCNs)
• Tunneling
• Voice over IP (VoIP)
• Remote Authentication Dial-In User Service (RADIUS)
Cisco IOS® Software AAA network security services provide the primary framework to set up access control on a
router or access server. Cisco IOS AAA is an architectural framework for configuring a set of three independent
security functions in a consistent manner. AAA provides a modular way of performing authentication, authorization,
and accounting services.


Cisco IOS AAA provides the following benefits:
• Increased flexibility and control
• Scalability
• Standardized authentication methods (RADIUS, Terminal Access Controller Access Control System Plus [TACACS+], and
Kerberos)
The Cisco IOS AAA client resides on a router or network access server (NAS) and can locally perform all authentication,
authorization, and accounting functions. This model does not scale because there can be a large amount of stored data. The RADIUS
protocol enables use of an external server so that AAA can query and receive responses. The RADIUS protocol is based on a client/
server model. A NAS such as a Cisco AS5200 Access Server operates as a client of RADIUS. The client passes user information to a
designated RADIUS server and then acts on the response that is returned. The RADIUS database might contain thousands of user
profiles for security, network access, and billing records, as well as other connection-related data.


Need for AAA Services
Security for user access to the network and the ability to dynamically define a user’s profile to gain access to network resources has a
legacy dating back to asynchronous dial access. AAA network security services provide the primary framework through which a
network administrator can set up access control on network points of entry or network access servers, which is usually the function of
a router or access server. Authentication identifies a user; authorization determines what that user can do; and accounting monitors the
network usage time for billing purposes.
AAA information is typically stored in an external database or remote server such as RADIUS or TACACS+. The information can
also be stored locally on the access server or router. Remote security servers, such as RADIUS and TACACS+, assign users specific
privileges by associating attribute-value (AV) pairs, which define the access rights, with the appropriate user. All authorization methods
must be defined through AAA.


Traditional AAA Usage
Figure 2 shows the original use of AAA: authenticating and maintaining accounting records for a dial Point-to-Point Protocol (PPP)
user. In this implementation, a user dials a phone number corresponding to a port on one of the NASs at the edge of the data network.
When the user ID and password are configured, the server looks locally at the NAS database or makes a query to a preconfigured
RADIUS server to determine whether to permit or deny access to the network. If the user is permitted, the RADIUS server typically
sends a configuration or AV pair to the NAS, which dictates the type of service permitted for that user.


VoIP Prepaid Billing Solution
Cisco’s prepaid billing VoIP implementation (Figure 3) uses the RADIUS protocol to communicate AAA information between the
voice gateways and the billing application.
The market for this prepaid service includes tourists, immigrant communities, mobile populations such as military personnel, and
people with limited credit histories who cannot otherwise get a private telephone line in their homes. These users can all gain
immediate access to long-distance or international calling services from wherever they are located through the use of plastic prepaid
calling cards that can be purchased at supermarkets and many other types of retail outlets.
The Cisco distributed VoIP prepaid calling solution requires that each voice gateway in the service provider’s network run the prepaid
Interactive Voice Response (IVR) script. The scripts and preferred language prompts are stored on, and run from, each gateway. The
prepaid IVR script determines which audio prompts to play to the caller and collects the caller’s responses entered using the telephone
handset and extracted using Dual-Tone Multifrequency (DTMF) detection on each gateway. The mechanisms for timing and
terminating calls also run in the VoIP gateways, ensuring that the call is disconnected if its authorized duration expires.
The prepaid calling billing application maintains all of the callers’ records, authenticates the callers, rates and authorizes the calls, and
updates callers’ card balances at the end of all calls.


The RADIUS Protocol
Implemented by several vendors of network access servers, RADIUS has gained support among a wide customer base, including
Internet service providers (ISPs). Cisco supports several RADIUS server implementations such as the Access Registrar (AR) and
Access Control Server (ACS).
The RADIUS protocol carries authentication, authorization and configuration information between a NAS and a RADIUS
authentication server. The information carried in RADIUS requests and responses is encoded as RADIUS attributes. These attributes can be
User-Name, Service-Type, and so on. These attributes provide the information needed by a RADIUS server to authenticate users and to
establish authorized network service for them. The RADIUS protocol also carries accounting information between a NAS and a
RADIUS accounting server.
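As an added illustration (not part of this document and not Cisco code), the following Python builds the Access-Request a NAS would send, with User-Name, User-Password and Service-Type attributes encoded as RADIUS type-length-value fields per RFC 2865, and checks the Response Authenticator on the server's reply so that a reply with a mismatched Identifier or a forged authenticator is not acted on. The shared secret, user name, password and Request Authenticator used here are constructed values.

```python
import hashlib
import secrets
import struct

# Packet codes and attribute types from RFC 2865 (only the ones used here)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
SERVICE_TYPE_FRAMED = 2  # Service-Type value meaning Framed (PPP) access

def encode_avps(avps):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value; Length includes the header."""
    out = b""
    for attr_type, value in avps:
        if not 1 <= len(value) <= 253:
            raise ValueError("RADIUS attribute values are 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def xor_password(data, secret, request_auth, hide=True):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous hidden block); hide=False undoes it server side."""
    if hide:  # zero-pad the cleartext to a 16-byte multiple; an empty password becomes one all-zero block
        data = data + b"\x00" * (-len(data) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if hide else block)
    return out if hide else out.rstrip(b"\x00")

def build_access_request(ident, secret, username, password, request_auth=None):
    """NAS side: header, a fresh random Request Authenticator, then the attributes."""
    request_auth = request_auth or secrets.token_bytes(16)  # must be unpredictable per request
    avps = encode_avps([(USER_NAME, username),
                        (USER_PASSWORD, xor_password(password, secret, request_auth)),
                        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(avps)) + request_auth + avps

def build_access_accept(request, secret, avps):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = encode_avps(avps)
    code_id_len = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return code_id_len + hashlib.md5(code_id_len + request[4:20] + attrs + secret).digest() + attrs

def response_is_authentic(response, request, secret):
    """NAS side: act on a reply only if its Identifier matches the outstanding request and its authenticator verifies."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return secrets.compare_digest(expected, response[4:20])
```

The same MD5-based construction protects the reply but not the Access-Request itself, which is why RFC 2865 deployments keep the shared secret long and random and restrict which server addresses a NAS will accept replies from.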


DIAMETER Protocol
DIAMETER is a new framework in the Internet Engineering Task Force (IETF) for the next-generation AAA server. Requirements
for DIAMETER are being defined by the Mobile IP ROAMOPS (Roaming Operations) TR45.6 working group, as well as by other
new-world technologies where there is a need to provide authentication or authorization to network resources or to capture accounting
for billing of network resource usage such as a voice call.
The DIAMETER base protocol provides an AAA framework for Mobile-IP, NASREQ, and ROAMOPS. The DIAMETER protocol
does not address flaws within the RADIUS model. DIAMETER does not use the same RADIUS protocol data unit, but is backward
compatible with RADIUS to ease migration. A primary difference between DIAMETER and RADIUS is that DIAMETER allows
peers to exchange a variety of messages.
According to the DIAMETER RFC: “The basic concept behind DIAMETER is to provide a base protocol that can be extended in order
to provide AAA services to new access technologies. Currently, the protocol only concerns itself with Internet access, both in the
traditional PPP sense as well as taking into account the ROAMOPS model, and Mobile-IP.”
DIAMETER is currently not supported in the Cisco IOS Software.


AAA Web site:
http://www.cisco.com/en/US/products/ps6663/products_ios_protocol_option_home.html