Page | 1
T411- Wireless Networking
Security and Advance Data Network Technology
“Analysis on AAA Service”
ANANDU KARTHIKYEAN 101238315
NAIK HETVI 101212340
UMANG PATEL 101235317
HIRWA JANI 101255327
Prof. Jacky Min
AAA is an abbreviation of authentication, authorization, and accounting; it is sometimes referred
to as “Triple-A”. It represents the “big three” of IP-based network management and policy
administration. A AAA server is a framework program that handles user requests for all kinds of
resources. It grants access to users after verifying their information and keeps a record of the
information and resources assigned to each user.
Authentication is the process of uniquely identifying a user by their username and password. It
compares the login credentials supplied by the user with the data stored in the database and then
grants access. If the user’s login matches, permission is granted; if it does not match, access is
denied.
Example: “Who are you?” is authenticated with “I am user ‘student’ and my password
‘validate’ proves it.”
Authorization is the process of allowing or restricting a user’s access to network resources
after the user has been authenticated by username and password. The level of authorization
determines the type or quality of data the user is entitled to.
Example: “What did you do? What can you access?” is authorized with “User ‘student’ can
access host ‘server XYZ’ using Telnet.”
Accounting is the process of keeping a record of the user’s activity while using network resources,
such as the time spent and the data accessed or transferred during the session. This stage is used
for authorization control, billing, trend analysis, resource utilization and planning the data
capacity required for business operations.
Example: “What did you do? How long did you do it? How often did you do it?” is
accounted for by “User ‘student’ accessed host ‘server XYZ’ using Telnet for ’15
Framework of AAA:
The AAA server typically interacts with network access and gateway servers and with databases
and directories containing user information. The current standard by which devices or
applications communicate with a AAA server is the Remote Authentication Dial-In User Service
The following options can be used to implement AAA on Cisco devices:
Cisco Secure ACS Solution Engine – a dedicated server that contains the usernames,
passwords, and other information about what users are allowed to access and when.
Cisco Secure ACS for Windows Server – a software package installed on a Windows
system that provides AAA services.
Cisco Secure ACS – in a virtual machine.
Local database – also known as local authentication and authorization, this option uses
the local router database for AAA purposes.
Implementing Cisco AAA:
Implementing AAA Using Local Services:
o Step 1: The client establishes a connection with the router.
o Step 2: The router prompts the user for their username and password.
o Step 3: The router authenticates the username and password against the local
database. The user is authorized to access the network based on the information
in the local database.
Implementing Authentication Using External Servers:
o Step 1: The client establishes a connection with the router.
o Step 2: The router communicates with the Cisco Secure ACS (server or
o Step 3: The Cisco Secure ACS prompts the user for their username and
o Step 4: The Cisco Secure ACS authenticates the user. The user is authorized
to access the network based on the information found in the Cisco Secure ACS
ACS FOR WINDOWS
RADIUS and TACACS+:
Two different protocols are used to communicate between the AAA security
servers and the authenticating devices. Cisco Secure ACS (Access Control Server)
supports both RADIUS and TACACS+.
Terminal Access Controller Access Control System (TACACS+) is a protocol
used for the communication between the client and the ACS server. It uses TCP
port number 49, which makes it reliable.
Remote Access Dial-In User Service (RADIUS) is an open standard protocol used
for the communication between any AAA client and the ACS server. If either the client
or the server is from a vendor other than Cisco, then RADIUS must be used. It uses
port number 1812 for authentication and authorization and 1813 for accounting.
Cisco Secure ACS
TACACS+ remains more secure than RADIUS, but RADIUS has a robust application
programming interface for strong accounting.
The process is started by the Network Access Device (NAD, the client of TACACS+ or RADIUS). The
NAD contacts the TACACS+ or RADIUS server and transmits the request for authentication (username
and password) to the server. First, the NAD obtains a username prompt and transmits the username to
the server; then the NAD contacts the server again to obtain a password prompt, and the
password is sent to the server.
The server replies with an access-accept message if the credentials are valid; otherwise it sends an
access-reject message to the client. Authorization and accounting differ between the two
protocols, as authentication and authorization are combined in RADIUS.
Advantages (TACACS+ over RADIUS)
As TACACS+ uses TCP, it is more reliable than RADIUS.
TACACS+ provides more control over the authorization of commands, while RADIUS
supports no external authorization of commands.
All the AAA packets are encrypted in TACACS+, while only the passwords are encrypted
in RADIUS, i.e. TACACS+ is more secure.
Advantages (RADIUS over TACACS+)
As it is an open standard, RADIUS can be used with other vendors’ devices, whereas
TACACS+, being Cisco proprietary, can be used with Cisco devices only.
It has more extensive accounting support than TACACS+.
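The confidentiality difference stated above (all AAA packets encrypted in TACACS+, only the password in RADIUS) can be seen directly in the two wire formats. The following Python is an added example, not part of the original presentation: it implements the RFC 2865 User-Password hiding and the RFC 8907 TACACS+ body obfuscation on a constructed exchange (the shared secret, username, password, Request Authenticator and session ID are all made-up sample values) and checks which fields an observer on the path can read.

```python
import hashlib
import struct

def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), the first 'previous block' being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def radius_unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password; the server needs the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_access_request(ident: int, user: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Access-Request (Code 1): header, Request Authenticator, attributes.
    User-Name (type 1) travels in cleartext; only User-Password (type 2) is hidden."""
    attr = lambda t, v: struct.pack("!BB", t, len(v) + 2) + v
    attrs = attr(1, user) + attr(2, radius_hide_password(password, secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 s4.5: the whole body is XORed with an MD5 keystream derived from session_id,
    shared key, version and seq_no. XOR is symmetric, so the same call deobfuscates."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))

def compare_confidentiality() -> dict:
    """Constructed sample: which fields an on-path observer can read in each protocol."""
    secret = b"constructed-shared-secret"                  # constructed, not a real key
    req_auth = hashlib.md5(b"constructed nonce").digest()  # fixed for repeatability; real clients use 16 random bytes
    radius_pkt = radius_access_request(7, b"student", b"validate", secret, req_auth)
    # Simplified TACACS+ authentication START body: action, priv_lvl, authen_type, service, four length bytes, user, data
    tac_body = b"\x01\x01\x01\x01" + bytes([7, 0, 0, 8]) + b"student" + b"validate"
    tac_obf = tacacs_obfuscate(tac_body, secret, 0x1234ABCD)
    return {"radius_user_in_clear": b"student" in radius_pkt,        # True
            "radius_password_in_clear": b"validate" in radius_pkt,  # False
            "tacacs_user_in_clear": b"student" in tac_obf,          # False
            "tacacs_roundtrip_ok": tacacs_obfuscate(tac_obf, secret, 0x1234ABCD) == tac_body}
```

Both schemes rest on the shared secret alone, which is why the RFCs call them hiding and obfuscation rather than encryption; the 12-byte TACACS+ header and every RADIUS attribute other than User-Password remain readable on the path.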
Parameters         | TACACS+                 | RADIUS
Functionality      | Separates AAA           | Combines Authentication and Authorization
Transport Protocol | TCP                     | UDP
CHAP               | Bidirectional           | Unidirectional
Protocol Support   | Multi-protocol support  | No ARA, no NETBEUI
Confidentiality    | Entire packet encrypted | Password encrypted
Accounting         | Limited                 | Extensive
TACACS+                                                                 | RADIUS
Cisco proprietary protocol                                              | Open standard protocol
Uses TCP as the transport protocol                                      | Uses UDP as the transport protocol
Uses TCP port number 49                                                 | Uses UDP port number 1812 for authentication and authorization and 1813 for
Authentication, Authorization and Accounting are separated in TACACS+   | Authentication and Authorization are combined in RADIUS
All the AAA packets are encrypted                                       | Only the password is encrypted; other information such as the username and accounting information is not encrypted
Preferably used for ACS                                                 | Used when ISE is used
Provides more granular control, i.e. the commands to authorize can be specified | No external authorization of commands
Offers multiprotocol support                                            | No multiprotocol support
Used for device administration                                          | Used for network access
AAA services provide a higher degree of privileged EXEC authentication.
The AAA server typically interacts with network access and gateway
servers and with databases and directories containing user
RADIUS and TACACS+ are the two main protocols which play an
important role in communicating between the AAA server and
Implementation of a AAA server can be done by a local server and
AAA can be used in CDMA.