
AAA: Authentication, Authorization and Accounting

Popularity: 314 / Published: 2025-03-18 17:31:54

AAA (Authentication, Authorization, and Accounting) is a security framework that controls how users access a network device or network resources. The three functions are separate decisions and are applied in order:

  1. Authentication: confirms who the user is. Usually a username and password, but it can also be a one-time password (OTP), an SSH key or certificate, or biometrics (fingerprint or face recognition).

  2. Authorization: decides what an authenticated user may do, for example which commands or resources are available. On a network device this is usually expressed as a privilege level or role.

  3. Accounting: records what the user did, such as login time, commands executed, resources used, or traffic volume. The records support auditing, incident investigation, and billing.

An authorization decision is only as good as the authentication behind it, and accounting records are only useful if they are kept somewhere the user cannot alter them, which is why they are normally sent to a separate server rather than kept on the device.

Configuration example (Huawei VRP command syntax; the scheme commands are entered in the aaa view, so they are nested under aaa rather than prefixed with it):
1. AAA basic configuration

aaa
 authentication-scheme default          # default authentication scheme
  authentication-mode local             # check users against the local user database
 authorization-scheme default           # default authorization scheme
  authorization-mode local
 accounting-scheme default              # default accounting (billing) scheme
  accounting-mode none                  # no accounting for the default scheme
 accounting-scheme audit                # separate scheme used for operation logging
  accounting log information            # record detailed operations
  server 192.168.1.100                  # audit server IP

Function: enables the AAA framework with default authentication, authorization and accounting policies, plus an audit scheme. The two lines under accounting-scheme audit are the post's shorthand rather than literal VRP commands: on VRP an accounting scheme points at a RADIUS or HWTACACS server template (accounting-mode radius or accounting-mode hwtacacs), and the server address lives in that template. The device does not store accounting records itself, so the 192.168.1.100 host is where the records end up and where they must be protected.

2. Domain configuration

A domain groups users and binds the schemes to them. Users log in as user@domain; a user without a domain suffix falls into the default domain.

aaa
 domain ceshi                           # create domain "ceshi" (optional, used for group management)
  authentication-scheme default         # bind the schemes from step 1 to the domain
  authorization-scheme default
  accounting-scheme default

3. Local user configuration

Local users are created in the aaa view. The password is typed in plaintext at configuration time; the %$%$...%$%$ strings shown here stand for the ciphertext the device writes back into the running configuration, not values to be typed. VRP privilege levels are 0 (visit), 1 (monitoring: display commands), 2 (configuration) and 3-15 (management); levels 4-15 are equivalent to 3 unless individual commands are re-leveled with command-privilege level.

Administrator (level 15)

aaa
 local-user admin password cipher %$%$A1B2C3D4E5F6%$%$
 local-user admin privilege level 15
 local-user admin service-type ssh telnet terminal   # drop telnet here once Telnet is disabled in step 5

Operation and maintenance personnel (level 3)

 local-user op password cipher %$%$12345678%$%$
 local-user op privilege level 3                      # management level: full configuration rights, not a restricted operator role
 local-user op service-type telnet terminal           # Telnet sends credentials in cleartext; prefer ssh

Auditor (level 1, view only)

 local-user audit password cipher %$%$abcdefg%$%$
 local-user audit privilege level 1                   # monitoring level: display commands only
 local-user audit service-type ssh

If the intent is an operator who can change configuration but not manage the device, level 2 is the closer fit than level 3. Newer VRP releases also accept password irreversible-cipher, which stores a one-way hash instead of a reversible ciphertext; prefer it where available, because a reversible cipher can be recovered by anyone who obtains the configuration file.

4. Interface configuration
Console interface (console 0)

user-interface console 0
 authentication-mode aaa                # console logins also go through AAA
 idle-timeout 15 0                      # disconnect after 15 minutes 0 seconds idle

Remote login interface (VTY 0-4)

user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh                   # only SSH is accepted on these lines
 user privilege level 3                 # line default; a user's own local-user privilege level takes precedence for AAA-authenticated logins

The post wrote the last line as authorization-attribute user-role level 3, which is Comware (H3C) syntax; user privilege level is the VRP form. Note that the line-level default only matters for a user with no level of its own, so it does not restrict the admin user above to level 3.

SSH configuration

rsa local-key-pair create               # generate the host key pair first; choose at least 2048 bits at the prompt
stelnet server enable                   # VRP's name for the SSH server; SSH logins fail without it
ssh user admin authentication-type password
ssh user admin service-type stelnet
ssh user audit authentication-type password
ssh user audit service-type stelnet

Bind the audit accounting scheme

On VRP an accounting scheme is bound in the domain, not on the VTY line, so the post's "user-interface vty 0 4 / accounting-scheme audit" becomes:

aaa
 domain ceshi
  accounting-scheme audit               # users in this domain are accounted with the audit scheme

5. Security enhancement
Disable Telnet (insecure protocol: credentials and commands travel in cleartext)
telnet server disable

Limit the number of SSH attempts
ssh server authentication-retries 3     # the post wrote "ssh authentication-retries 3"; the VRP command carries the server keyword

Password policy
password-policy min-length 8            # minimum password length 8 characters

This line is the post's shorthand; the exact password-policy commands differ between VRP releases (recent ones enforce a minimum length and a mix of character classes for local users out of the box), so check your release. Treat 8 characters as a floor rather than a target: 12 or more with mixed classes is the usual recommendation for device administrator accounts.

Check the accounting records:
display aaa accounting

Accounting records are held on the accounting server (the 192.168.1.100 host above), not on the device, so there is no device command that lists them. On the device you can confirm which scheme is in effect with display accounting-scheme and review the local operation log with display logbuffer.

Dynamic password:
local-user admin dynamic-password       # enable dynamic password (such as OTP)

VRP has no per-user switch for one-time passwords; this line is shorthand for moving the user's authentication to an OTP-capable server, which is what the next item does.

Multi-factor authentication:
aaa authentication-scheme radius        # authenticate through a RADIUS server that enforces a second factor

On VRP this is three pieces rather than one line: a radius-server template holding the server address and shared key, an authentication scheme with authentication-mode radius, and a domain that binds the scheme and the template. The second factor (password plus OTP) is enforced by the RADIUS server; the device only forwards what the user types, so RADIUS alone is not two-factor unless the server requires it. If the scheme lists a local fallback (authentication-mode radius local), a local password alone is enough while the server is unreachable; keep such accounts few and alert on their use.
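The hardening checks in this section, and the RADIUS structure the multi-factor item needs, can be verified mechanically instead of by eye. The following Python script is an added example, not code from the original post or from Huawei: it parses a VRP-style running config into its view hierarchy and flags the weak settings the post warns about (Telnet left enabled, VTY lines not restricted to SSH, users with Telnet service, reversible password storage, management level on non-admin accounts, and a domain that authenticates locally only). It runs on two constructed configs, a "before" with the post's weak settings and an "after" in VRP syntax that also shows the radius-server template, scheme and domain binding. The admin_users set, the server 192.168.1.100, the template name otp-srv, the scheme name mfa and the sample passwords are assumptions for the example.

```python
"""Lint a Huawei VRP-style running config for the AAA hardening points in this post.
Added example, not from the original post or from Huawei: the two configs are constructed,
and admin_users is an assumption about which accounts may hold management level (3-15)."""
import re

# Constructed "before": the post's users and VTY lines with the weak settings left in.
WEAK_CONFIG = """\
aaa
 local-user admin password cipher %$%$A1B2C3D4E5F6%$%$
 local-user admin privilege level 15
 local-user admin service-type ssh telnet terminal
 local-user op password cipher %$%$12345678%$%$
 local-user op privilege level 3
 local-user op service-type telnet terminal
 domain ceshi
  authentication-scheme default
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
 user privilege level 3
"""

# Constructed "after": Telnet off, SSH-only VTY, hashed passwords, op at configuration level (2),
# and the domain authenticating through a RADIUS server template (server address assumed).
HARDENED_CONFIG = """\
telnet server disable
ssh server authentication-retries 3
radius-server template otp-srv
 radius-server authentication 192.168.1.100 1812
 radius-server shared-key cipher Example@Key
aaa
 authentication-scheme mfa
  authentication-mode radius local
 local-user admin password irreversible-cipher Admin@2025
 local-user admin privilege level 15
 local-user admin service-type ssh
 local-user op password irreversible-cipher Op@2025
 local-user op privilege level 2
 local-user op service-type ssh
 domain ceshi
  authentication-scheme mfa
  radius-server otp-srv
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
"""

def parse_vrp(text):
    """Yield (context, command): context = enclosing view lines, from one-space-per-level indentation."""
    stack = []  # (indent, line) of the views we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' only separates blocks in VRP output
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield tuple(v for _, v in stack), line
        stack.append((indent, line))

def audit_config(text, admin_users=frozenset({"admin"})):
    """Return (subject, code) findings; an empty list means every check passed."""
    entries = list(parse_vrp(text))
    top = [cmd for ctx, cmd in entries if not ctx]
    findings = []
    if "telnet server disable" not in top:
        findings.append(("device", "telnet-enabled"))
    if not any(c.startswith("ssh server authentication-retries") for c in top):
        findings.append(("device", "no-ssh-retry-limit"))
    for ui in (c for c in top if c.startswith("user-interface ")):
        cmds = [cmd for ctx, cmd in entries if ctx == (ui,)]
        if "authentication-mode aaa" not in cmds:
            findings.append((ui, "not-aaa"))
        if " vty " in ui and [c for c in cmds if c.startswith("protocol inbound")] != ["protocol inbound ssh"]:
            findings.append((ui, "protocol-not-ssh-only"))
    # scheme name -> authentication modes (a scheme with no mode line is local), then check each domain
    modes = {ctx[1].split()[1]: cmd.split()[1:] for ctx, cmd in entries
             if ctx[:1] == ("aaa",) and len(ctx) == 2 and ctx[1].startswith("authentication-scheme ")
             and cmd.startswith("authentication-mode ")}
    for ctx, cmd in entries:
        if len(ctx) == 2 and ctx[0] == "aaa" and ctx[1].startswith("domain ") and cmd.startswith("authentication-scheme "):
            if not {"radius", "hwtacacs"} & set(modes.get(cmd.split()[1], ["local"])):
                findings.append((ctx[1], "local-only-authentication"))  # no external server: no second factor
    for ctx, cmd in entries:
        m = re.match(r"local-user (\S+) (.+)", cmd)
        if not m or ctx != ("aaa",):
            continue
        name, attr = m.groups()
        if attr.startswith("password cipher "):  # reversible; prefer irreversible-cipher
            findings.append((f"local-user {name}", "reversible-password"))
        lvl = re.match(r"privilege level (\d+)", attr)
        if lvl and int(lvl.group(1)) >= 3 and name not in admin_users:  # 3-15 = management level
            findings.append((f"local-user {name}", "unexpected-management-level"))
        if attr.startswith("service-type") and "telnet" in attr.split():  # cleartext credentials
            findings.append((f"local-user {name}", "telnet-service"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
```

To use it on a real device, save the output of display current-configuration to a file and pass its contents to audit_config; pass admin_users as the set of accounts that are supposed to hold management level, so that any other account at level 3 or above is reported. The local-only-authentication code is deliberately informational: a domain that authenticates only against the local database is not wrong, but it cannot provide the second factor the post's last item asks for.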