Blog | G5 Cyber Security

AAA Protocol Solutions

TL;DR

Yes, many solutions support AAA (Authentication, Authorisation and Accounting). This guide covers common methods like RADIUS, TACACS+, and LDAP/Kerberos, with practical steps for setup and verification. We’ll focus on integrating these with network devices like routers and switches.

Understanding AAA

AAA is crucial for secure access control. It’s not a single protocol but a framework of three functions: authentication (who you are), authorisation (what you may do) and accounting (what you did). The protocols below are the common ways to implement it on network devices:

1. RADIUS (Remote Authentication Dial-In User Service)

RADIUS is widely used for network access control, especially with Wi-Fi and VPNs.

Setup Steps

  1. Choose a RADIUS Server: FreeRADIUS is popular and open source. Others include Microsoft Network Policy Server (NPS).
  2. Install the Server: On Debian/Ubuntu:
    sudo apt update && sudo apt install freeradius freeradius-utils
  3. Configure Clients: Add your network devices as RADIUS clients in the FreeRADIUS clients.conf file (/etc/freeradius/3.0/clients.conf on Debian/Ubuntu). Each entry carries the device’s IP address and a shared secret; make the secret long and random, because it is the only key protecting the password hiding and reply authentication in the protocol.
    client my_router {
            ipaddr = 192.168.1.10
            secret = mysecret
    }
  4. Configure Network Devices: Point your router/switch to the RADIUS server’s IP address and port (usually 1812 for authentication, 1813 for accounting). The exact commands vary by vendor. Example Cisco IOS:
    aaa new-model
    radius server radius_server
     address ipv4 192.168.1.5 auth-port 1812 acct-port 1813
     key mysecret
    aaa group server radius radius_server
     server name radius_server
  5. Define Authentication Methods: Configure the router/switch to use RADIUS for authentication (e.g., for console access, SSH, or Wi-Fi). List the RADIUS group first and local second, so local accounts are consulted only when the RADIUS servers do not respond; note that once aaa new-model is enabled the line uses login authentication rather than login local.
    aaa authentication login default group radius_server local
    line vty 0 4
     transport input ssh
     login authentication default
  6. Test: Attempt to connect using a user account configured in the RADIUS server (radtest from freeradius-utils can send a test Access-Request from the server host first). Check the RADIUS server log (/var/log/freeradius/radius.log on Debian/Ubuntu) for success or failure messages, or run the daemon in the foreground with freeradius -X to watch each request being processed.
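As an added example that is not part of the original post, the Python below shows what the shared secret from step 3 actually does on the wire in RADIUS (RFC 2865): it hides the User-Password inside an Access-Request and lets the client verify that an Access-Accept really came from a server holding the same secret. The secret, username and fixed Request Authenticator are constructed values for reproducibility; in real use the authenticator is random per request.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _xor_chain(secret, authenticator, data, unhide=False):
    # RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous
    # hidden block); the first block uses the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ k for a, k in zip(data[i:i + 16], keystream))
        prev = data[i:i + 16] if unhide else block
        out += block
    return out

def hide_password(secret, authenticator, password):
    # Keyed obfuscation, not authenticated encryption: secret strength still matters.
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    return _xor_chain(secret, authenticator, padded)

def unhide_password(secret, authenticator, hidden):
    return _xor_chain(secret, authenticator, hidden, unhide=True).rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, username, password, identifier=0, authenticator=None):
    # Client -> server; the Request Authenticator must be unpredictable (fixed only in tests).
    auth = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(secret, auth, password))
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return head + auth + attrs, auth

def build_access_accept(secret, request_auth, identifier=0, attrs=b""):
    # Server -> client. RFC 2865 s3: Response Authenticator =
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(secret, request_auth, response):
    # A reply forged by a host that does not know the shared secret fails here.
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because the hiding is MD5 keyed only by the secret, a weak secret can be recovered offline from a captured exchange, which is why the shared secret and the network path between device and server both need protecting.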

2. TACACS+ (Terminal Access Controller Access Control System Plus)

TACACS+ is Cisco’s proprietary protocol, offering more granular control than RADIUS: it handles authentication, authorisation and accounting as separate exchanges, so the server can authorise individual commands, and it encrypts the whole packet body rather than only the password.

Setup Steps

  1. Choose a TACACS+ Server: Cisco ISE is common. FreeTACACS+ is an open-source alternative.
  2. Install and Configure the Server: Follow the server’s documentation for installation and user/group setup.
  3. Configure Network Devices: Similar to RADIUS, point your Cisco devices to the TACACS+ server.
    aaa new-model
    tacacs server tacacs_server
     address ipv4 192.168.1.5
     key mysecret
    aaa group server tacacs+ tacacs_server
     server name tacacs_server
  4. Define Authentication Methods: Configure authentication, authorisation and accounting using TACACS+, with the server group first and local accounts as the fallback used only when the server does not respond.
    aaa authentication login default group tacacs_server local
    aaa authorization exec default group tacacs_server local
    aaa accounting exec default start-stop group tacacs_server
  5. Test: Connect to the device and verify in the TACACS+ server logs.

3. LDAP/Kerberos

LDAP (Lightweight Directory Access Protocol) and Kerberos are often used for centralised user management, integrating with existing directory services like Active Directory.

Setup Steps

  1. Configure Network Devices: Enable LDAP or Kerberos authentication on your router/switch. This usually involves specifying the server address, a bind DN (Distinguished Name) and its password, and the base DN to search under. A bind over plain LDAP on port 389 sends that password in clear text, so prefer LDAPS or another TLS-protected connection where the device supports it. Example Cisco IOS for LDAP (the bind and base DNs below are placeholders for your directory):
    aaa new-model
    ldap server my_domain
     ipv4 192.168.1.6
     transport port 389
     bind authenticate root-dn "cn=binduser,dc=example,dc=com" password mysecret
     base-dn "dc=example,dc=com"
    aaa group server ldap ldap_group
     server my_domain
  2. Define Authentication Methods: Configure the device to use LDAP/Kerberos for authentication, again with local accounts only as the fallback.
    aaa authentication login default group ldap_group local
    ! Kerberos instead of LDAP: define the realm with kerberos local-realm and kerberos server, then use the krb5 method
    ! aaa authentication login default krb5 local
  3. Test: Attempt to connect using a user account from your directory service. Check logs on both the network device and the directory server.

Important Considerations
