13 AAA Principles and Configuration


AAA Principles and Configuration

Page 1 Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.

Foreword
User management is one of the most basic security management requirements for
any network.

Authentication, authorization, and accounting (AAA) is a management framework
that provides a security mechanism for authorizing specified users to access
specified resources and for recording the operations of those users. AAA is
widely used because it scales well and makes centralized management of user
information easy to implement. AAA can be implemented through multiple
protocols. In practice, the Remote Authentication Dial-In User Service (RADIUS)
protocol is the one most commonly used to implement AAA.

This course describes the basic concepts, implementation, basic configurations, and
typical application scenarios of AAA.

Objectives

Upon completion of this course, you will be able to:
▫ Understand the fundamentals of AAA.

▫ Describe the application scenarios of AAA.

▫ Understand the fundamentals of RADIUS.

▫ Get familiar with the basic configurations of AAA.

Contents
1. AAA Overview
2. AAA Configuration

Basic Concepts of AAA

Authentication, authorization, and accounting (AAA) provides a management mechanism for
network security.

Step 1: User identity. Identifies users by information such as the account and password.
Step 2: Authentication. Identifies and authenticates users who attempt to access resources.
Step 3: Authorization. Determines whether the user is authorized to access the requested resource.
Step 4: Accounting. Checks and records access information.

Common AAA Architecture

A common AAA architecture includes the user, network access server (NAS), and AAA server.

[Figure: User 1@Domain 1, User 2@Domain 2, and User 3@Domain 3 reach the NAS over an IP network; the NAS reaches the AAA server over an IP network.]

• The NAS collects and manages user access requests in a centralized manner.
• Multiple domains are created on the NAS to manage users. Different domains can be associated with different AAA schemes, which include the authentication scheme, authorization scheme, and accounting scheme.
• When receiving a user access request, the NAS determines the domain to which the user belongs based on the username and performs user management and control based on the AAA schemes configured for the domain.

Authentication

AAA supports the following authentication modes: non-authentication, local authentication,
and remote authentication.

[Figure: User 2's username and password are checked on the NAS itself; the NAS forwards User 3's username and password to the AAA server, which returns an authentication result.]

User            | Domain   | Authentication Mode
User 1@Domain 1 | Domain 1 | Non-authentication
User 2@Domain 2 | Domain 2 | Local authentication
User 3@Domain 3 | Domain 3 | Remote authentication

Authorization

AAA supports the following authorization modes: non-authorization, local authorization, and
remote authorization.

Authorization information includes the user group, VLAN ID, and ACL number.

[Figure: after authentication succeeds, the AAA server delivers the permissions for User 2 to the NAS.]

User            | Domain   | Authorization Mode   | Authorization Content
User 1@Domain 1 | Domain 1 | Non-authorization    | None
User 2@Domain 2 | Domain 2 | Local authorization  | Internet access is allowed.
User 3@Domain 3 | Domain 3 | Remote authorization | Authorization is granted by a remote server.

Accounting

The accounting function monitors the network behavior and network resource utilization of
authorized users.

AAA supports two accounting modes: non-accounting and remote accounting.

[Figure: the NAS sends an Accounting-Start request to the AAA server, which returns an Accounting-Start response.]

User            | Domain   | Accounting Mode
User 1@Domain 1 | Domain 1 | Non-accounting
User 2@Domain 2 | Domain 2 | Non-accounting
User 3@Domain 3 | Domain 3 | Remote accounting

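The Accounting-Start / Accounting-Stop exchange in the figure, written out as RADIUS accounting packets (RFC 2866), as an added example that is not part of the original course. It shows the part the slide leaves implicit: an Accounting-Request carries no password, so the Request Authenticator computed with the shared secret is the only thing that proves the record came from the NAS, and the server must verify it before updating its session table. The shared secret, username, session ID and session time are assumed values, and the AAA server is an in-process function standing in for the real one.

```python
"""Added example (not from the Huawei course): the Accounting-Start / Accounting-Stop
exchange as RFC 2866 packets. The NAS signs every Accounting-Request with the
shared secret; the AAA server verifies that signature before it touches the
session table, then answers with an Accounting-Response. Secret, user, session
ID and session time are assumed values."""
import hashlib
import hmac
import struct

SECRET = b"example-shared-secret"                      # assumed NAS <-> server shared secret
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5         # RFC 2866 packet codes
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46
START, STOP = 1, 2                                     # Acct-Status-Type values

def attr(kind, value):
    """One RADIUS attribute: Type, Length (including this header), Value."""
    return bytes([kind, 2 + len(value)]) + value

def header(code, ident, attrs):
    """Code, Identifier and total Length, the first four octets of the packet."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs))

def accounting_request(ident, user, status, session_id, session_time=None):
    """NAS side. RFC 2866 section 3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(ACCT_SESSION_ID, session_id.encode()))
    if session_time is not None:                       # carried on Stop only
        attrs += attr(ACCT_SESSION_TIME, struct.pack("!I", session_time))
    head = header(ACCOUNTING_REQUEST, ident, attrs)
    return head + hashlib.md5(head + bytes(16) + attrs + SECRET).digest() + attrs

def accounting_server(pkt, sessions):
    """Server side. Verify the Request Authenticator first: without it, anyone on
    the network could inject Start/Stop records or close another user's session.
    Returns the Accounting-Response, or None when the packet is silently dropped."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = pkt[20:length]
    expected = hashlib.md5(pkt[:4] + bytes(16) + attrs + SECRET).digest()
    if code != ACCOUNTING_REQUEST or not hmac.compare_digest(expected, pkt[4:20]):
        return None
    fields, pos = {}, 0
    while pos < len(attrs):
        kind, alen = attrs[pos], attrs[pos + 1]
        fields[kind] = attrs[pos + 2:pos + alen]
        pos += alen
    sid = fields[ACCT_SESSION_ID].decode()
    status = struct.unpack("!I", fields[ACCT_STATUS_TYPE])[0]
    if status == START:
        sessions[sid] = {"user": fields[USER_NAME].decode(), "online": True}
    elif status == STOP and sid in sessions:
        sessions[sid]["online"] = False
        sessions[sid]["seconds"] = struct.unpack("!I", fields.get(ACCT_SESSION_TIME, bytes(4)))[0]
    # Accounting-Response: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = header(ACCOUNTING_RESPONSE, ident, b"")
    return head + hashlib.md5(head + pkt[4:20] + SECRET).digest()

def session_walkthrough():
    """Start, then Stop 54 seconds later: the pair the server turns into one
    login/offline record for the user."""
    sessions = {}
    if accounting_server(accounting_request(7, "huawei", START, "0001"), sessions) is None:
        raise RuntimeError("Start was rejected")
    if accounting_server(accounting_request(8, "huawei", STOP, "0001", 54), sessions) is None:
        raise RuntimeError("Stop was rejected")
    return sessions

def forged_stop_is_dropped():
    """An attacker without the secret cannot compute the Request Authenticator;
    a Stop with a bogus authenticator is dropped and the session stays online."""
    sessions = {"0001": {"user": "huawei", "online": True}}
    pkt = accounting_request(9, "huawei", STOP, "0001", 1)
    forged = pkt[:4] + bytes(16) + pkt[20:]            # authenticator zeroed
    return accounting_server(forged, sessions) is None and sessions["0001"]["online"]
```

The verification is done with a constant-time comparison and before any attribute is parsed, so a packet from a host that does not hold the secret never reaches the session logic. MD5 here is what the RADIUS protocol specifies, not a design choice of the example; on a real deployment the transport between NAS and server should additionally be isolated (management VLAN, IPsec, or RADIUS over TLS).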
AAA Implementation Protocol - RADIUS

Of the protocols that are used to implement AAA, RADIUS is the most commonly used.

Message flow between the user, the NAS, and the RADIUS server:

1. The user enters a username and a password.
2. The NAS sends an Access-Request to the RADIUS server.
3. The RADIUS server accepts or rejects the authentication and delivers the corresponding packet (Access-Accept or Access-Reject).
4. The NAS notifies the user of the authentication result.
5. The NAS sends an Accounting-Start request; the RADIUS server returns an Accounting-Start response.
6. The user starts to access network resources.
7. The user requests to go offline.
8. The NAS sends an Accounting-Stop request; the RADIUS server returns an Accounting-Stop response.
9. The user is notified of the completion of network access.

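The authentication half of the exchange above, together with the domain selection described in the common AAA architecture (the NAS picks the domain from the user@domain name and applies that domain's authentication mode), as an added example that is not part of the original course. It encodes a real RFC 2865 Access-Request with the User-Password hiding, lets a toy in-process RADIUS server decide and sign the reply, and has the NAS check the Response Authenticator so that a spoofed Access-Accept cannot grant access. The domains, users, shared secret and the rule of splitting the name at the first "@" are assumptions of this example.

```python
"""Added example (not from the Huawei course): a NAS that maps user@domain to a
domain's authentication scheme (non-authentication, local, or RADIUS) and, for
the RADIUS case, the Access-Request / Access-Accept exchange of RFC 2865 with a
toy in-process RADIUS server. Domains, users and the shared secret are assumed."""
import hashlib
import hmac
import os
import struct

SECRET = b"example-shared-secret"      # assumed NAS <-> RADIUS server shared secret
DEFAULT_DOMAIN = "default"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                           # RFC 2865 attribute types

# Per-domain authentication modes, mirroring Domain 1-3 in the slides (assumed data).
DOMAINS = {
    "domain1": {"mode": "none"},
    "domain2": {"mode": "local", "users": {"user2": "pass2"}},
    "domain3": {"mode": "radius"},
    DEFAULT_DOMAIN: {"mode": "local", "users": {"huawei": "huawei123"}},
}

def split_user(full_name):
    """'user@domain' -> (user, domain); a name without '@' falls into the default
    domain. Splitting at the first '@' is an assumption of this example."""
    user, sep, domain = full_name.partition("@")
    return user, (domain if sep else DEFAULT_DOMAIN)

def attr(kind, value):
    """One RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    return bytes([kind, 2 + len(value)]) + value

def packet(code, ident, authenticator, attrs):
    """RADIUS header: Code, Identifier, Length (whole packet), 16-octet Authenticator."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password, request_auth):
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    plain = password.encode()
    plain = plain.ljust(max(16, (len(plain) + 15) // 16 * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        key = hashlib.md5(SECRET + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        hidden += prev
    return hidden

def reveal_password(hidden, request_auth):
    """Inverse of hide_password, as the server does it; strips the NUL padding."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(SECRET + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00").decode()

def response_auth(code, ident, attrs, request_auth):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + SECRET).digest()

def parse(pkt):
    """Split a RADIUS packet into (code, ident, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = pkt[pos], pkt[pos + 1]
        attrs[kind] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs

def radius_server(request, users):
    """Toy RADIUS server: reveal the password, check it, sign the reply."""
    code, ident, request_auth, attrs = parse(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    name = attrs[USER_NAME].decode()
    ok = users.get(name) == reveal_password(attrs[USER_PASSWORD], request_auth)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(reply, ident, response_auth(reply, ident, b"", request_auth), b"")

def nas_verify_reply(reply, ident, request_auth):
    """NAS side: a reply only counts if its Identifier matches the outstanding
    request and its Response Authenticator verifies, so a spoofed Access-Accept
    from a host without the secret cannot grant access."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = response_auth(code, rid, reply[20:length], request_auth)
    if rid != ident or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from our server")
    return code == ACCESS_ACCEPT

def nas_radius_auth(full_name, password, users, ident=1):
    """NAS side of remote authentication. The name is forwarded with its domain
    suffix; whether a real NAS strips it is a matter of its configuration."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, full_name.encode()) + attr(USER_PASSWORD, hide_password(password, request_auth))
    reply = radius_server(packet(ACCESS_REQUEST, ident, request_auth, attrs), users)
    return nas_verify_reply(reply, ident, request_auth)

def authenticate(full_name, password, radius_users=None):
    """What the NAS does on a login: pick the domain from the name, then apply
    that domain's authentication mode. An unknown domain is refused."""
    user, domain = split_user(full_name)
    scheme = DOMAINS.get(domain)
    if scheme is None:
        return False
    if scheme["mode"] == "none":
        return True
    if scheme["mode"] == "local":
        return scheme["users"].get(user) == password
    return nas_radius_auth(full_name, password, radius_users or {})
```

Two points the slide does not make explicit: the User-Password attribute is only obfuscated with an MD5 keystream derived from the shared secret, not encrypted in any modern sense, so the NAS-to-server path still needs network isolation or RADIUS over TLS; and the NAS must tie each reply back to its own request (Identifier plus Response Authenticator), otherwise an attacker on that path could answer the Access-Request before the real server does.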
Common AAA Application Scenarios

AAA for Internet Access Users Through RADIUS

[Figure: Internet access user -- NAS -- RADIUS server]

• AAA schemes are configured on the NAS to implement interworking between the NAS and the RADIUS server.
• After the user enters a username and a password on the client, the NAS sends the username and password to the RADIUS server for authentication.
• If the authentication succeeds, the user is granted the Internet access permission.
• The RADIUS server can record the user's network resource utilization during Internet access.

Local Authentication and Authorization for Administrative Users

[Figure: network administrator logs in to Router (the NAS) through Telnet/SSH]

• After local AAA schemes are configured on Router (the NAS), Router compares the username and password of the network administrator with the locally configured username and password when the network administrator logs in to Router.
• After the authentication succeeds, Router grants certain administrator permissions to the network administrator.

Contents
1. AAA Overview
2. AAA Configuration

AAA Configuration (1)
1. Enter the AAA view.

[Huawei] aaa

Enter the AAA view from the system view.

2. Create an authentication scheme.

[Huawei-aaa] authentication-scheme authentication-scheme-name

Create an authentication scheme and enter the authentication scheme view.

[Huawei-aaa-authentication-scheme-name] authentication-mode { hwtacacs | local | radius }

Set the authentication mode of the scheme to HWTACACS, local, or RADIUS authentication. By default, the authentication mode is local authentication.

AAA Configuration (2)
3. Create a domain and bind an authentication scheme to the domain.

[Huawei-aaa] domain domain-name

Create a domain and enter the domain view.

[Huawei-aaa-domain-name] authentication-scheme authentication-scheme-name

Bind the authentication scheme to the domain.

4. Create a user.

[Huawei-aaa] local-user user-name password cipher password

Create a local user and configure a password for the local user.
• If the username contains the delimiter "@", the characters before "@" are the username and the characters after "@" are the domain name.
• If the value does not contain "@", the entire character string is the username and the user belongs to the default domain.

AAA Configuration (3)
5. Configure a user access type.

[Huawei-aaa] local-user user-name service-type { { terminal | telnet | ftp | ssh | snmp | http } | ppp | none }

Configure the access type of the local user. By default, all access types are disabled for a local user, so a user that has not been granted a service type cannot log in through any of them.

6. Configure a user level.

[Huawei-aaa] local-user user-name privilege level level

Specify the permission level of the local user.

AAA Configuration Examples

After a username, password, and user level are configured on R1, host A can use the
configured username and password to remotely log in to R1.

[Figure: Host A -- GE0/0/0 10.1.1.1/24 -- R1]

[R1]aaa
[R1-aaa]local-user huawei password cipher huawei123
[R1-aaa]local-user huawei service-type telnet
[R1-aaa]local-user huawei privilege level 0
[R1-aaa]quit
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa

Switching the VTY lines to AAA authentication means each login is checked against the local user database instead of a shared line password. Note that Telnet carries the username and password in cleartext across the network; on a production device, grant the ssh service type and log in with SSH instead.

Configuration Verification (1)

In AAA, each domain is associated with an authentication scheme, an authorization
scheme, and an accounting scheme. In this example no domain was created, so the
administrative user falls into default_admin, the default domain for administrative
(login) users.

[R1]display domain name default_admin


Domain-name: default_admin

Domain-state: Active
Authentication-scheme-name: default
Accounting-scheme-name: default
Authorization-scheme-name: -
Service-scheme-name: -
RADIUS-server-template: -
HWTACACS-server-template: -
User-group: -

Configuration Verification (2)

After the user properly logs in and logs out, you can view the user record.

[R1]display aaa offline-record all


-------------------------------------------------------------------
User name: huawei
Domain name: default_admin
User MAC: 00e0-fc12-3456
User access type: telnet
User IP address: 10.1.1.2
User ID: 1
User login time: 2019/12/28 17:59:10
User offline time: 2019/12/28 18:00:04
User offline reason: user request to offline

Quiz
1. What authentication, authorization, and accounting modes are supported by AAA?
2. When a new common user is configured with local authentication but is not
associated with a user-defined domain, which domain does the user belong to?

Summary

AAA improves enterprise network security and prevents unauthorized users from
logging in to enterprise networks by authenticating the identities of enterprise
employees and external users, authorizing accessible resources, and monitoring
Internet access behavior.
▫ Authentication: determines which users can access the network.

▫ Authorization: authorizes users to access specific services.

▫ Accounting: records network resource utilization.


AAA technology can be implemented either locally or through a remote server.

Of the protocols that are used to implement AAA, RADIUS is the most commonly
used.

Thank You
www.huawei.com
