|
|
This chapter describes authentication, authorization, and accounting (AAA), with an emphasis on accounting. It starts with a general introduction to AAA, RADIUS, and Diameter, and then the various standards are discussed, along with voice-specific extensions. You will learn how to identify which AAA functions to use for which requirements and what Cisco has implemented.
With authentication, authorization, and accounting, each "A" describes a specific set of tasks to perform:
Authentication verifies that the users are who they say they are.
Authorization limits the user's activities to a set of policies, such as hours of operation, idle timeouts, filters, limiting service and connection access, and so on.
Accounting generates usage records that log the user's activities.
AAA was invented long before broadband and wireless Internet access became pervasive. It provides a mechanism for user access over dial-in connections, Telnet, SSH, and PPP. Remote access to the network occurs over a modem and a phone line to the Internet service provider (ISP). Users provide their username and password during the authentication process to a Network Access Server (NAS). It usually does not store these details locally but instead forwards the request to a database server that has the user credential information. RADIUS became the standard communication protocol between the NAS and the user database server, defined in RFC 2865 through 2869.
A typical AAA concept is based on a three-tier model, including a user, a client, and a server. With today's networks, the RADIUS RFC terminology can be slightly confusing, because the access server is called the "client," the back-end application is called the "server," and the user is not mentioned at all. A better terminology was introduced by RFC 2753, A Framework for Policy-Based Admission Control, distinguishing between a Policy Decision Point (PDP) and a Policy Enforcement Point (PEP). The PEP is the client component, equal to the RADIUS NAS, and the PDP describes the server component, similar to the RADIUS server. Because neither RADIUS nor Diameter uses the RFC 2753 terms, and to avoid the mingling of terminology, we use the RADIUS terms, even though in some scenarios they do not match perfectly, such as with controlling Telnet login into a router.
From an implementation perspective, the user connects to the network element (NAS)—in this case, a Cisco router. The NAS is responsible for passing user information to a RADIUS server, typically running on UNIX or Windows systems. The server is responsible for receiving the NAS requests and returning responses, indicating that it successfully received the initial request.
Figure 9-1 shows the different RADIUS components. The RADIUS naming convention is used, and the RFC 2753 terminology appears in brackets.
Because of the long history of AAA, you might consider it a legacy technology that was appropriate for only modem dial-in sessions; however, the opposite is true! Even though the analog dial-in model is kind of the exception these days, the latest network technologies still leverage AAA. Think about high-speed Internet connectivity in hotels (usually DSLbroadband networks) or public wireless hotspots at airports or Internet cafes. Users normally get free access to the provider's web page. If they want to surf the Internet or connect to their corporate intranet via VPN tunnels, an access fee is charged first, based on connectivity time. For these scenarios, the AAA server is linked to the billing system, which authenticates and authorizes the user. The NAS establishes and terminates the connection when the contract expiries. For broadband networks, the classic dial-in NAS has been replaced by a broadband remote-access server (B-RAS, such as the Cisco 10000 router), but the concept remains the same. In IP telephony environments, especially the accounting component of AAA is extensively used by the gateways to generate Call Detail Records (CDR) for creating billing details. The Internet Protocol Detail Record (IPDR) format is an IP-centric example of a CDR.
Note
For more details on IPDR, visit www.ipdr.org/.
To feed the CDRs into a billing system, accurate time stamps are required. Best practice suggests deploying the network time protocol (NTP) in the network, which synchronizes the system clocks on network elements with an authoritative time source.
NTP is defined in RFC 1305. NTP servers can be organized as a symmetric mesh topology or a hierarchy or a combination. In the classic NTP design, the servers are organized as a symmetric peer-to-peer topology or a hierarchy. Each level in the hierarchy is called a stratum, which defines the distance from the reference, which is an atomic source, referred to as Stratum 0. In large networks, a hierarchical structure increases consistency, stability, and scalability. A Cisco router can act as the NTP source and receive updates from public sources via the Internet. However, for increased accuracy, it is advised that you consider investing in a GPS appliance with Ethernet or AUX ports that can be connected to a Cisco router.
Because of this book's focus, the rest of this chapter focuses on the accounting part of AAA.
The following principles apply for AAA:
AAA is an improved logging system used for authentication, authorization, and accounting. In PPP, SLIP, and dial-in networks, AAA is not enabled primarily for accounting, but for authentication and authorization instead. In contrast, for voice scenarios, AAA is primarily used for accounting. For example, in H.323 voice signaling networks, H.325 instead of AAA is used for authentication. In a Session Initiation Protocol (SIP) voice signaling network, HTTP basic or digest is used for authentication, not AAA.
AAA collects incoming and outgoing packets/bytes.
Each session can generate start and stop records:
AAA is adequate for billing because the username gets reported.
AAA is supported on all switching paths.
It is relevant to note that AAA is not limited to controlling user access; it can also control the operator's access to network devices or even command execution at a network element. Consequently, several types of accounting are possible with AAA; Cisco IOS Software supports five different kinds:
Network accounting collects usage records for network access (over dial-in, broadband, or wireless).
Connection accounting provides information about all outbound connections made from the NAS, such as Telnet and rlogin.
EXEC accounting gathers information about user EXEC terminal sessions (user shells) on the NAS, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.
System accounting provides information about all system-level events (for example, when the system reboots, or when accounting is turned on or off).
Command accounting supplies information about the EXEC shell commands for specified privilege levels that are being executed on a NAS. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed and the user who executed it.
Note
The authors think that in the preceding list, the RADIUS terminology (in particular, the NAS term) is inadequate. However, in an attempt to reduce the potential for confusion, we decided to use RADIUS terms.
|
|