13 AAA Principles and Configuration


Page 2 Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.
Foreword
 User management is one of the most basic security management requirements for any network.
 Authentication, authorization, and accounting (AAA) is a management framework that provides a security mechanism for authorizing some users to access specified resources and recording the operations of these users. AAA is widely used because of its good scalability and easy implementation of centralized management of user information. AAA can be implemented through multiple protocols. In actual applications, the Remote Authentication Dial-In User Service (RADIUS) protocol is the most commonly used to implement AAA.
 This course describes the basic concepts, implementation, basic configurations, and typical application scenarios of AAA.

Objectives
 Upon completion of this course, you will be able to:
▫ Understand the fundamentals of AAA.

▫ Describe the application scenarios of AAA.

▫ Understand the fundamentals of RADIUS.

▫ Get familiar with the basic configurations of AAA.

Contents
1. AAA Overview
2. AAA Configuration

Basic Concepts of AAA
 Authentication, authorization, and accounting (AAA) provides a management mechanism for network security.

Step 1 - User identity: identifies users by information such as the account and password.
Step 2 - Authentication: identifies and authenticates users who attempt to access resources.
Step 3 - Authorization: determines whether the access is granted authorization.
Step 4 - Accounting: checks and records access information.

Common AAA Architecture
 A common AAA architecture includes the user, network access server (NAS), and AAA server.

Figure: Common AAA architecture. User 1@Domain 1, User 2@Domain 2 and User 3@Domain 3 reach the NAS over an IP network; the NAS reaches the AAA server over an IP network.

• The NAS collects and manages user access requests in a centralized manner.
• Multiple domains are created on the NAS to manage users. Different domains can be associated with different AAA schemes, which include the authentication scheme, authorization scheme, and accounting scheme.
• When receiving a user access request, the NAS determines the domain to which the user belongs based on the username and performs user management and control based on the AAA schemes configured for the domain.

Authentication
 AAA supports the following authentication modes: non-authentication, local authentication, and remote authentication.

Figure: Each user sends a username and password to the NAS. For User 3@Domain 3, the NAS forwards the username and password to the AAA server over the IP network, and the AAA server returns an authentication result.

User             Domain    Authentication Mode
User 1@Domain 1  Domain 1  Non-authentication
User 2@Domain 2  Domain 2  Local authentication
User 3@Domain 3  Domain 3  Remote authentication

Authorization
 AAA supports the following authorization modes: non-authorization, local authorization, and remote authorization.
 Authorization information includes the user group, VLAN ID, and ACL number.

Figure: After authentication succeeds, the NAS delivers permissions to User 2@Domain 2 (local authorization).

User             Domain    Authorization Mode    Authorization Content
User 1@Domain 1  Domain 1  Non-authorization     None
User 2@Domain 2  Domain 2  Local authorization   Internet access is allowed.
User 3@Domain 3  Domain 3  Remote authorization  Authorization is granted by a remote server.

Accounting
 The accounting function monitors the network behavior and network resource utilization of authorized users.
 AAA supports two accounting modes: non-accounting and remote accounting.

Figure: The NAS sends an Accounting-Start request to the AAA server over the IP network and receives an Accounting-Start response.

User             Domain    Accounting Mode
User 1@Domain 1  Domain 1  Non-accounting
User 2@Domain 2  Domain 2  Non-accounting
User 3@Domain 3  Domain 3  Remote accounting

AAA Implementation Protocol - RADIUS
 Of the protocols that are used to implement AAA, RADIUS is the most commonly used.

Message exchange between the user, the NAS, and the RADIUS server:
1. The user enters a username and a password.
2. The NAS sends an Access-Request to the RADIUS server.
3. The RADIUS server accepts or rejects the authentication and delivers the corresponding packet to the NAS.
4. The NAS notifies the user of the authentication result.
5. The NAS sends an Accounting-Start request; the RADIUS server returns an Accounting-Start response.
6. The user starts to access network resources.
7. The user requests to go offline.
8. The NAS sends an Accounting-Stop request; the RADIUS server returns an Accounting-Stop response.
9. The user is notified of the completion of network access.
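The authentication part of this exchange, as an added Python example that is not part of the course: the NAS encodes an Access-Request with the RFC 2865 User-Password hiding, a minimal server answers with Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator so that a forged or altered reply is not trusted. The shared secret, user names and passwords in the test are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

def _xor_password(data, secret, req_auth, hiding):
    """RFC 2865 User-Password hiding and its inverse: XOR 16-byte blocks with an MD5 keystream."""
    data += b"\x00" * (-len(data) % 16)
    prev, out = req_auth, b""
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]  # chain on the hidden (on-the-wire) block
    return out

def build_access_request(ident, username, password, secret):
    """NAS side: fresh random Request Authenticator plus User-Name and hidden User-Password."""
    req_auth = os.urandom(16)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, _xor_password(password.encode(), secret, req_auth, True))))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_reply(packet, secret, users):
    """Server side: recover the password, check it, answer Access-Accept or Access-Reject."""
    _code, ident, length = HEADER.unpack(packet[:4])
    req_auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:  # walk the type-length-value attribute list
        t, n = packet[pos], packet[pos + 1]
        attrs[t], pos = packet[pos + 2:pos + n], pos + n
    name = attrs[ATTR_USER_NAME].decode()
    pw = _xor_password(attrs[ATTR_USER_PASSWORD], secret, req_auth, False).rstrip(b"\x00").decode()
    ok = name in users and hmac.compare_digest(users[name], pw)  # PAP needs the cleartext on the server
    header = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)  # minimal reply, no attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(request, response, secret):
    """NAS side: trust a reply only if its Response Authenticator matches; a forged reply fails."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```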

Common AAA Application Scenarios
Scenario 1: AAA for Internet Access Users Through RADIUS

Figure: Internet access user -- NAS -- RADIUS server

• AAA schemes are configured on the NAS to implement interworking between the NAS and RADIUS server.
• After the user enters a username and a password on the client, the NAS sends the username and password to the RADIUS server for authentication.
• If the authentication succeeds, the user is granted the Internet access permission.
• The RADIUS server can record the user's network resource utilization during Internet access.

Scenario 2: Local Authentication and Authorization for Administrative Users

Figure: Network administrator -- login through Telnet/SSH -- Router (NAS)

• After local AAA schemes are configured on Router, Router compares the username and password of the network administrator with the locally configured username and password when the network administrator logs in to Router.
• After the authentication succeeds, Router grants certain administrator permissions to the network administrator.

Contents
1. AAA Overview
2. AAA Configuration

AAA Configuration (1)
1. Enter the AAA view.

[Huawei] aaa

Exit the system view and enter the AAA view.

2. Create an authentication scheme.

[Huawei-aaa] authentication-scheme authentication-scheme-name

Create an authentication scheme and enter the authentication scheme view.

[Huawei-aaa-authentication-scheme-name] authentication-mode { hwtacacs | local | radius }

Set the authentication mode of the scheme. By default, the authentication mode is local authentication.

AAA Configuration (2)
3. Create a domain and bind an authentication scheme to the domain.

[Huawei-aaa] domain domain-name

Create a domain and enter the domain view.

[Huawei-aaa-domain-name] authentication-scheme authentication-scheme-name

Bind the authentication scheme to the domain.

4. Create a user.

[Huawei-aaa] local-user user-name password cipher password

Create a local user and configure a password for the local user.
• If the username contains the delimiter "@", the string before "@" is the username and the string after "@" is the domain name.
• If the value does not contain "@", the entire string is the username and the domain is the default one.

AAA Configuration (3)
5. Configure a user access type.

[Huawei-aaa] local-user user-name service-type { { terminal | telnet | ftp | ssh | snmp | http } | ppp | none }

Configure the access type of the local user. By default, all access types are disabled for a local user.

6. Configure a user level.

[Huawei-aaa] local-user user-name privilege level level

Specify the permission level of the local user.

AAA Configuration Examples
 After a user password and a user level are configured on R1, host A can use the configured username and password to remotely log in to R1.

Figure: Host A is connected to R1 through GE 0/0/0 (10.1.1.1/24).

[R1]aaa
[R1-aaa]local-user huawei password cipher huawei123
[R1-aaa]local-user huawei service-type telnet
[R1-aaa]local-user huawei privilege level 0
[R1-aaa]quit
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
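The NAS-side decisions that steps 1 to 6 and the R1 example configure, as an added Python example (not Huawei's code): the login name is split at "@" to select the domain (the default domain otherwise), the domain's authentication mode is applied, and for local authentication the configured service type is enforced and the privilege level returned. The salted PBKDF2 storage of the password, the default-domain name taken from the display output in this course, and the remote_check callback are assumptions of this example, not the device's own cipher format or RADIUS client.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

DEFAULT_DOMAIN = "default_admin"  # domain of the administrative login in the course's display output
ITERATIONS = 100_000  # constructed PBKDF2 work factor; the device's own "cipher" storage format differs

@dataclass
class LocalUser:
    salt: bytes
    pw_hash: bytes
    service_types: frozenset  # empty until configured: all access types are disabled by default
    privilege_level: int

def make_local_user(password, service_types=(), privilege_level=0):
    """Create the local-user record; only a salted PBKDF2 hash of the password is kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return LocalUser(salt, digest, frozenset(service_types), privilege_level)

def split_login(login):
    """The part before "@" is the username, the part after it the domain; no "@" means the default domain."""
    name, sep, domain = login.partition("@")
    return name, (domain if sep else DEFAULT_DOMAIN)

def authenticate(login, password, service, domains, local_users, remote_check=None):
    """Apply the authentication mode of the user's domain; returns (accepted, privilege level, reason)."""
    name, domain_name = split_login(login)
    mode = domains.get(domain_name)  # "none", "local", "radius" or "hwtacacs", as in authentication-mode
    if mode is None:
        return False, None, "domain does not exist: " + domain_name
    if mode == "none":
        return True, None, "non-authentication"
    if mode in ("radius", "hwtacacs"):
        # Remote authentication: the verdict comes from the remote server (callback is an assumption here).
        accepted = bool(remote_check and remote_check(name, password))
        return accepted, None, "remote authentication"
    user = local_users.get(name)
    if user is None:
        return False, None, "no such local user"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, ITERATIONS)
    if not hmac.compare_digest(digest, user.pw_hash):
        return False, None, "wrong password"
    if service not in user.service_types:
        return False, None, "service type not enabled: " + service
    return True, user.privilege_level, "local authentication"
```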

Configuration Verification (1)
 In AAA, each domain is associated with an authentication scheme, an authorization scheme, and an
accounting scheme. In this example, the default domain is used.

[R1]display domain name default_admin

Domain-name: default_admin
Domain-state: Active
Authentication-scheme-name: default
Accounting-scheme-name: default
Authorization-scheme-name: -
Service-scheme-name: -
RADIUS-server-template: -
HWTACACS-server-template: -
User-group: -

Configuration Verification (2)
 After the user logs in and then logs out normally, you can view the offline record of the user.

[R1]display aaa offline-record all

-------------------------------------------------------------------
User name: huawei
Domain name: default_admin
User MAC: 00e0-fc12-3456
User access type: telnet
User IP address: 10.1.1.2
User ID: 1
User login time: 2019/12/28 17:59:10
User offline time: 2019/12/28 18:00:04
User offline reason: user request to offline

Quiz
1. What authentication, authorization, and accounting modes are supported by AAA?
2. When a new common user is configured with local authentication but is not associated with a user-defined domain, which domain does the user belong to?

Summary
 AAA improves enterprise network security and prevents unauthorized users from logging in to enterprise networks by authenticating the identities of enterprise employees and external users, authorizing accessible resources, and monitoring Internet access behavior.
▫ Authentication: determines which users can access the network.

▫ Authorization: authorizes users to access specific services.

▫ Accounting: records network resource utilization.

 AAA technology can be implemented either locally or through a remote server.

 Of the protocols that are used to implement AAA, RADIUS is the most commonly used.

Thank You
www.huawei.com
