20 AAA OVERVIEW

Introduction to AAA

AAA is the acronym for three security functions: authentication, authorization and accounting. It provides a uniform framework for configuring these three functions to implement network security management.

■ Authentication: Defines which users can access the network,
■ Authorization: Defines which services are available to the users who can access the network, and
■ Accounting: Defines how to charge the users who are using network resources.

Typically, AAA operates in the client/server model: the client runs on the managed resources side while the server stores the user information. Thus, AAA scales well and can easily implement centralized management of user information.

Authentication

AAA supports the following authentication methods:

■ None authentication: Users are trusted and are not checked for their validity. Generally, this method is not recommended.
■ Local authentication: User information (including user name, password, and some other attributes) is configured on this device, and users are authenticated on this device instead of on a remote device. Local authentication is fast and requires lower operational cost, but its information storage capacity is limited by the device hardware.
■ Remote authentication: Users are authenticated remotely through the RADIUS protocol. This device (for example, a 3Com series switch) acts as the client to communicate with the RADIUS server. You can use standard or extended RADIUS protocols in conjunction with such systems as iTELLIN/CAMS for user authentication. Remote authentication allows convenient centralized management and is feature-rich. However, to implement remote authentication, a server is needed and must be configured properly.

Authorization

AAA supports the following authorization methods:

■ Direct authorization: Users are trusted and directly authorized.
■ Local authorization: Users are authorized according to the related attributes configured for their local accounts on this device.
■ RADIUS authorization: Users are authorized after they pass RADIUS authentication. In the RADIUS protocol, authentication and authorization are combined, and authorization cannot be performed alone without authentication.
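
The coupling of RADIUS authentication and authorization is visible in the server's reply: the Access-Accept that confirms authentication also carries the authorization attributes, so no separate authorization exchange takes place. The Python sketch below is an added example, not code from this guide or from the device. The packet layout follows RFC 2865, and the shared secret, Request Authenticator and attribute values (including the filter name) are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code
ATTR_NAMES = {6: "Service-Type", 11: "Filter-Id", 27: "Session-Timeout"}

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a server reply; used here only to construct the sample packet."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_reply(packet, request_auth, secret):
    """Verify the reply, then return (authenticated, authorization_attrs)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # ignore padding after the declared length
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: reply rejected")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[ATTR_NAMES.get(attr_type, attr_type)] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code == ACCESS_ACCEPT, attrs

# Constructed sample data (not taken from any real deployment).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # Request Authenticator the client sent
SAMPLE = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, [
    (6, struct.pack("!I", 1)),      # Service-Type = Login
    (11, b"mgmt-acl"),              # Filter-Id (hypothetical filter name)
    (27, struct.pack("!I", 3600)),  # Session-Timeout in seconds
], SECRET)

if __name__ == "__main__":
    ok, attrs = parse_reply(SAMPLE, REQ_AUTH, SECRET)
    print("authenticated:", ok, "authorization:", attrs)
```

The client accepts the authorization attributes only after the Response Authenticator check passes, which ties them to the request it sent and to the shared secret.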