Page 43 Friday, February 15, 2002 2:53 PM

CHAPTER 5
AAA Access Control

AAA stands for authentication, authorization, accounting. This chapter will cover the authentication and authorization aspects of AAA, leaving the accounting details for Chapter 11. AAA access control provides much greater scalability and functionality than the basic access control methods discussed in Chapter 3. AAA can use local router configuration, TACACS+, RADIUS, and Kerberos for authentication and can utilize TACACS+ or RADIUS for authorization.

TACACS+ and RADIUS can be used both for authentication and authorization, while Kerberos can be used only for authentication. Cisco-only networks usually choose TACACS+ because of its enhanced features. TACACS+, however, is proprietary to Cisco. Networks using equipment from multiple vendors usually choose RADIUS for its interoperability. Finally, organizations with existing Kerberos access servers can configure their routers to use those servers to control access to Cisco routers.

Enabling AAA

To use any of these authentication and authorization methods, you must first enable AAA on the router. The general steps for enabling AAA are:

1. Turn on AAA with the aaa new-model command.
2. Configure security protocol information if using an access control server (ACS).
3. Define methods that specify the type and order of authentication with the aaa authentication command.
4. Apply the authentication methods to each line and/or enable access.
5. Configure AAA authorization, if needed, with the aaa authorization command.
Local Authentication

Assume that the router configuration has the following users:

username jdoe password 7 09464A061C480713181F13253920
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37

To take advantage of the AAA accounting features, you can enable AAA but use these locally defined usernames for access. To do so:

1. Enable AAA with aaa new-model.
2. Make the default AAA .
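The five-step procedure from "Enabling AAA", carried through for the local-username case described in this section, as an added configuration example that is not from the book. It assumes an IOS release that supports these commands, reuses the two username lines quoted above, and uses only the local method (no ACS, so step 2 has nothing to configure); the comments about method ordering and the "default" list are standard IOS behaviour, not something the book states here.

```cisco
! Added example, not from the book. Assumes an IOS release supporting these
! commands; the two username lines are the ones quoted in the text above.
!
! Step 1: turn on AAA. This immediately changes how logins are handled, so
! configure the remaining steps from the console and keep that session open
! until a login with one of the local users has been verified.
aaa new-model
!
! Step 2: no ACS in this example, so there are no tacacs-server or
! radius-server lines to configure.
!
! Step 3: define the default login method list. Only one method here: the
! local username database. Methods are tried in the listed order, and a
! later method is consulted only when the earlier one returns an error
! (for example, an unreachable server), not when it rejects the credentials.
aaa authentication login default local
!
! Privileged-mode (enable) access keeps using the enable secret.
aaa authentication enable default enable
!
! The locally defined users from the text. Type 7 is a reversible encoding;
! prefer "username NAME secret PASSWORD" where the release supports it.
username jdoe password 7 09464A061C480713181F13253920
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37
!
! Step 4: apply the method list to the lines. A list named "default" is
! applied to every line automatically, but naming it explicitly on each
! line documents the intent and survives later additions of named lists.
line con 0
 login authentication default
line vty 0 4
 login authentication default
!
! Step 5 (optional): exec authorization from the local database, so the
! privilege level a user lands in comes from the username entry rather
! than from the line configuration.
aaa authorization exec default local
```

Before closing the console session, confirm the result with `show running-config | include aaa` and a test login over a second vty session as one of the two users; `debug aaa authentication` shows which method list and method handled that login.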