Understand enterprise AAA authentication, authorization, billing services and configuration in one article

Hello everyone, I am Bernie, an IT pre-sales engineer.

If an enterprise branch wants to reach the headquarters network, that network is certainly not open to everyone: only users who have passed authentication can access it, for example to reach the OA system, the accounting system or the ERP system.

This is when AAA authentication and authorization services come in handy.

AAA is a security service that provides authentication, authorization, and accounting. It verifies whether a user account is legitimate, whether that account is authorized to use a given service, and records the user's access to network resources.

About authentication

Authentication means verifying whether a user has the right to access the network.

AAA authentication methods fall into three types: no authentication, local authentication, and remote authentication.

No authentication

This is the simplest case: the server trusts the user completely and performs no identity check at all. In practice most networks do not use it, because it is crude and unsafe.

Local Authentication

The user's information is configured locally on the NAS (the network access server) and checked there. Local authentication is fast and cheap, but because the authentication data is stored on the device itself, the amount of data it can hold is usually small.

Remote Authentication

This method is more capable. The authentication information is configured on a remote server, and that authentication server assists the NAS in authenticating the user.

Note that an authentication scheme can use a composite method, that is, several authentication methods configured together. For example, if local authentication is configured first and remote authentication second, then remote authentication is used whenever local authentication fails or does not respond.

About authorization

Authorization defines which services on the network a user is allowed to use. AAA supports the following authorization methods: no authorization, local authorization, and remote authorization.

No authorization

No authorization is performed on users. Their access is not restricted, and they can use any service they want.

Local authorization

Authorization is performed according to the authorization attributes configured on the NAS (the network access server).

Remote authorization

The authorization information, such as the user's authorization level, is configured on and obtained from the remote server.

Special note: if an authorization scheme uses several authorization methods, they take effect in the configured order, just as with authentication. For example, if remote authorization is configured first and local authorization second, then local authorization is requested whenever the remote authorization method has a problem.

About accounting (billing)

Accounting records a user's use of a service or access to a resource. Unlike authentication and authorization, there is no local accounting method; there are only two: no accounting and remote accounting.

No accounting

Network access and all services are free of charge, as with a company portal or a government portal.

Remote accounting

The user's online time or service time is recorded by a remote server and used to calculate the cost of the service. For example, the server can record the host name, the time the session started, the service duration, and the upstream and downstream traffic during the session; from these the traffic cost or service cost can be calculated.
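As an added example (not part of the original article), the following Python script shows how the remote accounting records just described can be turned into per-session usage and cost. The record layout, the Start/Stop pairing, the tariff values and the sample records are all constructed for this demonstration; a real accounting server stores its own record format. It also shows the case the paragraph does not mention: a session whose Stop record never arrived, which a defender should surface rather than silently bill as zero.

```python
"""Summarise remote accounting records into per-session usage and cost.

Added example, not from the article. The record fields, the tariff and the
sample records below are constructed for the demonstration.
"""
from datetime import datetime

# Constructed accounting records, roughly as a remote server might store them:
# a Start record when the session opens and a Stop record carrying the
# traffic counters when it closes.
RECORDS = [
    {"session": "s1", "user": "alice@areaA", "host": "pc1", "type": "Start",
     "time": "2024-03-01T08:00:00"},
    {"session": "s2", "user": "bob@areaB", "host": "pc2", "type": "Start",
     "time": "2024-03-01T08:30:00"},
    {"session": "s1", "user": "alice@areaA", "host": "pc1", "type": "Stop",
     "time": "2024-03-01T10:00:00",
     "in_bytes": 300_000_000, "out_bytes": 50_000_000},
    # s2 has no Stop record: the host is still online, or the Stop was lost.
]

RATE_PER_HOUR = 0.5   # constructed tariff: currency units per online hour
RATE_PER_GB = 0.2     # constructed tariff: currency units per GB, both directions


def parse(ts):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(ts)


def summarise(records):
    """Pair Start and Stop records by session id.

    Returns (closed, open_sessions): closed sessions with online hours,
    traffic in GB and cost; and the ids of sessions that never closed.
    """
    starts, closed = {}, []
    for r in sorted(records, key=lambda r: r["time"]):
        if r["type"] == "Start":
            starts[r["session"]] = r
        elif r["type"] == "Stop" and r["session"] in starts:
            s = starts.pop(r["session"])
            hours = (parse(r["time"]) - parse(s["time"])).total_seconds() / 3600
            gb = (r["in_bytes"] + r["out_bytes"]) / 1e9
            closed.append({
                "session": r["session"], "user": s["user"], "host": s["host"],
                "hours": hours, "gb": gb,
                "cost": round(hours * RATE_PER_HOUR + gb * RATE_PER_GB, 4),
            })
        # A Stop without a matching Start is ignored: nothing to bill against.
    return closed, sorted(starts)


if __name__ == "__main__":
    closed, still_open = summarise(RECORDS)
    for c in closed:
        print(f"{c['user']} on {c['host']}: {c['hours']:.2f} h, "
              f"{c['gb']:.3f} GB, cost {c['cost']}")
    print("sessions without a Stop record:", still_open)
```

The unmatched Start list is the part worth alerting on: a session that never closes is either a host that is still online or an accounting record that was lost in transit, and either way the usage for that session cannot be billed or audited.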

AAA domain

Having covered authentication, authorization, and accounting, let's look more closely at the concept of an AAA domain. AAA manages users by domain: different domains can be bound to different authentication, authorization, and accounting schemes.

In a network, each host belongs to a domain. As shown in the figure below, PC1 belongs to areaA and PC2 belongs to areaB. If no domain is configured for a device, the default domain is used.

Summary

That is all for AAA. For the actual configuration, first configure the authentication scheme of the domain, then configure the domain's authorization scheme and authorization method.
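As an added example (not the article's own configuration and not tied to any particular vendor's CLI), the following Python model ties the pieces above together: a user name of the form user@domain selects the domain, an unknown or absent domain falls back to the default domain, and each domain carries an authentication scheme and an authorization scheme whose methods are tried in the configured order, moving on to the next method when one fails or does not respond, as the article describes. The domain names, scheme names, users, privilege levels and the stand-in local and remote tables are all constructed for the demonstration.

```python
"""Model of domain-based AAA with ordered, fall-through methods.

Added example, not from the article. Domains, schemes, users, levels and the
local/remote stand-in tables are constructed for the demonstration.
"""
from dataclasses import dataclass

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"
DEFAULT_DOMAIN = "default"


@dataclass
class Scheme:
    name: str
    methods: list   # method names in the configured order


@dataclass
class Domain:
    name: str
    authentication: Scheme
    authorization: Scheme


# Constructed stand-ins: the NAS-local user table and a remote AAA server.
# Each entry is user -> (password, authorization level).
LOCAL_USERS = {"alice@areaA": ("pw-alice", 2)}
REMOTE_USERS = {"bob@areaB": ("pw-bob", 3), "alice@areaA": ("pw-alice", 15)}
STATE = {"remote_reachable": True}   # flipped to simulate a server that stops answering


def authn_none(user, pw):
    return ACCEPT, None                      # no check at all


def authn_local(user, pw):
    rec = LOCAL_USERS.get(user)
    return (ACCEPT, None) if rec and rec[0] == pw else (REJECT, None)


def authn_remote(user, pw):
    if not STATE["remote_reachable"]:
        return NO_RESPONSE, None             # server silent, not a reject
    rec = REMOTE_USERS.get(user)
    return (ACCEPT, None) if rec and rec[0] == pw else (REJECT, None)


def authz_none(user, pw):
    return ACCEPT, 15                        # unrestricted: highest level


def authz_local(user, pw):
    rec = LOCAL_USERS.get(user)
    return (ACCEPT, rec[1]) if rec else (REJECT, None)


def authz_remote(user, pw):
    if not STATE["remote_reachable"]:
        return NO_RESPONSE, None
    rec = REMOTE_USERS.get(user)
    return (ACCEPT, rec[1]) if rec else (REJECT, None)


AUTHN = {"none": authn_none, "local": authn_local, "remote": authn_remote}
AUTHZ = {"none": authz_none, "local": authz_local, "remote": authz_remote}


def run_scheme(scheme, table, user, pw):
    """Try the scheme's methods in configured order.

    A reject or a non-response moves on to the next method (the article's
    rule for composite schemes); the verdict of the last method tried stands.
    Returns (status, payload, method_used).
    """
    status, payload, used = REJECT, None, None
    for name in scheme.methods:
        used = name
        status, payload = table[name](user, pw)
        if status == ACCEPT:
            break
    return status, payload, used


DOMAINS = {
    "areaA": Domain("areaA", Scheme("authn-A", ["local", "remote"]),
                    Scheme("authz-A", ["remote", "local"])),
    "areaB": Domain("areaB", Scheme("authn-B", ["remote"]),
                    Scheme("authz-B", ["remote"])),
    DEFAULT_DOMAIN: Domain(DEFAULT_DOMAIN, Scheme("authn-default", ["local"]),
                           Scheme("authz-default", ["local"])),
}


def resolve_domain(user):
    """user@domain selects the domain; an unknown or missing domain maps to the default."""
    _, _, dom = user.partition("@")
    return DOMAINS.get(dom, DOMAINS[DEFAULT_DOMAIN])


def login(user, pw):
    """Authenticate, then authorize, using the schemes bound to the user's domain."""
    dom = resolve_domain(user)
    status, _, authn_used = run_scheme(dom.authentication, AUTHN, user, pw)
    if status != ACCEPT:
        return {"domain": dom.name, "authenticated": False,
                "authn_method": authn_used, "level": None, "authz_method": None}
    status, level, authz_used = run_scheme(dom.authorization, AUTHZ, user, pw)
    return {"domain": dom.name, "authenticated": True, "authn_method": authn_used,
            "level": level if status == ACCEPT else None, "authz_method": authz_used}


if __name__ == "__main__":
    print(login("alice@areaA", "pw-alice"))   # authn local, authz from remote
    STATE["remote_reachable"] = False
    print(login("alice@areaA", "pw-alice"))   # authz falls back to local level
    print(login("bob@areaB", "pw-bob"))       # remote-only scheme: no response, not admitted
    print(login("carol", "anything"))         # no domain suffix: default domain
```

Two points the model makes visible: a non-response is distinct from a reject, and whether it is safe to fall through on it depends on what the next method is (falling through to "none" would admit anyone while the server is down); and a domain that is bound to a remote-only scheme simply stops admitting users when the server is unreachable, which is the trade-off the article's "configure local first, then remote" ordering is meant to avoid.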

The article comes from: ​​IT Yizhichan ​​. If you wish to reprint this article, please contact [IT Yizhichan] Toutiao account.
