Cisco Access Control Security: AAA Administrative Services
By Brandon Carroll
Publisher: Cisco Press
Pub Date: May 27, 2004
ISBN: 1-58705-124-9
Pages: 456

Hands-on techniques for enabling authentication, authorization, and accounting

Understand the security concepts behind the AAA framework
Learn message formats, communication, and message encryption using the TACACS+ and RADIUS protocols
Configure and troubleshoot AAA on Cisco routers
Understand where to position and install the CSACS in your network
Explore and customize the CSACS interface
Configure CSACS user accounts, user groups, and shared profile components
Add AAA clients and manage network connections
Configure external databases and perform database replication and backup
Explore the various reports and logs available in CSACS
Learn how AAA models apply to service provider environments
Install and configure Cisco Access Registrar

As network infrastructures evolve, it is increasingly important that access to vital corporate resources is vigilantly monitored and controlled. The Cisco identity management solutions, including Cisco Secure Access Control Server (CSACS), address this requirement, enabling security, control, and administration of the growing population of users that connect to corporate networks. CSACS, an essential component of the Cisco Identity Based Networking Services (IBNS) architecture, extends access security by combining authentication, user and administrator access, and policy control from a centralized identity-networking framework. This allows greater flexibility and mobility, increased security, and user productivity gains.

Cisco Access Control Security provides you with the skills needed to configure authentication, authorization, and accounting (AAA) services on Cisco devices. Separated into three parts, this book presents hard-to-find configuration details of centralized identity networking solutions. Part I provides an overview of the AAA architecture, complete with discussions of configuring Cisco routers for AAA. Part II addresses enterprise AAA management with CSACS, including installation, configuration, and management details. Part III looks at service provider AAA management with Cisco Access Registrar.

Full of detailed overviews, diagrams, and step-by-step instructions for enabling essential access control solutions, Cisco Access Control Security is a practical tool that can help enforce assigned access policies and simplify user management.

"This book manages the rare combination of being highly accurate and technically astute, while maintaining an easy readability and flow. It is a great guide for system administrators looking to design or manage a reliable, scalable, and secure Access Control deployment for any size organization."
- Jeremy Steiglitz, ACS Group Product Manager, Cisco Systems

This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.
Table of Contents

Copyright
About the Author
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Introduction
    How This Book Is Organized
    Target Audience
    Features of this Book
    Troubleshooting

Part I. AAA Overview
    Chapter 1. Authentication, Authorization, and Accounting Overview
        Authentication Overview
        Authentication Example
        Authorization Overview
        Authorization Example
        Accounting Overview
        Accounting Example
        Cisco Device Support for AAA
        Summary
        End Notes
    Chapter 2. TACACS+ and RADIUS
        A Brief Overview of TACACS+
        A Brief Overview of RADIUS
        TACACS+ in Detail
        RADIUS in Detail
        Summary
        End Notes
    Chapter 3. Authentication Configuration on Cisco Routers
        Local Authentication
        Authentication Configurations Using Cisco Secure ACS for Windows Server and Cisco Secure ACS Solution Engine
        Debugging Authentication
        Authentication Command References
        Summary

Part II. Enterprise AAA and Cisco Secure Access Control Server
    Chapter 4. Enterprise Authentication Servers
        Cisco Secure Access Control Server Software and Versions
        Cisco Secure Solution Engine
        Summary
    Chapter 5. Deploying Cisco Secure Access Control Server for Windows Server
        What Is ACS?
        How to Obtain ACS
        Requirements to Run ACS Version 3.2
        Installing ACS
        Reinstalling ACS and Using an Existing ACS Database
        Positioning ACS in Your Network
        Summary
    Chapter 6. Getting Familiar with CSACS
        Navigating the HTML Interface
        Starting Point for Configuring Your Server
        Configuring Your Interface
        Preparing to Add Users
        Summary
    Chapter 7. Configuring User Accounts
        Adding Users to the Database
        User Changeable Passwords
        Authenticating Users to a Windows NT/2000 Database
        Advanced Configurations
        Summary
        End Notes
    Chapter 8. Configuring User Groups
        Group-Level Configuration of ACS
        PPP Callback Configuration
        Configuring Network Access Restrictions
        Max Sessions, Usage Quotas, and Password Aging Rules
        IP Assignment and Downloadable ACLs
        Using TACACS+ for Group Configuration
        Summary
        End Notes
    Chapter 9. Managing Network Configurations
        Configuring a Distributed System
        Configuring Network Device Groups
        Configuring Proxy Distribution Tables
        Using Remote Accounting
        Using Network Device Searches
        Creating a Complete Distributed Network
        Client Configuration
        Troubleshooting Network Configurations
        Summary
    Chapter 10. Configuring Shared Profile Components
        Downloadable ACLs
        Network Access Restrictions
        Configuring Network Access Restrictions
        Command Authorization Sets
        Troubleshooting Extended Configurations
        Common Issues of Network Access Restrictions
        And Do Not Forget the Importance of Documentation
        Summary
    Chapter 11. System Configuration
        How Users Interact with Your External Database Configuration
        External Database Configuration
        Database Group Mappings
        Unknown User Policy
        Database Replication
        Synchronization of ACS Devices
        Summary
        End Notes
    Chapter 12. Reports and Logging for Windows Server
        ACS Reports
        Logging Attributes in ACS Reports
        ACS Reports
        Remote Logging with ACS
        Additional Logs Maintained by ACS
        Summary
    Chapter 13. Exploring TACACS+ Attribute Values
        TACACS+ AV Pairs Overview
        Attributes of TACACS+ AV Pairs
        AV Pair Example PPP Network
        Understanding TACACS+ AV Pairs in the ACS Interface
        Summary

Part III. Service Provider AAA and the Cisco Access Registrar
    Chapter 14. Service Provider AAA and the Cisco CNS Access Registrar
        Service Provider (SP) Model
        Service Provider Challenge
        Value Added Services
        Cisco CNS Access Registrar
        Options of AR
        AR's Architecture
        Installation Requirements for AR on Solaris 8
        Installing AR
        AR's Subdirectories
        Configuring Cisco CNS AR
        Summary
        End Notes
    Chapter 15. Configuring the Cisco Access Registrar
        Using aregcmd to Configure AR
        AR's Server Object Hierarchy
        Configuring the ACE ISP as a Basic Site
        Configuring AR's Administrators
        Configuring the RADIUS Server
        Validating and Saving Your Changes to AR
        Testing Your Configuration
        Troubleshooting Your Configuration with trace
        Summary
        End Notes

Part IV. Appendix
    Appendix A. RADIUS Attribute Tables
        3000 Series Concentrator VSAs
        Cisco VPN 5000 Concentrator RADIUS VSAs
        Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
        IETF Dictionary of RADIUS Attribute Value Pairs
        Microsoft Radius VSAs
        Ascend RADIUS
        Nortel RADIUS
        Juniper RADIUS

Index
Copyright

Copyright © 2004 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing June 2004

Library of Congress Cataloging-in-Publication Number: 2002112745

Warning and Disclaimer

This book is designed to provide information about Access Control Security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact:

U.S. Corporate and Government Sales 1-800-382-3419

For sales outside of the U.S. please contact:

International Sales

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at
Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Credits

Publisher: John Wait
Editor-in-Chief: John Kane
Executive Editor: Brett Bartow
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Production Manager: Patrick Kanouse
Acquisitions Editor: Brett Bartow
Development Editor: Jill Batistick
Project Editor: San Dee Phillips
Copy Editor: Kevin Kent
Technical Editors: Randy Ivener, Sanjeev Patel, Stevan Pierce, Mark Wilgus
Team Coordinator: Tammi Barnett
Cover Designer: Louisa Adair
Composition: Octal Publishing, Inc.
Indexer: Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Printed in the USA

Dedications

This book is dedicated to my daughter, Victoria,
Who is my motivation,
And,
To my family,
My mom Debbie, my dad Sonny, my brothers Mykel and Jason, my sister Tiffany, and my grandparents Jim and Shirley,
Whose encouragement and support have been my driving force.

About the Author

Brandon J. Carroll has been in the networking industry for more than six years. He is a certified Cisco Systems instructor with Ascolta Training Company, where he teaches many of the certified Cisco courses. Prior to joining Ascolta, he was an ADSL specialist with GTE Network Services, as well as a technical lead/trainer, a field engineer, and customer zone technician. He has published proprietary documentation internally to GTE, and has also done in-house course development. Brandon holds CCNA, CCNP, and CSS-1 certifications.

About the Technical Reviewers

Randy Ivener, CCIE No. 10722, is a security specialist with Cisco Systems Advanced Services. He is a CISSP and ASQ CSQE. Randy has spent several years as a network security consultant helping companies understand and secure their networks. He has worked with many security products and technologies including firewalls, VPNs, intrusion detection, and authentication systems. Before becoming immersed in security, he spent time in software development and as a training instructor. Randy graduated from the U.S. Naval Academy and holds a master's degree in business administration.

Sanjeev Patel has been working in the networking industry for 10 years. He started his career in network and systems support. Currently he works in Product Marketing at Cisco Systems as a technical marketing engineer and supports the Cisco CNS Access Registrar family of products.

Stevan Pierce is a network/security consultant currently under contract on the Texas Medicaid & Healthcare Partnership (TMHP). His certifications include CCDP and CCNP along with several third-party certifications.

Mark Wilgus works for Cisco Systems, Inc., where he has served as the lead technical writer for Cisco Secure ACS for the past five major releases. He also develops XML-based writing solutions for Cisco technical documentation. Prior to working for Cisco Systems, Mark worked as a technical writer and software configuration engineer for Eclipsys Corporation, Motorola, and Blood Systems, Inc. He received a master of fine arts degree and a bachelor of arts degree from Arizona State University, where he also taught writing courses for four years.
Acknowledgments

There are so many people that I regard as my reason for this book. I would not feel right without mentioning them and how much each one of them has inspired me in some way or another.

Ascolta Training Company, for your support along the way, especially Irene Kinoshita, Ted Wagner, William Kivlen, Jack Wood, Kevin Masui, Dennis Ogata, Colby Morita, Ann Mattair, Karl Homa, Chris Smith, Hilson Shen, Fred Cutaran, Randi Rubenstein, John Rauma, and the rest of the gang!

The Verizon Gang, especially Gil Leon for giving a Field Tech the chance to cross over to the data side, Matt Cummings and Virgil Miller for helping me to remember to NEVER erase Flash! I also want to mention Robert Alaniz for helping me out in a pinch, Dana Christensen for always being there, Bruce Cain, Mack Brown, Randy Kwan, Edward Villaflor, Shawn Schneider, Earl Aboytes, Ken Schwartz, Lori Scott, Steve Scott, Paul Scott, and the rest of the gang.

This would not be complete without mentioning Brett Bartow, for putting up with my missed deadlines and millions of questions over the last year. Your support has kept me on track and has made this one of the best experiences in my life. I also want to mention my development editor, Jill Batistick, for being so patient and keeping my spirits up when I began to wear thin, and my technical editors, Mark Wilgus, Randy Ivener, Stevan Pierce, and Sanjeev Patel, for doing such a great job at keeping me straight.

Thank you all so much!
Icons Used in This Book

You will see a number of icons throughout this book. The following legend gives detail as to what these icons represent.
Introduction

This book is focused on providing the skills necessary to successfully configure authentication, authorization, and accounting (AAA) services on Cisco devices using external authentication servers such as Cisco Secure Access Control Server and the Cisco Access Registrar. The goals of this book are as follows:

Provide a general overview of the AAA architecture
Provide a general configuration overview of AAA on Cisco routers
Provide detailed discussion on the TACACS+ and RADIUS protocols
Provide installation and configuration examples and explanations for the Cisco Secure Access Control Server (ACS)
Provide installation and configuration examples and explanations for the Cisco CNS Access Registrar (AR)

How This Book Is Organized

This book is separated into three logical parts. The first part is a basic overview of AAA. In this part, you will learn how the AAA architecture is built. You will learn how to configure a Cisco router to support the AAA framework, as well as some command syntax.

The second part is an overview to enterprise AAA management using the ACS. In this part, you will install ACS, configure users, groups, and shared profile components, as well as a number of other configuration options in the ACS HTML interface. You will perform database backup, replication, and RDBMS synchronization. This part will teach you the caveats to watch out for and how to troubleshoot configurations.

In the third and final part, you will learn about service provider AAA management using the AR. In this part, you will learn the role of a service provider in the AAA environment, as well as the architecture that the AR is built upon. You will walk through an install of the AR on a Solaris system, as well as configure a basic site for local user authentication. This book is designed to give a general understanding as to the aspects of Cisco's AAA implementation at any level.

Target Audience

This book is targeted toward the following people:

Network Security Professionals tasked with the implementation and management using ACS or AR
Those who are pursuing their CCSP, or Cisco Qualified Specialist, and want to gain more detailed knowledge of AAA
Non-CCIEs and CCIEs in other disciplines working toward their CCIE Network Security Certifications

Although this book does not provide all the answers to AAA implementation and management, it is intended to bridge the gap between the software configuration of ACS and AR and the configuration of the Cisco router IOS.
Features of this Book

This book contains discussion on the extended features of ACS as well as AR. This book also combines configuration examples with a step-by-step how-to for each item. This book uses a "ground up" approach. You will not configure a device until it has been built from the ground up. This will assist in your installation and implementation process.

As you work through the book, you'll note that shorthand commands are sometimes used in the code examples. In addition, comments within code most often appear on the line that they are describing. This format was used by the author for clarity and conciseness.
Troubleshooting

Many sections of this book include troubleshooting tips and tricks to assist in the common configuration mistakes that are made. This will ease the pain of getting used to yet another product that you have to manage in your secure network environment.

Part I: AAA Overview

Chapter 1 Authentication, Authorization, and Accounting Overview
Chapter 2 TACACS+ and RADIUS
Chapter 3 Authentication Configuration on Cisco Routers

Chapter 1. Authentication, Authorization, and Accounting Overview

In this chapter, you learn the following topics:

Authentication overview
Authentication example
Authorization overview
Authorization example
Accounting overview
Accounting example
Cisco device support

Authentication, authorization, and accounting (AAA) is a way to control who is allowed to access your network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting).

AAA can be used in Internet Protocol Security (IPSec) to provide preshared keys during the Internet Security Association and Key Management Protocol (ISAKMP) process or to provide per-user authentication, known as XAUTH, during ISAKMP. AAA can be used to provide a mechanism for authorizing commands that administrators enter at the command line of a Cisco device. This is called command-line authorization. AAA is also seen in a Virtual Private Dial-Up Networking (VPDN) tunnel setup between two routers.

It is overall a very simple process to configure. In fact, it is easily comparable to day-to-day scenarios such as gaining access to golf clubs or sitting in first class on a commercial airline. In each of these situations, you must provide some type of proof as to your right to enter the golf club or sit in a nice comfortable first-class seat.

In each of the following sections, you see more specific details on the functions of AAA. Throughout the course of this book, you learn how to take the functions of AAA and implement a local solution, providing a username and password that is actually stored on a Cisco device, and a network-wide solution, using an external authentication server such as the Cisco Secure Access Control Server (CSACS) for Windows Server and Cisco Access Registrar for the service provider environment.

TIP

AAA is discussed in a number of Requests For Comments (RFCs). RFC 2903 discusses the general AAA architecture. This is an "experimental" RFC. Since then, AAA has been more clearly defined in other RFCs. Other RFCs include RFC 2924, Accounting Attributes and Record Formats; RFC 2975, Introduction to Accounting Management; RFC 2989, Criteria for Evaluating AAA Protocols for Network Access; and RFC 3127, Authentication, Authorization, and Accounting: Protocol Evaluation. A great deal of information on AAA can be obtained at