In preparation of your CCNA Security 640-553 exam, we want to make sure we cover the topics that you will encounter on your CCNA exam. So to assist you, below we will discuss the CCNA Security concept, the functions and importance of AAA. As you progress through your CCNA exam studies, I am sure with repetition you will find that all the topics become much easier. So even though this may be a difficult concept initially, keep at it as no one said getting your Cisco certification would be easy!
Implement AAA on Cisco routers using local router database and external ACS

3.1 Explain the functions and importance of AAA
Authentication, authorization, and accounting provide security to Cisco IOS routers and network devices.

AAA provides a method for identifying users who are logged in to a router and have access to servers or concentrators. AAA also identifies the level of access that has been granted to each user and monitors user activity to produce accounting information.
Authentication: The process of validating the claimed identity of an end user or a device, such as a host, server, switch, router, and so on.

Authentication allows administrators to identify who can connect to a router by comparing the usernames and passwords of those seeking access with the usernames and passwords in an authorized list or database. Normally, when a user connects to a router remotely via Telnet, the user needs to supply only a password, and the administrator has no way of knowing the user's username. With AAA authentication, whenever a user logs on, the user must enter a username and a password, which have been assigned by the administrator.
Authorization: The act of granting access rights to a user, groups of users, system, or a process. Authorization is the second step in the AAA process.

Authorization allows administrators to control the level of access users have after they have successfully gained access to a device. For the sake of simplicity, this section focuses on accessing a router. Cisco IOS allows certain access levels (also called privilege levels) that control which Cisco IOS commands the user can issue. These levels range from 0 to 15. For example, a user with a privilege level of 0 cannot issue any Cisco IOS commands. A user with a privilege level of 15 can perform all valid Cisco IOS commands. The local database or remote security server (AAA server) can grant the required privilege levels. Remote security servers, such as RADIUS and TACACS+ (which are discussed later in the chapter), authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization works by assembling a set of attributes that describe the tasks the user is authorized to perform. These attributes are compared with the information contained in a database for a given user, and the result is returned to the AAA software to determine the user's actual capabilities and restrictions.
Accounting: The methods to establish who, or what, performed a certain action, such as tracking user connection and logging system users.

Accounting occurs after the authentication and authorization steps have been completed. Accounting allows administrators to collect information about users. More specifically, administrators can track which user logged in to which router, which Cisco IOS commands a user issued, and how many bytes were transferred during a user's session. Accounting information can be collected by a router or by a remote security server. For simplicity's sake, the output of the router command is displayed. The case study at the end of the chapter supplies more details on the AAA server output.
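The following Cisco IOS configuration is an added example to show the three functions described above together, with the local router database as the fallback and an external ACS (TACACS+) as the primary server; it is not part of the original article. The server address 192.0.2.10, the names ACS1, ACS-GROUP and CONSOLE, the usernames, and every password or shared key are placeholders chosen for illustration.

```cisco
! Added example: AAA on a Cisco IOS router using the local user database
! with an external ACS (TACACS+) as the primary server and local fallback.
! 192.0.2.10, the shared key and the passwords are placeholder values.
!
! --- Enable the AAA subsystem ---
aaa new-model
!
! --- Local database: credentials for authentication, privilege level for authorization ---
! Level 15 can issue every IOS command; level 1 is the default user EXEC level.
username admin privilege 15 secret STRONG-PASSWORD-PLACEHOLDER
username helpdesk privilege 5 secret ANOTHER-PASSWORD-PLACEHOLDER
enable secret ENABLE-PASSWORD-PLACEHOLDER
!
! --- External ACS (TACACS+) definition and server group ---
tacacs server ACS1
 address ipv4 192.0.2.10
 key SHARED-KEY-PLACEHOLDER
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! --- Authentication: who are you? ---
! Try the ACS first; use the local database only if the ACS cannot be reached.
! CONSOLE uses the local database alone so console access survives a server outage.
aaa authentication login default group ACS-GROUP local
aaa authentication login CONSOLE local
!
! --- Authorization: what may you do? ---
! EXEC authorization assigns the privilege level from the AV pairs the ACS returns
! (or from the username line locally); command authorization checks each level-15 command.
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
! Lower one normally level-15 command to level 5 so the helpdesk account can run it.
privilege exec level 5 show running-config
!
! --- Accounting: what did you do? ---
! start-stop sends one record when a session or command begins and another when it ends.
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! --- Apply the method lists to the access lines ---
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
 transport input ssh
```

After logging in over SSH, `show privilege` confirms which level the ACS or the local `username` line granted. Two points worth checking when testing this: the `local` keyword at the end of a method list is used only when the ACS is unreachable, not when the ACS actively rejects the login, and the accounting records only appear on the ACS for the levels you listed (here EXEC sessions and level-15 commands).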
We hope you found this Cisco CCNA Security 640-553 certification article helpful. We pride ourselves on providing not only tons of free Cisco CCNA exam information, but also the real world Cisco CCNA skills to advance in your networking career as you exercise the many CCNA lab scenarios in our lab workbooks.