Cisco Systems 4 Monitoring AAA Configurations

CHAPTE R

22-1

Cisco Prime Network 4.0 User Guide

OL-29343-01

Monitoring AAA Configurations

AAA refers to Authentication, Authorization, and Accounting, which is a security architecture for

distributed systems that determines the access given to users for specific services and the amount of

resources they have used.

• Authentication—This method identifies users, including their login and password, challenge and

response, messaging support, and encryption. Authentication is the way to identify a subscriber

before providing access to the network and network services.

• Authorization—This method provides access control, including authorizati on for a s ubscribe r or

domain profile. AAA authorization sends a set of attributes to the service describing the services

that the user can access. These attributes determine the user’s actual capabilities and restrictions.

• Accounting—This method collects and sends subscriber usage and access information used for

billing, auditing, and reporting. For example, user identities, start and stop times, performed actions,

number of packets, and number of bytes. Accoun ting enables an oper ator to a nalyze t he services that

the users access as well as the amount of network resources they co nsum e. Ac count ing r ecor ds

comprise accounting Attribute Value Pairs (AVPs) and are stored on the accounting server. This

accounting information can then be analyzed for network management, client billing, and/or

auditing.

This chapter contains the following topics:

• Supported Network Protocols, page 22-1

• Viewing AAA Configurations in Prime Network Vision, page 22-2

• Configuring AAA Groups, page 22-12

AAA supports the following protocols:

• Diameter—This is a networking protocol that provides centralized AAA management f or de vices to

connect and use a network service, and an alternative to RADIUS. Diameter Applicatio ns can extend

the base protocol, by adding new commands and/or attributes.

• Remote Authentication Dial In User Service (RADIUS)—This is a networking protocol that

provides centralized AAA management for devices to connect and use a network service. RADIUS

is a client/server protocol that runs in the application layer, using UDP as transport. The Remote

Access Server (RAS), the Virtual Private Netwo rk (VPN) serv er, th e network swit ch with port-based

authentication, and the Network Access Server (NAS), are all gateways that control access to the

network, and all have a RADIUS client component that communicates with the RADIUS server.