Chapter 5. Authentication, Authorization, and Accounting

Chapter 3, "Accessing a Router," discussed some basic methods of securing access to your router, including using the username command to assign accounts to multiple administrators accessing your router. However, the authentication methods discussed in Chapter 3 do not scale well. If you have 100 routers, you probably do not want the hassle of maintaining all of these accounts on each of these routers.

Authentication, authorization, and accounting (AAA) enables you to centralize this process. Many companies centralize AAA functions by purchasing a security server that contains all of the security policies that define the list of users and what they are allowed to do. When authenticating or authorizing requests, routers forward these requests to the AAA server, which validates the requests. The AAA server then responds with its action, and the router either permits or denies the access or action.

This chapter focuses on using AAA to secure access to your router. It discusses how to use an AAA server to authenticate administrators when they access a router, authorize the commands they can execute, and keep an accounting record of their actions. The last part of this chapter discusses secure copy (SCP), which provides an encrypted and secure method of transferring files to and from a router (versus using TFTP, discussed in Chapter 3, which provides no security). SCP relies on AAA to assist in providing a secure connection.

NOTE

Many components actually make up AAA (enough to fill a book by itself). However, this chapter focuses only on the AAA components necessary to authenticate users accessing a router, restrict their actions on a router, and log information related to these processes.