Introduction to AAA
AAA is the abbreviation for Authentication, Authorization and Accounting:
- Authentication: Authenticates users' identities.
- Authorization: Grants certain privileges according to the configuration.
- Accounting: Records the fees users should pay for their network resource usage.
The system supports the following authentication methods:
- Local authentication: Configures user information (including username, password and properties) on security devices. Local authentication is fast and can reduce operation cost, but the amount of information that can be stored is limited by the hardware of the device. By default, the system uses local authentication.
- External authentication: The system also supports external authentication over the RADIUS and LDAP protocols. User information is stored in an external RADIUS or LDAP server, and security devices authenticate users against the RADIUS or LDAP server.
The system supports the following authorization methods:
- Local authorization: Authorizes user privileges according to the configurations of security devices.
- Authorization after external authentication: RADIUS/LDAP authentication is mapped to an authorization.
External Authentication Procedure
When a user has established a connection from a terminal to a security device and gained access or management privilege, the security device can authenticate the user via the configured RADIUS or LDAP server. The diagram below shows the external authentication procedure:

As shown above, the procedure is:
- The user sends username and password to the security device.
- The security device receives the username and password, and sends an authentication request to the RADIUS/LDAP server.
- If the request is legitimate, the RADIUS/LDAP server performs authentication. If authentication passes, the RADIUS/LDAP server returns the information configured by the user to the security device; otherwise it returns denial information. Communication between the security device and the RADIUS/LDAP server is protected by the shared secret (secret key or cipher text).
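
The RADIUS side of this exchange, as an added example (not from the original page or the vendor's code): per RFC 2865, the shared secret hides the User-Password in the request and authenticates the server's reply. The function names are assumptions of this example, and LDAP, which works differently, is not covered.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def _chain(data, secret, request_auth, hiding):
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = result if hiding else block   # always chain on the ciphertext block
    return out

def hide_password(password, secret, request_auth):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, len(password) + (-len(password) % 16)), b"\x00")
    return _chain(padded, secret, request_auth, hiding=True)

def reveal_password(hidden, secret, request_auth):
    """Server side: only the correct shared secret yields the original password."""
    return _chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, user, password, secret, request_auth):
    """Device side: request_auth must be 16 fresh random bytes, e.g. os.urandom(16)."""
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, ident, request_auth, secret):
    """Device side: reject replies that were not produced with the shared secret."""
    if len(packet) < 20 or packet[1] != ident:
        return False
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Both constructions are MD5-based, so the protection is only as strong as the shared secret; a long, random secret per device is the practical control.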