What is AAA?

Authentication, authorization, and accounting is a triple-threat security software system implemented on all ASE products. The main function of AAA is to govern which users are allowed network access, which services they are allowed to use, and to keep track of what users do while on the network. AAA is made up of three independent, configurable security measures: authentication, authorization, and accounting.

Authentication

ASE offers multiple methods for allowing an admin to be authenticated for switch access. All client access methods can be modified. Available clients within the ASE switch product line consist of console, Telnet, SSH and HTTP/HTTPS.

In the 1560 GUI this can been found in Configuration > Security > Switch > Auth Method

In the 1570/1760 GUI this can be found Switch > Security > Management > Auth Method

In the CLI example below, the console client is accessible by local users configured on the switch. The Telnet client is disabled. SSH access will be granted to RADIUS authenticated users first, followed by TACACS users and, finally, those users configured locally. Lastly, HTTP (GUI) users will authenticate via RADIUS first, followed by those configured locally.

!
aaa authentication login console local
no aaa authentication login telnet
aaa authentication login ssh radius tacacs local
aaa authentication login http radius local
!

In order to use any other authentication mechanism other than local, an external server will need to be configured. Below is an example of a simple configuration referencing a separately configured RADIUS server.

!
radius-server attribute 4 <NAS-IP-Address management ip>
radius-server attribute 32 <NAS-Identifier name/word>
radius-server host <ip address of radius server> key <supersecretpassword>
!

Priveleged Exec Access                              

When an administrator connects to the switch with the above configuration, by default, only EXEC mode access will be allowed. There are three methods allowing an administrator access to Privileged EXEC mode

1. Configuring a global local ENABLE password.  *Less Secure

!
enable password level 15 <supersecretpassword>
!

2. Configuring a global "Enable" user in Radius. *Less Secure                                               

When the adminstrator types enable into the command prompt a request is sent to the RADIUS server with the following credentials.

User-Name = $enab15$
User-Password = <password user typed in>

While more secure than storing the enable password locally, you can only define 1 enable user and password.

3. Using privilege levels to control access to certain features of the switch. The desired privilege level of the user can be stored in RADIUS as an attribute. *Most Secure

In this scenario, a privilege level for the user must be established. Privilege levels are pre-determined and have been assigned to different functions within the switch, 1-15, with 1 being the lowest privilege level and 15, the highest. We will not go into depth in this article on privilege levels, but these levels can be customized in the GUI or CLI of the switch. Privilege level 15 will be assigned in the below RADIUS response for our user.

NOTE: Within the configuration of the RADIUS server, a reply attribute must be setup that defines the privilege level for the user. Adtran uses the common attribute Cisco-AVPair. RADIUS server user example below.

              User-Name = Adtran
              Cleartext-Password = supersecretpassword
              Cisco-AVPair = shell:priv-lvl=15

NOTE about http/https access.
     When using AAA with a Radius or Tacacs server for http/https access you will need to use the privelege level attribute mentioned above for them to have full access to the GUI. The  enable password level 15 <supersecretpassword> only applies and works for console, ssh, and telnet clients.