1Configuring AAAOverviewAuthentication, Authorization, and Accounting (AAA) provides a uniform framework for implementingnetwork access management. It specifies the following security functions:• Authentication—Identifies users and verifies their validity.• Authorization—Grants different users different rights and controls their access to resources andservices. For example, you can use this function to grant a user who has successfully logged in to thedevice read and print permissions to the files on the device, and prevent a guest from reading orprinting the files.• Accounting—Records network usage details of users, including the service type, start time, andtraffic. This function enables time-based and traffic-based charging and user behavior auditing.Typically, AAA uses a client/server model. The client runs on the access device, or the network accessserver (NAS), which authenticates user identities and controls user access. The server maintains userinformation centrally. See Figure 1.Figure 1 AAA network diagramA user who wants to access networks or resources beyond the NAS sends its identity information to theNAS, which transparently passes the user information to the servers. The servers perform userauthentication, authorization, and accounting and return the result to the NAS. Based on the result, theNAS determines whether to permit or deny the access request.AAA has various implementations, including RADIUS, HWTACACS, and LDAP, of which RADIUS is mostoften used.The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use differentservers to implement different security functions. For example, you can use the HWTACACS server forauthentication and authorization, and use the RADIUS server for accounting.You can choose the three security functions provided by AAA as needed. For example, if your companyonly wants employees to be authenticated before they access specific resources, you only need to deployan authentication server. If network usage information is needed, you must also configure an accountingserver.Remote user NAS RADIUS serverHWTACACS serverInternetNetwork