CCNP Chapter 4: AAA & Identity Management

Authentication, Authorization, and Accounting (AAA)

AAA is a security framework that controls who can access the network (authentication), what they can do (authorization), and keeps a record of their activity (accounting). Implementing AAA improves visibility and control over user activities and helps meet compliance requirements.

The two common AAA protocols are RADIUS and TACACS+. RADIUS combines authentication and authorization in a single exchange and hides only the user password, leaving the rest of the packet in cleartext, while TACACS+ separates all three functions and encrypts the entire packet body.

Router(config)# aaa new-model
Router(config)# aaa authentication login default group radius local
Router(config)# radius-server host 192.168.1.10 key MySecretKey
AAA Framework Diagram
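To make the RADIUS point above concrete, here is an added example (not from the original notes) that builds a minimal RFC 2865 Access-Request and shows that only the User-Password attribute is hidden, with MD5 keyed by the shared secret, while User-Name and NAS-IP-Address travel in cleartext. The username, password, secret and addresses are constructed values.

```python
"""Minimal RADIUS Access-Request builder (RFC 2865) for study purposes.
Shows why the shared secret matters: the password is the only field
obscured, and its protection rests entirely on MD5(secret + authenticator)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1        # RADIUS code for Access-Request
ATTR_USER_NAME = 1        # attribute type 1, sent in cleartext
ATTR_USER_PASSWORD = 2    # attribute type 2, the only hidden attribute
ATTR_NAS_IP_ADDRESS = 4   # attribute type 4, sent in cleartext


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each chunk
    with MD5(secret + previous ciphertext chunk), seeded with the Request
    Authenticator. This is obfuscation keyed by the shared secret, not
    authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: 1-byte type, 1-byte total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_ip: str, authenticator: bytes = None) -> bytes:
    """Header (code, id, length, 16-byte Request Authenticator) plus attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
```

Inspecting the returned bytes shows the username readable on the wire and the password replaced by 16 opaque bytes, which is exactly why RADIUS traffic between NAS and server should stay on a protected management network and use a long, unique shared secret.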

Identity-Based Networking and 802.1X

Identity-based networking assigns network access permissions based on user identity. One common method to implement this is 802.1X, a port-based access control protocol that requires devices to authenticate before they are allowed onto the network. The switch acts as the authenticator and relays the supplicant's credentials over RADIUS to an authentication server, which validates them and returns an accept or reject decision.

Switch(config)# dot1x system-auth-control
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
802.1X Authentication

Cisco Identity Services Engine (ISE)

Cisco ISE is a centralized policy platform that enables identity-based network access. It provides profiling, posture assessment, guest access, BYOD control, and policy enforcement in wired, wireless, and VPN environments.

ISE integrates with Active Directory for user authentication and applies policies based on user role, device type, time, and location.

Cisco ISE Architecture