AAA
Authentication: verifying that the source of the access is legitimate
Authorization
Assigning privileges: what the user is permitted to execute
Accounting
Recording the user's activity history
table: Differences between RADIUS and TACACS+
Protocol	Standardization	Port used	Encryption
RADIUS	IETF standard	UDP 1812, 1813	Password field only
code:cisco
edge-sw01(config)#aaa new-model # enable AAA
# authentication types
edge-sw01(config)#aaa authentication ?
arap Set authentication lists for arap.
attempts Set the maximum number of authentication attempts
banner Message to use when starting login/authentication.
dot1x Set authentication lists for IEEE 802.1x. # IEEE 802.1x
enable Set authentication list for enable. # privileged EXEC mode
eou Set authentication lists for EAPoUDP
fail-message Message to use for failed login/authentication.
login Set authentication lists for logins. # login authentication
onep Set authentication lists for ONEP
password-prompt Text to use when prompting for a password
ppp Set authentication lists for ppp.
rejected Set blocking action for failed logins
sgbp Set authentication lists for sgbp.
suppress Do not send access request for a specific type of user.
username-prompt Text to use when prompting for a username
# list types
edge-sw01(config)#aaa authentication login ?
WORD Named authentication list (max 31 characters, longer will be rejected).
default The default authentication list. # applies to all lines (aux, console, vty, ...)
# method types
edge-sw01(config)#aaa authentication login default ?
cache Use Cached-group
enable Use enable password for authentication. # use the enable password
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet.
line Use line password for authentication. # use the line password
local Use local username authentication. # use the local database
local-case Use case-sensitive local username authentication.
none NO authentication. # no authentication
passwd-expiry enable the login list to provide password aging support
# group method types
edge-sw01(config)#aaa authentication login default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
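The help output above only lists the options; the following is an added example (not part of the original page) that ties the three As together on the same switch: a RADIUS server group as the primary method with the local database as fallback, plus EXEC authorization and accounting. The server name RADIUS-01, group name RADIUS-GRP, the address 192.0.2.10, the local username and both secrets are constructed placeholders.

```cisco
! Added example: complete AAA setup using a RADIUS server group with local fallback.
! RADIUS-01, RADIUS-GRP, 192.0.2.10 and the <...> secrets are constructed placeholders.
hostname edge-sw01
!
! Local fallback account, consulted only when no RADIUS server responds
username admin privilege 15 secret <LOCAL-ADMIN-SECRET>
!
aaa new-model
!
! RADIUS server definition (ports match the IETF standard values from the table)
radius server RADIUS-01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
! Server group referenced by the method lists below
aaa group server radius RADIUS-GRP
 server name RADIUS-01
!
! Authentication: RADIUS group first, local database if the group is unreachable
aaa authentication login default group RADIUS-GRP local
aaa authentication enable default group RADIUS-GRP enable
!
! Authorization: privilege level of the EXEC shell comes from RADIUS, local fallback
aaa authorization exec default group RADIUS-GRP local
!
! Accounting: record start and stop of every EXEC session on the RADIUS server
aaa accounting exec default start-stop group RADIUS-GRP
!
line vty 0 4
 login authentication default
 transport input ssh
```

Two points to check when reviewing such a configuration: the fallback method (`local` here) is only tried when every server in the group fails to respond, not when a server rejects the credentials, so it does not weaken RADIUS-enforced policy; and the `none` method shown in the help output above should not appear in the `default` list, because `default` applies to every line including the VTYs.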