Avatar of Centamin-SGM
Centamin-SGM
 asked on

Authentication, Authorization, Accounting procedures from Microsoft side.

Hi All,

you all know about AAA  from Cisco side, that you can authenticate, authorize, and Account all access to the Network device through radius, or tacacs+ server.
the same thing happens from Microsoft side. such as every access the user can make to any resource is controlled through active directory, which in my point of view is AAA schema. the user first authenticates to the server required, then get authorized to access the required resources, then his access is getting logged.

what I'm looking for is. any articles or documents that provides detailed explanation about the procedures used for AAA from Microsoft side. like Exchange, File Server, print server, SharePoint resources access rules.

any help is appreciated.

Regards,
Maher
Software FirewallsOS SecuritySecurity

Avatar of undefined
Last Comment
Centamin-SGM

8/22/2022 - Mon
btan

Microsoft has a listing of Infrastructure Planning and Design (IPD) for its portfolio which is useful. You may want to check out the NAP, Forefront Identity mgmt, Forefront UAG. I see the NAP as the first guardian to route as RADIUS  (with NAP incorporated with necessary extension DLLs) for other AAA entity check if need to and enforce consistent NAP client to be check prior to granting access to resource mentioned with a cleared remediation health state (using Network Access Protection)
http://msdn.microsoft.com/en-us/library/cc196387.aspx

e.g. NPS architecture
http://technet.microsoft.com/en-us/library/dd197439(v=ws.10).aspx
e.g. Example 1: Validate Health of NAP Client for IPsec Communication
http://msdn.microsoft.com/en-us/library/hh872011.aspx
Centamin-SGM

ASKER
Thanks btan for your comment,
but actually, I have Cisco ISE installed and Access control is already applied.
and I use Cisco ISE as a radius server for authenticating device Admins too.
what I'm trying to clarify is that, when the end user wants to access any resource in the network, there many steps required for the user to get access.
1. authentication through active directory.
2. authorization to get access to whatever the resources required.
3. accounting of what he has done.

that's what I'm looking for, the hierarchy of authentication, Authorization, accounting from Microsoft view.

thanks and regards.
ASKER CERTIFIED SOLUTION
Rich Rumble

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Centamin-SGM

ASKER
Thanks rich,
now I've got the point.

Regards,
Maher
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Rich Rumble

Microsoft has advice on doing these activities, but not the holistic approach of AAA.They recommend you do them around critical infrastructure and data, but AAA isn't how they label it. The concepts are the same, but then the auditing piece, at least where you and I would review what happened, isn't easy without a SEIM or some 3rd party log parsing software.
-rich
btan

in fact NPS is ike ISE on the basic AAA. so the IDP will still help.

1. ISE will perform LDAP call to AD which will then verify against the credential pass over, this will be as per like "login" into your machine in domain. The LDAP filter CN for matching username tends to be the usual "cn=user" group, with the attribute as per in the entity field such as displayname etc. There is no much different from Microsoft usual AD check. Probably to note that the DNS, NTP will need to be synchronised as well since ISE is supposed to joined the AD domain too.

2. ISE ACL is based on RADIUS-vendor dictionaries that comes with Microsoft support as well. So when access to the authenticated user is successful, it is as if the login is alright and when the usual Windows security permission for file/folder (NTFS) will apply with ISE passing the identity to the resource requested.

3. Accounting is the usual audit log and security/appl/system event log that the domain controller will be tracking as well.
Centamin-SGM

ASKER
Thanks Guys for your support.

much appreciated.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.