When a user enters credentials, the process happens as follows:
Authentication provides a way to identify a user by requiring the user to enter valid credentials before access is granted. This process is based on the criterion that every user has a unique set of conditions to fulfill in order to gain access. The AAA server checks the user's credentials against those stored in a database. The user receives access to the network when the credentials match. If the credentials do not match, authentication fails and access to the network is denied.
After authentication, the user needs to gain authorization in order to perform the necessary tasks. Once the user gains access to a system, he or she might try running some commands. Here the authorization process decides whether the user is authorized to run those commands.
Authorization may be defined as the process where policies are enforced. This process determines:
The nature of the activity
Resources provided to user
Services provided to user
When AAA is working, authorization follows authentication. Once the user is authenticated, authorization is checked, which might be of a different type for each level.
Finally, the accounting part of "AAA" provides logs of the activities performed by the user. Accounting logs the:
Usage information: this information is later used for control, billing and trend analysis
Utilization of Resources
Capacity planning activities
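The three stages described above, in order, as an added example that is not taken from any Cisco product or from the original page. The class `AAAServer`, the function `run_session`, the accounts, the privilege levels and the command policy are all constructed for illustration. The in-memory store stands in for the AAA server's credential database.

```python
import hashlib, hmac, os, time

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AAAServer:
    """Toy AAA server (constructed example): users, policy and log live in memory."""
    def __init__(self):
        self.users = {}        # username -> (salt, password hash, privilege level)
        self.policy = {}       # command -> minimum privilege level required
        self.accounting = []   # append-only list of accounting records

    def add_user(self, name, password, level):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt), level)

    def authenticate(self, name, password):
        # Hash even for unknown users so both failure paths do similar work.
        salt, stored, _ = self.users.get(name, (b"\0" * 16, b"", 0))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        self._log(name, "authentication", "pass" if ok else "fail")
        return ok

    def authorize(self, name, command):
        # Default deny: a command with no policy entry is refused.
        level = self.users[name][2]
        required = self.policy.get(command)
        ok = required is not None and level >= required
        self._log(name, "authorization", f"{command}:{'permit' if ok else 'deny'}")
        return ok

    def _log(self, user, stage, result):
        self.accounting.append({"time": time.time(), "user": user, "stage": stage, "result": result})

def run_session(server, name, password, commands):
    """Authenticate first, then authorize each command; returns the commands permitted."""
    if not server.authenticate(name, password):
        return None   # access denied, so no authorization step happens
    return [c for c in commands if server.authorize(name, c)]

def demo():
    srv = AAAServer()
    srv.add_user("alice", "correct horse", 15)   # constructed sample accounts
    srv.add_user("bob", "battery staple", 1)
    srv.policy = {"show version": 1, "configure terminal": 15}
    alice = run_session(srv, "alice", "correct horse", ["show version", "configure terminal"])
    bob = run_session(srv, "bob", "battery staple", ["show version", "configure terminal", "reload"])
    bad = run_session(srv, "bob", "wrong", ["show version"])
    return {"alice": alice, "bob": bob, "bad_password": bad}, srv.accounting
```

The accounting list records failed authentications and denied commands as well as successes, which is the part of the log a reviewer usually needs first.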
RADIUS accounting for VPN Clients that terminate on PIX version 6.3 and earlier is currently not supported with Cisco Secure Access Control Server (ACS) for Windows. You can only log the information of the pass-through traffic on PIX versions later than 6.3.
The PIX does not account for the management traffic. It can send the information regarding authentication but not for the RADIUS accounting on ACS for Windows.
This is a limitation of PIX versions 6.3 and earlier, not of ACS for Windows. A feature request has been filed for this. However, no workaround is yet available.
For more information on the feature request, refer to Cisco bug ID CSCdu01327.