AAA

Updated on Mar 28, 2024 by

What Is AAA?

Authentication, Authorization, and Accounting (AAA) form a security management framework governing network access control. It defines which users have network access and identifies the resources or services accessible to authorized users. This document presents an overview of AAA's three components, their implementation, associated protocols, and applications.

Three Elements of AAA

Authentication

Authentication: validates the identity of a user who accesses the network and determines whether that user is permitted to do so.
The AAA server validates a user's authentication credentials by checking them against information stored in a database. Successful authentication grants the user access to the network; failed authentication results in denial of access. The common authentication credentials are:
  • Password
  • User name and password
  • Digital certificate

Authorization

Authorization: grants users differentiated rights to access specified services.
Once a user has successfully passed identity authentication, they are granted authorization for the following:
  • Commands
  • Resources
  • Information
This authorization follows the principle of least privilege: users receive only the permissions necessary to perform their required functions, which minimizes the risk of accidental or malicious network behavior.

Accounting

Accounting: tracks all of a user's operations while the network service is in use, recording who did what and when.
Accounting captures service usage details, start times, and data traffic volumes to track and record a user's network resource consumption, which supports time- or traffic-based billing and network monitoring.

How Does AAA Work?

The AAA system employs a client/server structure known for its simplicity, scalability, and centralized user information management.

[Figure: AAA framework]
As shown in the figure above, the basic AAA implementation process is:
  1. Users connect to the AAA client before gaining network access.
  2. The AAA client forwards the user's authentication credentials to the AAA server.
  3. The AAA server validates the provided credentials and decides whether to approve access, relaying the authentication and authorization results to the AAA client.
  4. The AAA client grants or denies network access according to the authentication and authorization results.
 
Within the AAA framework:
  • The AAA client runs on a Network Access Server (NAS), such as a router or switch, that provides network access services.
  • The AAA server handles user authentication, authorization, accounting, and centralized user information management.
  • Depending on the communication protocol used, AAA servers are categorized as Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS) servers.

What Protocols Are Used in AAA?

AAA uses many protocols to carry out authentication, authorization, and accounting functions.

RADIUS:

RADIUS is a widely adopted protocol supported by major device vendors and prevalent in live networks. Because it combines authentication and authorization in a single exchange, a rejected request does not indicate whether the user failed authentication or was denied authorization, which makes the reason for access denial hard to distinguish.
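The following added example (not code from the original page) models steps 2 and 3 of the AAA process described above on the RADIUS model: the NAS hides the password with the RFC 2865 User-Password scheme, and the server authenticates, then authorizes, answering both failures with the same Access-Reject, which is the ambiguity noted above. The shared secret, user store and service policy are constructed sample data.

```python
import hashlib
import os
import secrets

# Constructed sample data: the shared secret, user store and policy are illustrative only.
SHARED_SECRET = b"example-shared-secret"   # assumption: pre-shared between NAS and server
USER_DB = {"alice": {"password": "s3cr3t", "roles": {"admin"}}}
# Authorization policy (assumption): which roles may be granted which service.
SERVICE_POLICY = {"login": {"admin", "operator"}, "ppp": {"dialin"}}

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-byte multiple, then
    XOR each block with MD5(secret + previous block), chained from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the AAA server runs this before comparing credentials."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def nas_build_request(user: str, password: str, service: str) -> dict:
    """AAA client (NAS) side, step 2: forward credentials with a fresh Request Authenticator."""
    request_auth = os.urandom(16)
    return {"User-Name": user, "Service": service, "Request-Authenticator": request_auth,
            "User-Password": hide_password(password.encode(), SHARED_SECRET, request_auth)}

def aaa_server_handle(req: dict) -> tuple:
    """AAA server side, step 3: authenticate, then authorize. Returns (code, attributes)."""
    record = USER_DB.get(req["User-Name"])
    pw = reveal_password(req["User-Password"], SHARED_SECRET, req["Request-Authenticator"])
    # Authentication: constant-time comparison against the stored credential.
    if record is None or not secrets.compare_digest(pw, record["password"].encode()):
        return ("Access-Reject", {})
    # Authorization (least privilege): grant only the requested service, and only if a role allows it.
    if not (record["roles"] & SERVICE_POLICY.get(req["Service"], set())):
        return ("Access-Reject", {})   # same code as an authentication failure
    return ("Access-Accept", {"Service-Type": req["Service"]})
```

A NAS receiving Access-Reject for alice/ppp cannot tell it apart from a wrong password; the server's own log is where the distinction has to be recorded.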

TACACS, TACACS+:

TACACS, which originated in the 1980s, was extended by vendors such as Cisco (TACACS+). TACACS+ offers enhanced security, command authentication, and event recording, which makes it suitable for identity authentication of login users.

LDAP and AD:

LDAP, which runs over the TCP/IP suite, provides access to a directory that stores hierarchical data. It handles authentication and authorization through bind and query operations and is often used in single sign-on scenarios. AD, a directory service built on LDAP, integrates the Kerberos protocol for added security in the Windows operating system.

Diameter:

Diameter, an IETF-defined AAA protocol that succeeds RADIUS, addresses RADIUS's limitations. It supports Mobile IP, multiple interfaces, and mobile agents, and is expected to play a significant role in future mobile communication and broadband access systems.

What Are the Applications of AAA?

In terms of user access modes, the application scenarios for AAA are as follows:
  • Login User Management:
    This scenario covers users who log in to a device directly, for example through a console port or STelnet. AAA ensures high security by controlling which users can access the device, specifying which commands they may run after login, and logging their operations.
  • NAC User Access Control:
    Network Admission Control (NAC) users access the network through 802.1X authentication, MAC address authentication, or Portal authentication. These users, whether wired or wireless, appear in diverse networks such as enterprise campuses, educational institutions, medical facilities, and shopping malls. Given their varying access types, changing physical locations, and distinct privilege levels, AAA works together with NAC to safeguard the security of these users.
