Skip to main content

CompTIA A+

Authentication, Authorization, and Accounting (AAA)

17 min read

AAA stands for Authentication, Authorization, and Accounting—three related security functions that control access to network resources and track user activity. These three components work together to ensure that only legitimate users access systems, that they can only perform actions they're permitted to do, and that their activities are recorded for security and compliance purposes.

AAA provides the foundation for network security in organizations of all sizes. Whether you're logging into a workstation, connecting to a VPN, or accessing a wireless network, AAA processes are working behind the scenes to verify your identity, determine your access rights, and log your actions.

The Three Components of AAA

Authentication

Authentication answers the question "Who are you?" It's the process of verifying that users are who they claim to be before granting access to systems or resources.

Authentication typically relies on one or more factors. Something you know includes passwords, PINs, and security questions. Something you have includes smart cards, security tokens, mobile phones, and key fobs. Something you are includes biometric identifiers like fingerprints, facial recognition, iris scans, and voice patterns. Somewhere you are uses location data such as GPS coordinates or IP address geolocation. Something you do includes behavioral biometrics like typing patterns and mouse movements.

Single-factor authentication uses only one factor, typically a password. While simple to implement, it's vulnerable if that single factor is compromised.

Multi-factor authentication (MFA) requires two or more different factors, dramatically improving security. A common example combines a password (something you know) with a code sent to your phone (something you have). Even if an attacker steals your password, they can't access your account without also having your phone.

Two-factor authentication (2FA) is a subset of MFA using exactly two factors. The terms are often used interchangeably in casual conversation.

Authorization

Authorization answers the question "What are you allowed to do?" After authentication confirms your identity, authorization determines which resources you can access and what actions you can perform.

Authorization decisions are typically based on user accounts, group memberships, roles, or attributes. A regular employee might have access to shared files and email, while an administrator has access to server configurations and user management tools. Authorization ensures users can only access resources appropriate for their job function.

Common authorization models include Discretionary Access Control (DAC), where resource owners control access permissions. Mandatory Access Control (MAC) uses security labels and clearance levels enforced by the system. Role-Based Access Control (RBAC) assigns permissions based on job roles rather than individual users. Attribute-Based Access Control (ABAC) makes decisions based on multiple attributes including user, resource, and environmental factors.

The principle of least privilege guides authorization decisions—users should have only the minimum access necessary to perform their job functions. This limits damage if an account is compromised.

Accounting

Accounting answers the question "What did you do?" It tracks and records user activities for security monitoring, troubleshooting, compliance, and billing purposes.

Accounting logs capture information such as who accessed a resource, when access occurred, what actions were performed, how long the session lasted, and how much data was transferred. These records create an audit trail that can be reviewed during security investigations or compliance audits.

Accounting data serves multiple purposes. Security teams use it to detect suspicious behavior and investigate incidents. Compliance officers demonstrate adherence to regulations. Network administrators troubleshoot access issues. Service providers bill customers based on resource usage.

AAA Protocols

Several protocols implement AAA functionality across networks.

RADIUS

RADIUS (Remote Authentication Dial-In User Service) is the most widely used AAA protocol. Originally designed for dial-up connections, RADIUS now secures wireless networks, VPNs, and network device access.

RADIUS uses UDP ports 1812 for authentication and 1813 for accounting. Legacy implementations may use ports 1645 and 1646 instead. RADIUS encrypts only the password in authentication packets, leaving other data unencrypted.

In a typical RADIUS deployment, a user attempts to connect to a network access server (NAS) such as a wireless access point or VPN concentrator. The NAS forwards the authentication request to the RADIUS server. The RADIUS server verifies credentials, often by checking against Active Directory or another directory service. The server returns an accept or reject response to the NAS. If accepted, the user gains network access with appropriate authorization settings.

RADIUS is commonly used for wireless network authentication using WPA2/WPA3-Enterprise, VPN authentication, network device administration access, and ISP customer authentication.

TACACS+

TACACS+ (Terminal Access Controller Access-Control System Plus) is Cisco's proprietary AAA protocol, commonly used for managing access to network infrastructure devices like routers and switches.

TACACS+ uses TCP port 49 and encrypts the entire packet payload, providing better security than RADIUS. It also separates authentication, authorization, and accounting into distinct processes, allowing more granular control.

Organizations often use TACACS+ for network administrator access to infrastructure devices while using RADIUS for general user authentication. This separation allows different policies for privileged administrative access versus regular user access.

Key differences between RADIUS and TACACS+: RADIUS uses UDP while TACACS+ uses TCP. RADIUS encrypts only passwords while TACACS+ encrypts the entire payload. RADIUS combines authentication and authorization while TACACS+ separates all three AAA functions. RADIUS is an open standard while TACACS+ is Cisco proprietary.

Kerberos

Kerberos is an authentication protocol used extensively in Windows Active Directory environments. Rather than sending passwords across the network, Kerberos uses tickets to prove identity.

When a user logs into a Windows domain, they authenticate to the Key Distribution Center (KDC), which runs on domain controllers. The KDC issues a Ticket Granting Ticket (TGT) that proves the user's identity. When accessing resources, the user presents the TGT to obtain service tickets for specific servers.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account