Authentication, Authorization, and Accounting (AAA) is a security management framework for network access control. It determines which users can access the network and which resources or services are available to authorized users. This document introduces the three elements of AAA, its implementation, the protocols it uses, and its applications.
Three Elements of AAA
Authentication
Authentication: confirms the identities of users accessing the network and determines whether the users are authorized.

The AAA server compares a user's authentication credentials with those stored in a database. If the credentials match, the user passes identity authentication and is permitted access to the network. If the credentials do not match, the user fails identity authentication and is denied access to the network. Typical authentication credentials are:
Password
User name and password
Digital certificate
Authorization
Authorization: assigns differentiated rights to authorized users so that they can use specific services.

After a user passes identity authentication, the user is authorized to use the following:
Commands
Resources
Information
Authorization follows the least privilege principle. That is, users are granted only the permissions needed to perform their required functions, to prevent any accidental or malicious network behavior.
Accounting
Accounting: records all the operations of a user during the network service process, including who performed them, when, and what was done.

Accounting records the service type used, the start time, and the data traffic in order to collect and record the user's network resource usage. These records are used for time- or traffic-based accounting and for network monitoring.
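The following added example (not code from this document or from any AAA product) models the three elements in one in-memory server: credential comparison against a stored database, deny-by-default command authorization, and an accounting trail with per-session usage. The class, user, role, command and service names are assumptions made for illustration, and no AAA protocol is modelled.

```python
import hashlib, hmac, os, time

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AAAServer:
    """Toy AAA model; users, roles and commands are constructed sample data."""

    def __init__(self):
        self.users = {}     # name -> (salt, password hash, role)
        self.roles = {"operator": {"display"}, "admin": {"display", "reboot"}}
        self.sessions = {}  # name -> usage record of the open session
        self.log = []       # accounting trail: who, when, what, result

    def add_user(self, name, password, role):
        salt = os.urandom(16)
        self.users[name] = (salt, _kdf(password, salt), role)

    def _record(self, who, what, result):
        self.log.append({"who": who, "when": time.time(), "what": what, "result": result})

    def authenticate(self, name, password, service="ssh"):
        # Unknown users get a dummy salt so the same hashing work is done either way.
        salt, stored, _ = self.users.get(name, (b"\0" * 16, b"", None))
        digest = _kdf(password, salt)
        ok = name in self.users and hmac.compare_digest(digest, stored)
        self._record(name, "login", "accept" if ok else "reject")
        if ok:
            self.sessions[name] = {"service": service, "start": time.time(), "bytes": 0}
        return ok

    def authorize(self, name, command):
        # Least privilege: deny unless authenticated and the role lists the command.
        role = self.users[name][2] if name in self.sessions else None
        ok = command in self.roles.get(role, set())
        self._record(name, command, "permit" if ok else "deny")
        return ok

    def stop(self, name, traffic_bytes):
        # Close the session and return the usage record used for billing and monitoring.
        usage = self.sessions.pop(name)
        usage.update(bytes=traffic_bytes, duration=time.time() - usage["start"])
        self._record(name, "logout", "stop")
        return usage
```

Rejected logins and denied commands are written to the accounting trail as well, so failed attempts remain visible for monitoring.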



