What Is AAA Security? | Fortinet (2024)

Authentication involves a user providing information about who they are. Users present login credentials that affirm they are who they claim. As an identity and access management (IAM) tool, a AAA server compares a user’s credentials with its database of stored credentials by checking if the username, password, and other authentication tools align with that specific user.

The three types of authentication include something you know, like a password, something you have, like a Universal Serial Bus (USB) key; and something you are, such as your fingerprint or other biometrics.

Authorization follows authentication. During authorization, a user can be granted privileges to access certain areas of a network or system. The areas and sets of permissions granted a user are stored in a database along with the user’s identity. The user’s privileges can be changed by an administrator. Authorization is different from authentication in that authentication only checks a user’s identity, whereas authorization dictates what the user is allowed to do.

For example, a member of the IT team may not have the privileges necessary to change the access passwords for a company-wide virtual private network (VPN). However, the network administrator may choose to give the member access privileges, enabling them to alter the VPN passwords of individual users. In this manner, the team member will be authorized to access an area they were previously barred from.

Accounting keeps track of user activity while users are logged in to a network by tracking information such as how long they were logged in, the data they sent or received, their Internet Protocol (IP) address, the Uniform Resource Identifier (URI) they used, and the different services they accessed.

Accounting may be used to analyze user trends, audit user activity, and provide more accurate billing. This can be done by leveraging the data collected during the user’s access. For example, if the system charges users by the hour, the time logs generated by the accounting system can report how long the user was logged in to the router and inside the system, and then charge them accordingly.

AAA is a crucial part of network security because it limits who has access to a system and keeps track of their activity. In this way, bad actors can be kept out, and a presumably good actor that abuses their privileges can have their activity tracked, which gives administrators valuable intelligence about their activities.

There are two main types of AAA for networking: network access and device administration.

RADIUS is a networking protocol that performs AAA functions for users on a remote network using a client/server model. RADIUS simultaneously provides authentication and authorization to users trying to access the network. RADIUS also takes all AAA data packets and encrypts them, providing an extra level of security.

RADIUS works in three phases: the user sends a request to a network access server (NAS), the NAS then sends a request for access to the RADIUS server, which responds to the request by either accepting it, rejecting it, or challenging it by asking for more information.

Similar to RADIUS, TACACS+ uses the client/server model to connect users. However, TACACS+ enables more control regarding the ways in which commands get authorized. TACACS+ works by providing a secret key known by the client and the TACACS+ system. When a valid key is presented, the connection is allowed to proceed.

TACACS+ separates the authentication and authorization processes, and this differentiates it from RADIUS, which combines them. Also, TACACS+, like RADIUS, encrypts its AAA packets.