AAA Framework

Authentication, Authorization, and Accounting (AAA), shown in Figure 4-7, is a security framework for controlling access to a network through three services: authentication, authorization, and accounting.

Figure 4-7. AAA configuration

Authentication is the process of identifying a user and verifying that identity against one or more credentials, such as a user name and password, a code sent to a registered phone number, a digital signature, or a digital certificate. It takes place before the user is granted access to any resource inside the organizational network. Once a user is authenticated, the authorization step decides what that user may do.

Authorization determines whether an authenticated user is permitted to perform a particular activity on a particular resource. It follows authentication rather than replacing it: when a user logs on to an application or a network, the verified identity is matched against policy attributes such as time-of-day restrictions, resource access restrictions, whether a single session or multiple sessions are allowed, and whether the same user may be logged in from multiple locations at the same time.

Accounting records resource utilization per user for billing, cost allocation, and security audit. With accounting enabled, the server collects user identities, numbers of bytes transmitted and received, commands executed on the servers, and session start and end times.
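The three services above are easiest to see as a pipeline in which each stage only runs if the previous one succeeded. The following Python is an added example written for this page, not code from the original text or from any AAA product: the user store, its policy attributes (login hours, permitted resources, session limit, single location), and the session and accounting records are all constructed here for illustration.

```python
"""A minimal AAA decision flow: authenticate, then authorize, then account.

Added example, not from the original text or any product: the user store,
its policy fields, and the session and accounting records are constructed
here to show how the three services hand off to each other."""
import hashlib
import hmac
from datetime import datetime, timedelta

_SALT = b"\x01" * 16  # fixed salt so the example is deterministic; use os.urandom(16) per user


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: credential hash plus the authorization policy attributes
USERS = {
    "alice": {
        "salt": _SALT,
        "hash": _pbkdf2("correct horse", _SALT),
        "login_hours": (8, 18),       # permitted from 08:00 up to 18:00
        "resources": {"vpn", "wiki"},
        "max_sessions": 1,
    },
}


class AAAServer:
    def __init__(self, users):
        self.users = users
        self.active = {}      # user -> list of (session_id, source_ip)
        self.accounting = []  # one record per session, closed at logout

    def authenticate(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        # Hash even for unknown users so timing does not reveal which names exist.
        candidate = _pbkdf2(password, rec["salt"] if rec else _SALT)
        return rec is not None and hmac.compare_digest(candidate, rec["hash"])

    def authorize(self, user: str, resource: str, src_ip: str, now: datetime):
        rec = self.users[user]
        start, end = rec["login_hours"]
        if not start <= now.hour < end:
            return False, "outside login hours"
        if resource not in rec["resources"]:
            return False, "resource not permitted"
        sessions = self.active.get(user, [])
        if any(ip != src_ip for _, ip in sessions):
            return False, "already logged in from another location"
        if len(sessions) >= rec["max_sessions"]:
            return False, "concurrent session limit"
        return True, "ok"

    def login(self, user, password, resource, src_ip, now):
        if not self.authenticate(user, password):
            return None, "authentication failed"   # authorization is never consulted
        ok, reason = self.authorize(user, resource, src_ip, now)
        if not ok:
            return None, reason
        session_id = f"{len(self.accounting) + 1:08x}"
        self.active.setdefault(user, []).append((session_id, src_ip))
        self.accounting.append({"session": session_id, "user": user, "resource": resource,
                                "src_ip": src_ip, "start": now, "stop": None,
                                "bytes_in": 0, "bytes_out": 0})
        return session_id, "ok"

    def logout(self, session_id, now, bytes_in, bytes_out):
        """Close the accounting record with end time and byte counts."""
        for rec in self.accounting:
            if rec["session"] == session_id and rec["stop"] is None:
                rec.update(stop=now, bytes_in=bytes_in, bytes_out=bytes_out)
                user = rec["user"]
                self.active[user] = [s for s in self.active[user] if s[0] != session_id]
                return rec
        return None


def demo():
    srv = AAAServer(USERS)
    t = datetime(2024, 1, 15, 9, 30)
    sid, _ = srv.login("alice", "correct horse", "vpn", "10.0.0.5", t)
    bad_pw = srv.login("alice", "wrong", "vpn", "10.0.0.5", t)
    elsewhere = srv.login("alice", "correct horse", "vpn", "192.0.2.9", t)
    night = srv.login("alice", "correct horse", "vpn", "10.0.0.5", t.replace(hour=23))
    record = srv.logout(sid, t + timedelta(minutes=42), 10_240, 512_000)
    return sid, bad_pw, elsewhere, night, record, srv.active["alice"]
```

The point of the ordering is that a failed authentication returns before any policy is evaluated, and an authenticated user can still be refused at the authorization stage (wrong hours, second location); only sessions that pass both stages produce an accounting record, which is completed with the stop time and byte counts at logout.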

AAA is administered through protocols such as RADIUS and TACACS+; Kerberos can also be used, but it provides only the authentication service. A typical AAA configuration is shown in Figure 4-7.


Remote Authentication Dial-In User Service (RADIUS) is a protocol providing centralized AAA for network access, covering remote dial-in access, virtual private network (VPN) access, Digital Subscriber Line (DSL) access, and other forms of network access. RADIUS authentication and authorization are described in RFC 2865 and RADIUS accounting in RFC 2866. The protocol runs over UDP, conventionally on ports 1812 (authentication) and 1813 (accounting); older deployments use 1645 and 1646.

RADIUS is a client/server protocol. The RADIUS client is the network access server (NAS) the user connects to, such as a VPN gateway or an access switch, not the end user: the NAS forwards the user's credentials in an Access-Request to a central RADIUS server, which answers with Access-Accept or Access-Reject and, on acceptance, the attributes that authorize the session. Client and server share a secret that hides the User-Password attribute and authenticates server replies; the rest of the packet, including the user name, travels in cleartext, which is why RADIUS traffic should be confined to a management network or carried over TLS (RadSec, RFC 6614). The server keeps user profiles and access policy in a central database, so an organization can define policies once, apply them per user, and track resource usage for billing and for recording network statistics.
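The exchange described above, as an added example that is not part of the original text and not taken from any RADIUS implementation: it builds an Access-Request with the User-Password hiding of RFC 2865 section 5.2, recovers the password on the server side, and computes and verifies the Response Authenticator of RFC 2865 section 3. The shared secret, user name, password, NAS address and the fixed Request Authenticator are constructed values chosen so the example is deterministic; a real NAS generates the Request Authenticator randomly.

```python
"""RADIUS Access-Request / Access-Accept, per RFC 2865 (added example, not from the page).

Shows the two places the shared secret is used: hiding the User-Password
attribute and authenticating the server's reply.  Everything else in the
packet, including User-Name, is sent in cleartext."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret || previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes):
    """Walk the TLV attribute list, rejecting malformed lengths instead of over-reading."""
    i, out = 0, []
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_access_request(ident, secret, username, password, nas_ip, request_auth):
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request, secret) -> bool:
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, resp_auth)


def demo():
    secret = b"s3cret"                    # constructed shared secret
    req_auth = bytes(range(16))           # constructed, fixed; a real NAS uses 16 random bytes
    req = build_access_request(7, secret, b"alice", b"correct horse", "192.0.2.10", req_auth)
    # Server side: recover the password and decide.
    attrs = dict(parse_attrs(req[20:]))
    recovered = unhide_password(attrs[USER_PASSWORD], secret, req[4:20])
    code = ACCESS_ACCEPT if (attrs[USER_NAME], recovered) == (b"alice", b"correct horse") else ACCESS_REJECT
    resp = build_response(code, req, secret)
    # NAS side: a reply built with the wrong secret does not verify.
    forged = build_response(ACCESS_ACCEPT, req, b"wrong-secret")
    return attrs[USER_NAME], recovered, code, verify_response(resp, req, secret), verify_response(forged, req, secret)
```

Note that the password hiding is an MD5-keyed stream, not authenticated encryption, and that the Response Authenticator is the only thing binding an Access-Accept to the request: an attacker who can read the link sees the user name and every other attribute, and an attacker who learns the shared secret can forge accepts. That is the practical argument for RadSec or an isolated management network.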

TACACS+ (Terminal Access Controller Access-Control System Plus) is Cisco's AAA protocol, used mainly to authenticate administrators who log in to network devices and to control what they may do once connected. It is a distinct, incompatible successor to the original TACACS protocol described in RFC 1492. RADIUS runs over UDP, whereas TACACS+ runs over TCP on port 49, and TACACS+ obfuscates the entire packet body with the shared key, where RADIUS hides only the password. Many administrators therefore prefer TACACS+ for device administration: TCP gives reliable delivery, the user name and commands are not sent in cleartext, and the protocol supports per-command authorization and accounting.

RADIUS combines authentication and authorization in a single exchange (the authorization attributes ride in the Access-Accept), whereas TACACS+ separates the two into distinct authentication and authorization sessions, which is what makes per-command authorization possible. TACACS+ is specified in RFC 8907; RFC 1492 covers only the original TACACS.
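To make the "entire body is obfuscated" contrast concrete, here is an added example, not from the original text or from any TACACS+ implementation, that frames a TACACS+ authentication START packet and applies the body obfuscation of RFC 8907 section 4.5: the header is sent in the clear and the body is XORed with an MD5 keystream derived from the session id, the shared key, the version byte and the sequence number. The key, session id, user name, port, remote address and password are constructed values.

```python
"""TACACS+ packet framing and body obfuscation per RFC 8907 (added example, not from the page).

Unlike RADIUS, every byte after the 12-byte header, including the user name,
is hidden under the shared key.  The header fields remain visible."""
import hashlib
import struct

TAC_PLUS_VERSION = (0xC << 4) | 0x0   # major 0xc, minor 0
TAC_PLUS_AUTHEN = 1                   # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = "!BBBBII"                    # version, type, seq_no, flags, session_id, length


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id || key || version || seq_no); pad_n = MD5(... || pad_n-1)."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(base + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR is its own inverse, so this both hides and recovers a body."""
    return bytes(b ^ k for b, k in zip(body, keystream(session_id, key, version, seq_no, len(body))))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    return struct.pack(HEADER, TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet: bytes, key: bytes):
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    payload = packet[12:12 + length]
    if len(payload) != length:
        raise ValueError("body length does not match header")
    body = payload if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(payload, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes,
                      action=1, priv_lvl=1, authen_type=2, service=1) -> bytes:
    """RFC 8907 5.1 START: action LOGIN=1, authen_type PAP=2, service LOGIN=1, then the four fields."""
    return (struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def parse_authen_start(body: bytes) -> dict:
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    off, fields = 8, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError("START body length does not match field lengths")
    return dict(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service,
                user=fields[0], port=fields[1], rem_addr=fields[2], data=fields[3])


def demo():
    key = b"tacacs-shared-key"        # constructed shared key
    session_id = 0x1A2B3C4D           # constructed; a real client picks this randomly per session
    body = authen_start_body(b"alice", b"tty0", b"192.0.2.10", b"correct horse")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)
    _, _, _, recovered = parse_packet(pkt, key)
    _, _, _, wrong_key = parse_packet(pkt, b"other-key")
    return pkt, parse_authen_start(recovered), wrong_key
```

The keystream is MD5 output, so this is obfuscation rather than authenticated encryption: a wrong key yields garbage rather than an error, and nothing in the packet detects modification. RFC 8907 itself calls it obfuscation and expects the transport between device and server to be protected separately.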

