What is Authentication, Authorization, and Accounting (AAA)?
Authentication, authorization, and accounting (AAA) is a security framework that controls access to computer resources, enforces policies, and audits usage. AAA and its combined processes play a major role in network management and cybersecurity by screening users and keeping track of their activity while they are connected.
Authentication involves a user providing information about who they are. Users present login credentials that affirm they are who they claim. As an identity and access management (IAM) tool, a AAA server compares a user’s credentials with its database of stored credentials by checking if the username, password, and other authentication tools align with that specific user.
Authentication factors fall into three types: something you know, such as a password; something you have, such as a Universal Serial Bus (USB) security key; and something you are, such as a fingerprint or other biometric.
Authorization follows authentication. During authorization, a user can be granted privileges to access certain areas of a network or system. The areas and sets of permissions granted a user are stored in a database along with the user’s identity. The user’s privileges can be changed by an administrator. Authorization is different from authentication in that authentication only checks a user’s identity, whereas authorization dictates what the user is allowed to do.
For example, a member of the IT team may not have the privileges necessary to change the access passwords for a company-wide virtual private network (VPN). However, the network administrator may choose to give the member access privileges, enabling them to alter the VPN passwords of individual users. In this manner, the team member will be authorized to access an area they were previously barred from.
Accounting keeps track of user activity while users are logged in to a network by tracking information such as how long they were logged in, the data they sent or received, their Internet Protocol (IP) address, the Uniform Resource Identifier (URI) they used, and the different services they accessed.
Accounting data may be used to analyze user trends, audit user activity, and produce more accurate billing, all drawn from the information collected during the user’s session. For example, if the system charges users by the hour, the time logs generated by the accounting system report how long the user was logged in, and the user is charged accordingly.
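The three steps described above, worked through in one place, as an added example (not Fortinet's code and not code from the page): a hypothetical in-memory AAA server that authenticates against a salted PBKDF2 credential store with a constant-time comparison, authorizes against a per-user privilege set that an administrator can widen (the VPN-password case), and keeps per-session accounting records (IP address, services used, bytes, duration) from which billing by started hour is computed. The class and function names, the user `alice`, the privilege strings, the IP address and the timestamps are all constructed for the example.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, Optional

PBKDF2_ROUNDS = 100_000  # constructed setting; tune to your hardware


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so a stolen credential DB is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class SessionRecord:
    """One accounting record: who, from where, for how long, and what they used."""
    user: str
    ip: str
    start: datetime
    stop: Optional[datetime] = None
    bytes_in: int = 0
    bytes_out: int = 0
    services: list = field(default_factory=list)


class AAAServer:
    """Hypothetical in-memory AAA server: credential DB, privilege DB, accounting log."""

    def __init__(self) -> None:
        self._creds: dict = {}      # user -> (salt, pbkdf2 hash)
        self._perms: dict = {}      # user -> set of granted privileges
        self.records: list = []     # accounting log, one entry per session
        self._sessions: dict = {}   # open sessions by session id

    # --- provisioning (administrator actions) ---
    def add_user(self, user: str, password: str, perms: Iterable[str] = ()) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, _derive(password, salt))
        self._perms[user] = set(perms)

    def grant(self, user: str, privilege: str) -> None:
        """Administrator widens a user's authorization (the VPN example in the text)."""
        self._perms.setdefault(user, set()).add(privilege)

    # --- authentication: "are you who you claim to be?" ---
    def authenticate(self, user: str, password: str) -> bool:
        entry = self._creds.get(user)
        if entry is None:
            _derive(password, b"\x00" * 16)  # spend the same time for unknown users
            return False
        salt, stored = entry
        return hmac.compare_digest(_derive(password, salt), stored)

    # --- authorization: "what are you allowed to do?" ---
    def authorize(self, user: str, privilege: str) -> bool:
        return privilege in self._perms.get(user, set())

    # --- accounting: "what did you do, and for how long?" ---
    def start_session(self, user: str, ip: str, at: datetime) -> str:
        sid = os.urandom(8).hex()
        rec = SessionRecord(user=user, ip=ip, start=at)
        self._sessions[sid] = rec
        self.records.append(rec)
        return sid

    def record_service(self, sid: str, service: str) -> None:
        self._sessions[sid].services.append(service)

    def stop_session(self, sid: str, at: datetime, bytes_in: int, bytes_out: int) -> None:
        rec = self._sessions.pop(sid)
        rec.stop, rec.bytes_in, rec.bytes_out = at, bytes_in, bytes_out

    def billable_hours(self, user: str) -> int:
        """Charge per started hour over all closed sessions (the hourly-billing case)."""
        total = 0
        for rec in self.records:
            if rec.user == user and rec.stop is not None:
                total += math.ceil((rec.stop - rec.start).total_seconds() / 3600)
        return total


def demo() -> dict:
    """Run the three steps for a constructed user and return the observable results."""
    aaa = AAAServer()
    aaa.add_user("alice", "correct horse battery staple", {"vpn.connect"})
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 1, 1, 10, 30, tzinfo=timezone.utc)   # 90-minute session
    out = {
        "login_ok": aaa.authenticate("alice", "correct horse battery staple"),
        "login_bad": aaa.authenticate("alice", "wrong"),
        "vpn_before": aaa.authorize("alice", "vpn.reset_passwords"),
    }
    aaa.grant("alice", "vpn.reset_passwords")               # administrator widens access
    out["vpn_after"] = aaa.authorize("alice", "vpn.reset_passwords")
    sid = aaa.start_session("alice", "192.0.2.10", t0)
    aaa.record_service(sid, "https://intranet.example/")
    aaa.stop_session(sid, t1, bytes_in=1_024, bytes_out=4_096)
    out["hours"] = aaa.billable_hours("alice")             # 90 minutes -> 2 started hours
    out["ip"] = aaa.records[0].ip
    return out


if __name__ == "__main__":
    print(demo())
```

The accounting record is appended when the session starts, not when it ends, so a session that is never closed still shows up in an audit; the billing function simply skips records without a stop time.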
Why Is the AAA Framework Important in Network Security?
AAA is a crucial part of network security because it limits who has access to a system and keeps track of what they do. Bad actors can be kept out, and a presumably legitimate user who abuses their privileges leaves an activity trail that gives administrators valuable intelligence.
There are two main types of AAA for networking: network access and device administration.
Network access involves blocking, granting, or limiting access based on the credentials of a user. AAA verifies the identity of a device or user by comparing the information presented or entered against a database of approved credentials. If the information matches, access to the network is granted.
Device administration involves the control of access to sessions, network device consoles, secure shell (SSH), and more. This type of access is different from network access because it does not limit who is allowed into the network but rather which devices they can have access to.
Types of AAA Protocols
There are several protocols that incorporate the elements of AAA to ensure identity security.
Remote Authentication Dial-In User Service (RADIUS)
RADIUS is a networking protocol that performs AAA functions for users on a remote network using a client/server model. RADIUS simultaneously provides authentication and authorization to users trying to access the network. RADIUS also takes all AAA data packets and encrypts them, providing an extra level of security.
RADIUS works in three phases: the user sends a request to a network access server (NAS); the NAS forwards an access request to the RADIUS server; and the RADIUS server responds by accepting the request, rejecting it, or challenging it with a demand for more information.
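The NAS-to-server exchange above, as an added example that is not Fortinet's code and not code from the page: the NAS builds an Access-Request carrying User-Name and a User-Password hidden as RFC 2865 §5.2 specifies (each 16-byte chunk XORed with MD5 of the shared secret and the previous chunk, seeded by the random Request Authenticator); the server reveals the password, decides, and returns an Access-Accept or Access-Reject whose Response Authenticator is MD5 over the reply header, the Request Authenticator, the attributes and the secret; the NAS then checks that authenticator before trusting the answer. The Access-Challenge branch is not modelled. The shared secret, the user table and the credentials are constructed. Note that this per-attribute hiding is the only protection classic RADIUS over UDP applies; other attributes travel as sent, which is why RADIUS over TLS or IPsec is used where the transport is not trusted.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# RFC 2865 packet codes and attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18
HEADER = struct.Struct("!BBH")  # code, identifier, length; followed by a 16-byte authenticator


def hide_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 §5.2: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    p = password.encode("utf-8")
    p += b"\x00" * (-len(p) % 16)            # pad to a multiple of 16 bytes
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> str:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8")


def encode_attrs(attrs: list) -> bytes:
    """Attribute = type(1) length(1, includes these two bytes) value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + 16 + len(body)) + authenticator + body


def response_authenticator(code: int, ident: int, body: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 §3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + 16 + len(body)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + body + secret).digest()


# --- NAS side, phase 2: forward the user's credentials to the RADIUS server ---
def nas_access_request(ident: int, user: str, password: str, secret: bytes) -> bytes:
    request_auth = os.urandom(16)  # fresh, unpredictable Request Authenticator
    body = encode_attrs([(USER_NAME, user.encode("utf-8")),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return build_packet(ACCESS_REQUEST, ident, request_auth, body)


# --- server side, phase 3: accept or reject (the constructed user table holds plaintext
#     for brevity; a real server verifies against a hashed store) ---
def radius_server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    code, ident, length = HEADER.unpack_from(packet)
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    try:
        password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    except (KeyError, UnicodeDecodeError):
        password = None  # missing attribute, or the NAS used a different shared secret
    expected = users.get(user)
    ok = (code == ACCESS_REQUEST and password is not None and expected is not None
          and hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(REPLY_MESSAGE, b"Welcome" if ok else b"Access denied")])
    auth = response_authenticator(reply_code, ident, body, request_auth, secret)
    return build_packet(reply_code, ident, auth, body)


# --- NAS side: only trust a reply whose authenticator proves knowledge of the secret ---
def nas_verify_reply(reply: bytes, request: bytes, secret: bytes) -> Optional[int]:
    code, ident, length = HEADER.unpack_from(reply)
    if ident != request[1]:
        return None  # reply does not match our outstanding request
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {"alice": "correct horse"}
    req = nas_access_request(7, "alice", "correct horse", secret)
    print(nas_verify_reply(radius_server_handle(req, secret, users), req, secret))
```

`nas_verify_reply` returns `None` rather than treating an unverifiable packet as a rejection, because a reply that fails the authenticator check tells the NAS nothing about the user; it tells it that the reply did not come from a party holding the shared secret.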
The Diameter protocol is a AAA protocol that works with Long-Term Evolution (LTE) and multimedia networks. Diameter is an evolution of RADIUS, which has long been used for telecommunications. However, Diameter is custom-designed to optimize LTE connections and other kinds of mobile networks.
Terminal Access Controller Access-Control System Plus (TACACS+)
Similar to RADIUS, TACACS+ uses the client/server model to connect users. However, TACACS+ enables more control regarding the ways in which commands get authorized. TACACS+ works by providing a secret key known by the client and the TACACS+ system. When a valid key is presented, the connection is allowed to proceed.
TACACS+ separates the authentication and authorization processes, and this differentiates it from RADIUS, which combines them. Also, TACACS+, like RADIUS, encrypts its AAA packets.
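The two TACACS+ properties described here, the shared-key protection of the packet body and the separate, per-command authorization step, as an added example that is not Fortinet's code and not code from the page. The body obfuscation follows RFC 8907 §4.5: a pseudo-pad is built by chaining MD5 over the session id, the shared key, the version and the sequence number, and the body is XORed with it. The network device then sends an authorization REQUEST (RFC 8907 §6.1) for one shell command, and the server decides it against a per-user command policy and answers with a REPLY (§6.2). The key, the session id, the user, the policy and the command strings are constructed for the example.

```python
import hashlib
import struct

# RFC 8907 header: version, type, seq_no, flags, session_id, body length (12 bytes)
HEADER = struct.Struct("!BBBBII")
VERSION = 0xC0                  # major version 0xC, minor version 0
TYPE_AUTHOR = 0x02              # authorization packet type
AUTHEN_METHOD_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_FAIL = 0x01, 0x10


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 §4.5: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def _frame(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    enc = obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(enc)) + enc


# --- client (network device) side: ask whether `user` may run a command (seq_no 1) ---
def build_author_request(session_id: int, key: bytes, user: str, args: list,
                         priv_lvl: int = 1, port: str = "tty0", rem_addr: str = "192.0.2.10") -> bytes:
    """RFC 8907 §6.1 REQUEST body: fixed fields, one length byte per arg, then the strings."""
    u, p, r = user.encode("utf-8"), port.encode("utf-8"), rem_addr.encode("utf-8")
    a = [x.encode("utf-8") for x in args]
    body = bytes([AUTHEN_METHOD_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                  len(u), len(p), len(r), len(a)])
    body += bytes(len(x) for x in a) + u + p + r + b"".join(a)
    return _frame(TYPE_AUTHOR, 1, session_id, key, body)


def parse_author_request(packet: bytes, key: bytes) -> tuple:
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    if version != VERSION or ptype != TYPE_AUTHOR or len(packet) != HEADER.size + length:
        raise ValueError("not a well-formed authorization request")
    body = obfuscate(packet[HEADER.size:], session_id, key, version, seq_no)
    _method, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = body[:8]
    arg_lens = body[8:8 + argc]
    off = 8 + argc
    user = body[off:off + ulen].decode("utf-8")
    off += ulen + plen + rlen            # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("utf-8"))
        off += n
    return user, priv_lvl, args


# --- server side: per-command policy, decided independently of how the user logged in ---
def authorize_command(user: str, args: list, policy: dict) -> int:
    kv = dict(a.split("=", 1) for a in args if "=" in a)
    if kv.get("service") != "shell" or "cmd" not in kv:
        return AUTHOR_STATUS_FAIL
    return AUTHOR_STATUS_PASS_ADD if kv["cmd"] in policy.get(user, set()) else AUTHOR_STATUS_FAIL


def build_author_reply(session_id: int, key: bytes, status: int, server_msg: str = "") -> bytes:
    """RFC 8907 §6.2 REPLY body: status, arg_cnt, server_msg_len, data_len, then strings (seq_no 2)."""
    msg = server_msg.encode("utf-8")
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    return _frame(TYPE_AUTHOR, 2, session_id, key, body)


def parse_author_reply(packet: bytes, key: bytes) -> int:
    version, _t, seq_no, _f, session_id, length = HEADER.unpack_from(packet)
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    return body[0]


if __name__ == "__main__":
    key, sid, policy = b"constructed-tacacs-key", 0x1234ABCD, {"alice": {"show"}}
    req = build_author_request(sid, key, "alice", ["service=shell", "cmd=show", "cmd-arg=running-config"])
    user, _priv, args = parse_author_request(req, key)
    print(parse_author_reply(build_author_reply(sid, key, authorize_command(user, args, policy)), key))
```

The server answers the authorization request without re-checking the password: authentication already happened in an earlier, separate exchange, which is the separation the text describes and what lets the policy be as fine-grained as individual commands.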
How Fortinet Can Help
In a zero-trust network access (ZTNA) system, all users and devices are distrusted by default and are not allowed to access the system until they have been both authenticated and authorized. This is often accomplished using two-factor authentication (2FA).
The Fortinet ZTNA framework utilizes AAA, as it applies stringent controls to identity and access management. Further, FortiAuthenticator uses AAA services to ensure that unauthorized users are restricted from accessing your network.