
What is AAA?

 
Here AAA stands for Authentication, Authorization, and Accounting.
 
AAA is a security framework that controls access to computer resources, enforces policies, and audits usage. The combined processes of the AAA framework play a major role in your network management and cybersecurity by screening users and keeping track of their activity while they are connected to your network.
 
Your whole Identity and Access Management (IAM) is the product of this framework.
 
 
 

1. Authentication

 
Authentication is about asking a user to provide information about 'who' they are. They have to present their login credentials to affirm they are who they claim to be. Then your AAA server (read: your IAM solution or server) matches their credentials against its database of stored credentials, comparing the username, password, and any MFA tokens with those stored for the specific user in question.
 
The three types of authentication factors are: something you know (e.g., a password), something you have (e.g., a USB key), and something you are (e.g., your fingerprint or other biometrics).
 

2. Authorization

 
Authorization cannot exist without authentication.
 
Authorization is about granting specific privileges to users, allowing them access to systems, networks or other digital resources. The areas and sets of permissions granted to a user are stored in a database along with the user's identity.
 
You can change a user's privileges, if you are an administrator.
 
Authorization is different from authentication in that authentication only checks a user’s identity, whereas authorization stipulates what that user is allowed to do.
 
For example, a member of your IT team may not have the privileges necessary to change the access passwords for your company-wide VPN. However, as the network administrator, you may choose to give that team member access privileges, enabling him to alter the VPN passwords of individual users. In this manner, that team member will be authorized to access an area he was previously barred from.
 

3. Accounting

 
Accounting is about keeping track of your users' activity while they are logged in to your network. It means you track information such as:
 
  • How long they were logged in
  • The data they sent or received
  • Their Internet Protocol (IP) address
  • URLs they used
  • Different services they accessed, etc.
 
Accounting is important for analyzing users' activity trends, auditing their activity, and so on, by leveraging the data collected during the user's access.
 
For the many subscription-based services that come with usage limits, accounting is a must; otherwise you won't be able to bill your users or customers properly. Online advertising on platforms such as Facebook, Google, LinkedIn etc. is an example of this sort of accounting.
 
Accounting is so critical that it also becomes the basis of network access monitoring. In this way, bad actors can be kept out, and a presumably good actor who abuses their privileges can have their activity tracked, which gives administrators valuable intelligence about what they did.
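As an added illustration of the accounting data listed above (session time, bytes sent and received) and of the usage-limit billing case, here is a small Python ledger that pairs Start/Stop accounting records per session, totals usage per user, checks it against a plan quota, and flags records that do not pair up. This is example code, not from the original post; the records, field layout and quota are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records (not real data), one per RADIUS-style Accounting-Request:
# (Acct-Status-Type, user, Acct-Session-Id, event time in s, bytes in, bytes out)
RECORDS = [
    ("Start", "alice", "s1", 1000, 0, 0),
    ("Start", "bob",   "s2", 1010, 0, 0),
    ("Stop",  "alice", "s1", 4600, 120_000_000, 3_000_000),    # 1 h, 123 MB
    ("Start", "alice", "s3", 5000, 0, 0),
    ("Stop",  "alice", "s3", 5300, 900_000_000, 50_000_000),   # 5 min, 950 MB
    ("Stop",  "carol", "s9", 6000, 10, 10),                    # Stop with no Start
]

def summarize(records):
    """Pair Start/Stop by session id; return per-user totals and a list of anomalies."""
    open_sessions = {}
    totals = defaultdict(lambda: {"seconds": 0, "bytes": 0, "sessions": 0})
    anomalies = []
    for status, user, sid, ts, b_in, b_out in records:
        if status == "Start":
            open_sessions[sid] = (user, ts)
        elif status == "Stop":
            if sid not in open_sessions:   # accounting gap: lost Start, or a spoofed record
                anomalies.append(f"{user}: Stop for unknown session {sid}")
                continue
            _, start = open_sessions.pop(sid)
            t = totals[user]
            t["seconds"] += ts - start
            t["bytes"] += b_in + b_out
            t["sessions"] += 1
    for sid, (user, ts) in open_sessions.items():   # still open: possible dangling session
        anomalies.append(f"{user}: session {sid} started at {ts} never stopped")
    return dict(totals), anomalies

def over_quota(totals, byte_limit):
    """Users whose billed traffic exceeds the plan limit (the usage-limit case in the text)."""
    return sorted(u for u, t in totals.items() if t["bytes"] > byte_limit)

if __name__ == "__main__":
    totals, anomalies = summarize(RECORDS)
    print(totals, anomalies, over_quota(totals, 1_000_000_000))
```

In a real deployment the Stop record's Acct-Session-Time and Acct-Input/Output-Octets would come from the NAS, and the unpaired sessions are exactly the records an auditor should follow up on.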
-

👉 Types of AAA Protocols

 
The following protocols incorporate the elements of AAA to ensure identity security:
 
1. Remote Authentication Dial-In User Service (RADIUS)
 
RADIUS is a networking protocol that performs AAA functions for users on a remote network using a client/server model. It provides authentication and authorization simultaneously to users who are trying to access your network. It takes all AAA data packets and encrypts them, providing an extra level of security.
 
RADIUS works in three phases:
 
  • The user sends a request to a Network Access Server (NAS)
  • The NAS then sends an access request to the RADIUS server
  • The RADIUS server then responds by either accepting the request, rejecting it, or challenging it by asking for more information
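The NAS-to-server part of that exchange, as an added example in Python that is not from the original post: a minimal NAS and RADIUS server that build an Access-Request, hide the User-Password as RFC 2865 specifies, answer with Accept or Reject, and let the NAS verify the Response Authenticator before trusting the verdict. The shared secret, user database and packet contents are constructed for the example.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                              # attribute types
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    # RFC 2865 s5.2: XOR each 16-byte block of the null-padded password with
    # MD5(secret + previous ciphertext block), seeded with the Request Authenticator
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out
def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")
def encode(code, ident, authenticator, attrs):   # 20-byte header + TLV attributes
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def nas_build_request(ident, username, password, secret):   # phase 2 in the text
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth))]
    return encode(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def radius_server(pkt, secret, users):   # phase 3: Accept or Reject
    code, ident, req_auth, attrs = decode(pkt)
    a = dict(attrs)
    ok = code == ACCESS_REQUEST and users.get(a.get(USER_NAME)) == reveal_password(
        a.get(USER_PASSWORD, b""), secret, req_auth)
    reply = encode(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return reply[:4] + hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest() + reply[20:]

def nas_check_response(resp, req_auth, secret):
    # The NAS recomputes the Response Authenticator before trusting the verdict
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[0] if hmac.compare_digest(expected, resp[4:20]) else None
```

Note for defenders: classic RADIUS hides only the User-Password attribute this way and sends the other attributes in cleartext, which is why RADIUS over TLS (RadSec, RFC 6614) is the recommended transport on untrusted paths.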
 
2. Diameter Protocol
 
Diameter is an AAA protocol that works with Long-Term Evolution (LTE) and multimedia networks. It is an evolution of RADIUS and is very well known in the telecom industry, which has been using it for a long time. Diameter is custom-designed to optimize LTE connections and other kinds of mobile networks.
 
3. Terminal Access Controller Access-Control System Plus (TACACS+)
 
Similar to RADIUS, TACACS+ uses the client/server model to connect users. However, TACACS+ enables more control regarding the ways in which commands get authorized.
 
TACACS+ works by providing a secret key known by the client and the TACACS+ system. When a valid key is presented, the connection is allowed to proceed.
 
TACACS+ separates the authentication and authorization processes, and this differentiates it from RADIUS, which combines them.
 
TACACS+ also encrypts its AAA packets.
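To make the shared-key and command-authorization points above concrete, here is an added Python example (not from the original post) of the TACACS+ body obfuscation defined in RFC 8907 section 4.5, where the key known to the client and the server seeds a chained-MD5 pad that is XORed over the packet body, followed by a per-role command check of the kind a TACACS+ server performs after authentication has already succeeded. The session id, key, role policy and the flattened "cmd\0arg" body layout are assumptions for the example; a real authorization body carries a list of attribute-value pairs.

```python
import hashlib, struct

TAC_PLUS_VERSION, CLIENT_SEQ = 0xC0, 1   # major 0xC, minor 0; first packet of a session

def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated, truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice with the same key restores it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

# Hypothetical per-role command policy (constructed for the example)
POLICY = {"netops": {"show"}, "admin": {"show", "configure", "reload"}}

def authorize(obf_body, session_id, key, version, seq_no, role):
    """Server side: strip the pad, read the command, decide from the role's policy.
    Simplified body layout: command, NUL, arguments (not the real AV-pair format)."""
    body = obfuscate(obf_body, session_id, key, version, seq_no)
    cmd = body.split(b"\x00")[0].decode(errors="replace")
    return cmd in POLICY.get(role, set())
```

Because the pad is only MD5 keyed by a static shared secret, RFC 8907 itself calls this obfuscation rather than encryption; treat the TACACS+ key like any other long-lived secret and keep the path to the server on a trusted management network or inside TLS.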
-
👉 Why is AAA so important?
 
You may not realize it, but the AAA framework also impacts your 'device administration'. Device administration involves the control of access to sessions, network device consoles, secure shell (SSH), and more.
 
This type of access is different from network access because it does not limit who is allowed into the network but rather 'which' devices they can have access to.
 
Most networking and IT people know about the AAA framework, but some of them fail to realize that the same framework becomes fundamental when they approach Zero Trust Network Access (ZTNA). In ZTNA, all of your users and devices are distrusted by default and not allowed to access your systems unless they prove their authentication and authorization rights.
 
As the basis of IAM and NAC, the AAA framework ensures that every unauthorized user is restricted from accessing your network.
-

👉👉 Importance of AAA to Network Access Control

 
AAA Framework is the cornerstone of Network Access Control (NAC).
 
NAC is also known as Network Admission Control. NAC is the process of RESTRICTING all unauthorized users and devices from gaining access to your corporate or private network. It ensures that only those users who are authenticated, and those devices that are authorized and compliant with your security policies can enter your network.
 

The people factor is covered well by the principles of the AAA framework. But what about devices?

 
BYOD and IoT devices have already increased the number of your endpoints considerably. These devices, along with other network devices, present you with a considerable challenge, because you will not have the resources to manually configure ALL the devices in use. That's why you need a NAC solution.
 
NAC solutions offer you more control over devices. The automated features of a NAC solution are a sizable benefit, reducing the time and cost of authenticating and authorizing your users and determining that their devices are compliant.
 
With more endpoints, your attack surface increases, which means more opportunities for threat actors to gain access to your network. You can configure your NAC solution to detect any unusual or suspicious network activity and respond with immediate action, such as isolating the device from the network to prevent the potential spread of the attack.
 
These solutions can UNCOVER previously unknown devices that may have gained access to SOME parts of the network. You will be able to adjust security policies accordingly.
-
👉 What Are the Advantages of Network Access Control?
  • Control the users entering the corporate network
  • Control access to the applications and resources users aim to access
  • Allow contractors, partners, and guests to enter the network as needed but restrict their access
  • Segment employees into groups based on their job function and build role-based access policies
  • Protect against cyberattacks by putting in place systems and controls that detect unusual or suspicious activity
  • Automate incident response
  • Generate reports and insights on attempted access across the organization
-
 
Kindly write 💚 your comments 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality articles/posts on cybersecurity.
 
You can also share with all of us if the information shared here helps you in some manner.
 
Life is short; make the most of it!
Also take care of yourself and your beloved ones…
 
With thanks,
Meena R.
___

This article was written and published by Meena R, Senior Manager - IT at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and social media platforms.

34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.

If you haven't yet come across her enthusiastic work of sharing quality information about cybersecurity, you can follow her on Facebook:

Click Here to follow her: Cybersecurity PRISM