The AAA Model: Authentication, Authorization, & Access Control (AAA)

What is the AAA model?

The AAA model, which stands for Authentication, Authorization, and Accounting, is a three-pronged framework used to control access to network resources, enforce access policies, and monitor user activity within a network. 

This model is integral to robust network security playing a crucial role in determining who can access the network, what they can do within it, and carefully loggin these activities.

How does AAA work? 

The AAA model implements a systematic process to control and grant user access to a network. Let's delve deeper into its three components: 

  • Authentication: Authentication is the first step in the AAA model. This involves verifying the identity of a user or device trying to access a network resource. This process leverages various methods such as with username and passwords, digital certificates, biometrics, and smart cards.
  • Authorization: Once a user is authenticated, the next step is authorization. This process involves granting or denying access to specific network resources based on the authenticated identity. Essentially, it sets permissions and privileges associated with a user's identity or role. Authorization is crucial in maintaining a secure network by ensuring that users only access the resources they are permitted to use.
  • Accounting: The final step in the AAA model is accounting. This involves tracking and logging user activities within a network. The accounting function allows network administrators to keep an audit trail of users actions, which can be useful for troubleshooting, analyzing usage trends, and detecting unusual activity that might indicate a security breach.

What are some common AAA protocols? 

Some of the most common AAA protocols include: 

  • RADIUS (Remote Authentication Dial-In User Service): RADIUS is a widely used AAA protocol that centralizes network authentication through a dedicated authentication server. The functionality of RADIUS hinges on three key elements which include a supplicant (user device or application), authenticator (router, switch, WAP), and the authentication server (the RADIUS server itself).
  • TACACS (Terminal Access Controller Access Control System): TACACS is another protocol primarily used to manage access to network devices such as routers, switches, and firewalls. It separates the AAA functions,  providing more granular control and flexibility in network access management. While RADIUS is capable of managing network device access, TACACS provides more detailed accounting, with audit logs of all user-executed commands.

What is the role of AAA in zero trust architecture? 

The AAA model serves as a cornerstone in the establishment and functioning of a zero trust network.

AAA plays a critical role in implementing zero trust by ensuring that every access request is authenticated, authorized, and tracked. This continual verification process aligns with the zero trust principle, contributing to the maintenance of a secure network environment. The AAA model is consequently integral to implementing an effective zero trust architecture.