AAA Framework Overview

Jul 23, 2025

Overview

This lecture explains the AAA framework—Authentication, Authorization, and Accounting—detailing how user and device access to IT systems is identified, verified, controlled, and recorded, including practical approaches for scaling authorization across large organizations.

The AAA Framework

  • AAA stands for Authentication, Authorization, and Accounting.
  • Identification is the process where a user claims an identity, typically using a username.
  • Authentication verifies the user's identity by checking passwords or other authentication factors.
  • Authorization determines what resources or actions the authenticated user can access.
  • Accounting logs activities like login time, data transferred, and logout time.

Practical Example: VPN Access

  • Users connect to a VPN concentrator and provide a username and password to request access.
  • The VPN concentrator holds no credential database of its own; it forwards the login to a central AAA server for validation.
  • If the credentials match the AAA server's database, the server reports the successful authentication back to the concentrator, which then grants the user access to the VPN.

Device Authentication Using Certificates

  • Devices may use digital certificates for authentication instead of passwords.
  • Certificates are created and digitally signed by a Certificate Authority (CA) that the organization trusts.
  • The CA issues a device-specific certificate, confirming the device is company-approved.
  • During login, the authenticating system checks the certificate's signature against the CA's trusted root certificate; the device must also prove it holds the matching private key, since the certificate itself is public and could otherwise simply be copied.

Scalable Authorization Models

  • Authorization models assign access rights in ways that scale across many users and resources.
  • Without a model, rights are manually assigned, which is unmanageable in large organizations.
  • Authorization models use groups or roles (e.g., "shipping and receiving") to streamline permissions.
  • Users are assigned to groups, which are mapped to required resources, enabling easy management and scalability.
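The VPN exchange and the group-based authorization model described above, as a single added example (not code from the original lecture): a small in-process AAA server that authenticates with salted PBKDF2 password hashes, authorizes through a users → groups → resources mapping, and appends every decision to an accounting log, plus a VPN concentrator that holds no credentials and delegates each login to it. The usernames, passwords, group names ("shipping-receiving", "finance", "vpn-users"), resource names and the iteration count are constructed for illustration; a real concentrator would reach the AAA server over RADIUS or TACACS+ rather than a Python call.

```python
"""Added example, not code from the original lecture: a minimal AAA flow
modelled on the VPN case, with group-based authorization. Every name below
(users, passwords, groups, resources) is constructed for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

# Authorization model: users -> groups -> resources. Adding a user to a group
# grants every resource mapped to that group; no per-user resource edits needed.
GROUP_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "shipping-receiving": {"inventory-db": {"read", "write"}, "label-printer": {"print"}},
    "finance": {"inventory-db": {"read"}, "ledger": {"read", "write"}},
    "vpn-users": {"vpn": {"connect"}},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2 digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    groups: List[str] = field(default_factory=list)


class AAAServer:
    """Central server: authenticates, authorizes, and keeps the accounting log."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}
        self.accounting_log: List[dict] = []
        # Dummy credential so unknown usernames cost the same time as real ones.
        self._dummy_salt, self._dummy_hash = hash_password(os.urandom(8).hex())

    def add_user(self, username: str, password: str, groups: List[str]) -> None:
        salt, digest = hash_password(password)
        self.users[username] = UserRecord(salt, digest, list(groups))

    # Authentication: does the claimed identity hold the secret?
    def authenticate(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        salt = record.salt if record else self._dummy_salt
        expected = record.password_hash if record else self._dummy_hash
        _, candidate = hash_password(password, salt)
        # Constant-time compare; the result is forced to False for unknown users.
        return hmac.compare_digest(candidate, expected) and record is not None

    # Authorization: may this user perform `action` on `resource` via any group?
    def authorize(self, username: str, resource: str, action: str) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        return any(action in GROUP_PERMISSIONS.get(g, {}).get(resource, set())
                   for g in record.groups)

    # Accounting: record what happened, for audit and billing.
    def account(self, username: str, event: str, **details) -> None:
        self.accounting_log.append(
            {"time": time.time(), "user": username, "event": event, **details})


class VPNConcentrator:
    """Holds no credentials; every decision is delegated to the AAA server."""

    def __init__(self, aaa: AAAServer) -> None:
        self.aaa = aaa

    def connect(self, username: str, password: str) -> bool:
        if not self.aaa.authenticate(username, password):
            self.aaa.account(username, "vpn-login-failed")
            return False
        if not self.aaa.authorize(username, "vpn", "connect"):
            self.aaa.account(username, "vpn-login-denied", reason="not in vpn-users")
            return False
        self.aaa.account(username, "vpn-login")
        return True


def build_demo_server() -> AAAServer:
    """Constructed sample directory: three users in different groups."""
    srv = AAAServer()
    srv.add_user("alice", "correct horse battery staple", ["shipping-receiving", "vpn-users"])
    srv.add_user("bob", "ledger-pa55word", ["finance", "vpn-users"])
    srv.add_user("carol", "onsite-only", ["finance"])  # no VPN group: on-site staff
    return srv


if __name__ == "__main__":
    srv = build_demo_server()
    vpn = VPNConcentrator(srv)
    print("alice connects:", vpn.connect("alice", "correct horse battery staple"))
    print("carol connects:", vpn.connect("carol", "onsite-only"))
    print("bob writes inventory:", srv.authorize("bob", "inventory-db", "write"))
    print("accounting:", [e["event"] for e in srv.accounting_log])
```

Note the separation the lecture describes: carol authenticates successfully but is denied the VPN because she is not in the "vpn-users" group, and the accounting log records the denial as a distinct event from a bad password. To give a new warehouse hire inventory access you add them to "shipping-receiving"; nothing about the resources themselves changes.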

Key Terms & Definitions

  • Authentication — Proving user or device identity, usually via a secret (password) or digital certificate.
  • Authorization — Granting permission to access specific resources or perform actions.
  • Accounting — Tracking and recording user activities for security and auditing.
  • Certificate Authority (CA) — Entity that issues and digitally signs certificates for devices or users; relying systems verify a presented certificate by checking its signature against the CA's trusted root certificate.
  • Abstraction (in Authorization) — Separating users from direct resource mapping to enable scalable access control using groups or roles.

Action Items / Next Steps

  • Review section 4.6 for a detailed list of authorization models.
  • Ensure understanding of how authentication and authorization models are set up in your environment.