🔐

AAA Framework and Authorization Overview

Feb 23, 2025

Understanding the AAA Framework and Authorization Models

The AAA Framework

  • Identification: User claims to be a particular identity by providing a username.
  • Authentication: Proves user identity using passwords and additional factors.
  • Authorization: Determines the resources a user can access.
  • Accounting: Logs user actions such as login time, data sent/received, and logout time.
  • Encompasses the entire security process on a system.

Practical Example: VPN Access

  • Client Login Process:
    • User on the internet accesses a VPN concentrator.
    • User provides a username and password.
    • Information is sent to a centralized AAA server.
  • AAA Server Role:
    • Verifies the username and password against its database.
    • Approves credentials and communicates the result back to the VPN concentrator.

Device Authentication

  • Challenge: Verifying if a computer should be authorized on a network.
  • Solution:
    • Use of certificates, which are digitally signed.
    • Certificate Authority (CA) manages certificates.
    • Certificates are used as authentication factors, verifying device legitimacy.

Certificate Authority (CA)

  • Role:
    • Manages and creates certificates for devices.
    • Ensures certificates are digitally signed and verifiable.
  • Structure:
    • CA has its own certificate signed by a root CA.
    • Device certificates are signed by the CA.

Authorization Models

  • Purpose: To scale user and resource access efficiently.
  • Implementation:
    • Uses roles, organizations, and attributes to define access rights.
    • Example: Shipping and receiving department requires multiple permissions.
  • Scalability Issue:
    • Manually setting rights and permissions is difficult for large organizations.

Role-Based Access Control (RBAC)

  • Process:
    • Create groups with predefined access rights.
    • Example: The shipping and receiving group has specific permissions.
  • Benefits:
    • Simplifies administration by grouping users with similar roles.
    • Supports large infrastructures with simple abstractions.
  • Example:
    • Add users to the shipping and receiving group to automatically grant necessary permissions.
    • Efficiently scales to tens or hundreds of resources and users.

Full transcript