Authentication, Authorization & Accounting (AAA)

Authentication, Authorization & Accounting (AAA)

Cisco ME 2600X Series Ethernet Access Switch Software Configuration Guide stated “AAA is an architectural framework for controlling a set of three independent security functions in a consistent manner.”, which indicates Authentication, Authorization & Accounting (AAA) combined together as an effective network and security management protocol. The 3 As in the AAA framework provide the following services:

Authentication: It is defined as a mechanism to identify the user as who they are or who they are claiming before granting access to resources (Computer, network, network services, devices, etc). There are a number of authentication types defined based on 3 categories:

  • Something you have (such as cell phone).
  • Something you are (such as fingerprint, iris recognition, face recognition).
  • Something you know (such as password).

Some of the authentication types are named below:

  • Static passwords -They do not change frequently unless it expires or the user changes it.
  • One-time-Passwords – They are used to confirm your personal credentials like ATM pin through email or SMS.
  • Digital Certificates – Such as X.509 to verify client and server identities and initiate secure SSL connections.
  • Biometrics Credential – Using Face Recognition, Fingerprints, etc to identify user identity.

Nowadays, we use Multi-factor Authentication (MFA) to make authentication mechanism more secure and difficult to break. To design an MFA method once can combine any of the 2 categories out of the 3 defined above to implement it efficiently. For example, using a Password with an OTP in order to login to your email is a more secure way of authentication rather than using just a password that can be guessed or stole by an attacker. MFA is also known as 2 Factor Authentication (2FA).

Authorization: It is defined as a process of providing access to resources based on the access rights of users. When the user has completed the authentication process successfully, it is then provided access to the right kind of sources or services he/she must have access to and restrict access to what he/she cannot have access to. For example, an employee who has newly join an organization, can authenticate himself into the company employee system but has access to only the required resources and will be denied access to other than them.

Authorization uses two important terminologies – SODs (Separation of Duties) and Least Privileges.

  • SODs – “The principle of separation of duties says that no user should have all the privileges necessary to complete a critical business function by themselves.” SODs were defined as an approach to reduce insider threats in an organization. This approach characterizes the fact that when a business-critical task is divided among multiple employees then the probability of risk and fraud minimizes since one employee will have all rights to implement it. Thus, it helps prevent fraud and abuse.
  • Least Privileges – It works on the principle of assigning the least number of access to a user to perform his/her actions. Any user should be given any additional access which is not required and perhaps can lead to cyber breaches. For example, If a user should have read-only access to a business-critical file but was anyhow granted write access as well and an attacker hacks his credentials and leverage the write access to enter malicious data into file which can further cause huge business losses.

Accounting: The Final ‘A’ of AAA has the purpose of sending and receiving critical server information like identity data usage, start and stop times. Moreover, used for auditing and reporting purposes. Accounting is used for logging information, tracking users, performing forensic investigation, detecting suspicious behavior, etc.

AAA’s functionality is utilized in Identity and Network Access Management. AAA uses protocols RADIUS ((Remote Authentication Dial-in User Service)) and TACACS+ (Terminal Access Controller Access-Control System) to authenticates the user to a network, that is from client to AAA server in a secure way.