
AAA (Authentication, Authorisation, Audit) 🟢 Protection

The acronym AAA, for Authentication, Authorisation and Audit (in English: Authentication, Authorization, Accounting), is a security framework that controls access to IT resources, enforces security policies and audits how those resources are used.


🎯 What is AAA for?

AAA and its combined processes play a major role in network management and cybersecurity: they control which users are admitted and monitor their activity while they are connected.

The AAA framework, and the AAA security that results from it, covers several related concepts:

  • AAA framework (AAA Framework): the set of mechanisms and processes that implement the Authentication, Authorisation and Audit functions. It defines the architecture and components needed to control access to resources and ensure the traceability of actions.
  • AAA server (AAA Server): a dedicated server that centralises the AAA functions. As an identity and access management (IAM) component, an AAA server receives authentication requests, verifies credentials, authorises access according to defined policies and logs events for auditing purposes. RADIUS and TACACS+ are examples of protocols used by AAA servers.
  • AAA protocol (AAA Protocol): the communication protocol that transports authentication, authorisation and audit information between clients (for example, a router or Wi-Fi access point) and the AAA server. The most common examples are RADIUS, TACACS+ and Diameter.
  • AAA client (AAA Client): network equipment (router, switch, access point, etc.) or an application that sends authentication requests to the AAA server on behalf of the user.
  • AAA service (AAA Service): the overall service that provides the authentication, authorisation and audit functions. It encompasses the infrastructure, protocols and policies in place.

How it works

1. Authentication (Who are you?)

  • Definition: Authentication is the process of verifying the identity of a user, device or process attempting to access a system. It involves proving that the entity is who it claims to be.
  • How it works: authentication relies on one or more factors:
    • Password: secret information known to the user (knowledge factor).
    • Smart card, token, badge: physical object that the user possesses (possession factor).
    • Biometric data (fingerprint, facial recognition, retinal scan): physical characteristics unique to the user (inherence factor).
    • Multi-factor authentication (MFA): combination of at least two of these factors to strengthen security.

👉 Examples: entering a password to access an email account, using a code received by SMS in addition to the password (MFA), using a fingerprint to unlock a phone.


2. Authorisation (What are you allowed to do?)

  • Definition: authorisation determines the actions that an authenticated user is allowed to perform once logged on to the system. It defines permissions and restrictions on access to resources.
  • How it works: authorisation is based on policies and rules that define access rights according to the user's role, group membership or other attributes.

👉 Examples: a user with an "administrator" role will have full access rights to the system, while a user with a "guest" role will have limited rights. Read-only access to a file, but no write access.


3. Audit (Who did what?)

  • Definition: Audit consists of recording and monitoring the activities of users and systems. It enables a record to be kept of events, accesses, modifications and actions carried out.
  • How it works: auditing is based on the collection of logs (event logs) that record the relevant information. These logs can be analysed to detect anomalies, intrusions or suspicious behaviour.

👉 Examples: logging user connections and disconnections, recording changes made to files, monitoring access to databases.
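To tie the three steps together, here is an added example (written for this page, not code from the glossary or from any AAA product) that authenticates with two factors, authorises against a role policy matching the administrator/guest examples above, writes every decision to an audit log, and then mines that log for repeated authentication failures. The user store, one-time codes, roles and paths are all constructed values.

```python
import hashlib
import hmac
from datetime import datetime, timezone

def _hash(salt: str, password: str) -> str:
    # Slow salted hash for the knowledge factor (PBKDF2, 100k iterations).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

# Constructed user store: password hash (knowledge factor), a fixed one-time code
# standing in for a token or SMS code (possession factor), and the user's role.
USERS = {
    "alice": {"salt": "n1", "pw_hash": _hash("n1", "correct horse"), "otp": "482913", "role": "administrator"},
    "bob":   {"salt": "n2", "pw_hash": _hash("n2", "guest-pass"),    "otp": "117204", "role": "guest"},
}
# Authorisation policy: actions permitted per role (administrator: full rights, guest: read-only).
POLICY = {"administrator": {"read", "write", "delete"}, "guest": {"read"}}
AUDIT_LOG: list[dict] = []   # every authentication and authorisation decision lands here

def audit(event: str, user: str, **details) -> dict:
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, "user": user, **details}
    AUDIT_LOG.append(record)
    return record

def authenticate(user: str, password: str, otp: str) -> bool:
    """Who are you? Both factors must match; success and failure are both audited."""
    entry = USERS.get(user)
    ok = False
    if entry is not None:
        presented = _hash(entry["salt"], password)
        ok = hmac.compare_digest(entry["pw_hash"], presented) and hmac.compare_digest(entry["otp"], otp)
    audit("auth", user, result="success" if ok else "failure")
    return ok

def authorize(user: str, action: str, resource: str) -> bool:
    """What are you allowed to do? Decided from the stored role, never from the request."""
    role = USERS.get(user, {}).get("role")
    allowed = action in POLICY.get(role, set())
    audit("authz", user, action=action, resource=resource, result="allowed" if allowed else "denied")
    return allowed

def failed_logins(log: list[dict], threshold: int = 3) -> dict:
    """Who did what? Flags accounts with repeated authentication failures in the audit log."""
    counts: dict[str, int] = {}
    for r in log:
        if r["event"] == "auth" and r["result"] == "failure":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    authenticate("alice", "correct horse", "482913")   # success
    authorize("alice", "write", "/srv/config.yaml")    # allowed (administrator)
    authorize("bob", "write", "/srv/config.yaml")      # denied (guest is read-only)
    for _ in range(3):
        authenticate("mallory", "guess", "000000")     # unknown user, three failures
    print(failed_logins(AUDIT_LOG))                     # {'mallory': 3}
```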


Advantages of the AAA framework

  • Enhanced security: combining authentication, authorisation and audit gives more robust access control and better traceability of actions.
  • Centralised access management: makes it easier to administer access rights and enforce security policies.
  • Increased accountability: the audit trail identifies who performed each action and makes users accountable for them.
  • Intrusion detection: analysis of audit logs can reveal intrusion attempts or malicious activity.
  • Regulatory compliance: numerous regulations (GDPR, HIPAA, etc.) require authentication, authorisation and audit mechanisms to be put in place.

📝 AAA protocols

There are several AAA protocols used in computer networks to implement Authentication, Authorisation and Audit functions. Here are the main types:

1. RADIUS (Remote Authentication Dial-In User Service)

  • Description: RADIUS is a standardised and widely used client/server protocol for authenticating and authorising access to networks. It is often used for remote access (VPN, Wi-Fi, etc.).
  • How it works: a RADIUS client (generally a network device such as a router or Wi-Fi access point) transmits the user's authentication information to a RADIUS server. The server checks the information and returns a response authorising or refusing access. RADIUS uses UDP as its transport protocol.

Benefits: open standard, widely supported, scalable.

Disadvantages: less secure than TACACS+, because it encrypts only the password and not the entire communication.
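As an added illustration of the "password only" point above (example code written for this page, not taken from the glossary or from any RADIUS implementation), this Python reproduces the RFC 2865 User-Password hiding and assembles the User-Name and User-Password attributes of an Access-Request, so you can see that only the second one is protected. The shared secret, user name and password are constructed values.

```python
import hashlib
import os

# RFC 2865 attribute types used below (real values); everything else here is constructed.
USER_NAME, USER_PASSWORD = 1, 2

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide the User-Password attribute as RFC 2865 section 5.2 prescribes:
    pad to 16-byte blocks, then XOR each block with MD5(secret + previous block),
    seeded with the 16-byte Request Authenticator of the packet."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden += block
        prev = block          # chaining: the next key block depends on this hidden block
    return bytes(hidden)

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it with the same secret."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")   # drop the NUL padding

def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    return bytes([attr_type, 2 + len(value)]) + value

def access_request_attrs(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Attributes of an Access-Request: User-Name travels in clear, only User-Password is hidden."""
    return attribute(USER_NAME, username) + attribute(USER_PASSWORD, hide_user_password(password, secret, authenticator))

if __name__ == "__main__":
    secret = b"shared-secret-example"     # constructed client/server shared secret
    authenticator = os.urandom(16)         # Request Authenticator: fresh random value per request
    attrs = access_request_attrs(b"alice", b"correct horse battery", secret, authenticator)
    print(b"alice" in attrs, b"correct horse battery" in attrs)   # True False
```

The hiding is an MD5-keyed XOR whose strength rests entirely on the shared secret, which is why deployments that must protect the whole exchange run RADIUS over IPsec or RadSec (RADIUS over TLS, RFC 6614).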


2. TACACS+ (Terminal Access Controller Access-Control System Plus)

  • Description: TACACS+ is a Cisco proprietary protocol, but it has become a de facto standard. It offers greater security and flexibility than RADIUS.
  • How it works: TACACS+ separates the authentication, authorisation and audit functions, enabling finer-grained access management. It uses TCP as the transport protocol and encrypts the entire communication.

Benefits: more secure than RADIUS (the entire communication is encrypted); more flexible for managing authorisations.

Disadvantages: historically proprietary to Cisco, although open source implementations do exist.


RADIUS vs. TACACS+

| Feature            | RADIUS                                        | TACACS+                                                 |
|--------------------|-----------------------------------------------|---------------------------------------------------------|
| Transport protocol | UDP                                           | TCP                                                     |
| Encryption         | Password only                                 | Entire communication                                    |
| AAA functions      | Combined                                      | Separate                                                |
| Support            | Open standard, wide support                   | Mainly Cisco, but open source implementations exist     |
| Typical use        | Network access (VPN, Wi-Fi), Internet access  | Administration of network equipment (routers, switches) |

3. Diameter

  • Description: Diameter is a more recent AAA protocol, designed to replace RADIUS. It offers more advanced features, particularly in terms of reliability, security and extensibility.
  • How it works: Diameter uses TCP and offers more robust transport mechanisms than RADIUS. It also supports advanced features such as session management and real-time accounting.

Benefits: more powerful and reliable than RADIUS; supports advanced functions.

Disadvantages: more complex to implement than RADIUS.


Other AAA-related protocols and technologies

  • Kerberos: network authentication protocol that uses "tickets" to authenticate users and services. It is often used in Microsoft Active Directory.
  • LDAP (Lightweight Directory Access Protocol): directory protocol that provides access to directory services for authentication and authorisation.
  • SAML (Security Assertion Markup Language): open standard for exchanging authentication and authorisation data between different security domains. Used for Single Sign-On (SSO).
  • OAuth (Open Authorization) and OpenID Connect (OIDC): modern authorisation and authentication frameworks used to delegate access to resources without sharing credentials. Commonly used for web and mobile applications.


Choice of protocol

The choice of AAA protocol depends on the specific needs of the organisation:

  • RADIUS: a simple, widely compatible solution for basic network access.
  • TACACS+: a more secure and flexible solution for managing network equipment.
  • Diameter: a high-performance, scalable solution for complex environments.