The acronym AAA stands for “Authentication, Authorization, and Accounting”. It defines an architecture which authenticates users, grants them authorization, and afterwards accounts for their activity. When AAA is not used, the architecture is described as “open”, where anyone can gain access and do anything, without any tracking.
The responsibilities of each component can be summarized as follows:
- Authentication: Is this a valid user for this system?
- Authorization: What permissions and access does this user have?
- Accounting: What did this user do on the system?
It is possible to incorporate only a portion of AAA in a system. For example, if a company is not concerned about billing users for their network usage, they may decide to both authenticate and authorize users, but ignore user activity and not bother with accounting. Similarly, a monitoring system will look for unusual user activity (accounting), but may cede the authentication and authorization decisions to another part of the network.
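The three questions above can be seen as three separate steps in one request path. The following Python sketch is an added example, not code from FreeRADIUS or any other AAA product; the class, user names, passwords, roles and actions are all constructed for illustration, and the `accounting_enabled` switch models the partial deployment described above.

```python
import hashlib, hmac, os, time

def _hash(password, salt):
    # Salted PBKDF2 so the sample store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AAAGate:
    def __init__(self, accounting_enabled=True):
        self.users = {}  # name -> (salt, password hash, role)
        self.policy = {"admin": {"read", "configure"}, "guest": {"read"}}
        self.accounting_enabled = accounting_enabled
        self.records = []

    def add_user(self, name, password, role):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt), role)

    def authenticate(self, name, password):
        # Authentication: is this a valid user for this system?
        salt, stored, _ = self.users.get(name, (b"\0" * 16, b"", None))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        return ok and name in self.users

    def authorize(self, name, action):
        # Authorization: what permissions and access does this user have?
        role = self.users[name][2]
        return action in self.policy.get(role, set())

    def account(self, name, action, outcome):
        # Accounting: what did this user do? Failures are recorded too.
        if self.accounting_enabled:
            self.records.append({"ts": time.time(), "user": name, "action": action, "outcome": outcome})

    def request(self, name, password, action):
        if not self.authenticate(name, password):
            outcome = "auth-failed"
        elif not self.authorize(name, action):
            outcome = "denied"
        else:
            outcome = "allowed"
        self.account(name, action, outcome)
        return outcome

def sample_gate(accounting_enabled=True):
    # Constructed sample accounts, for illustration only.
    gate = AAAGate(accounting_enabled)
    gate.add_user("alice", "correct horse", "admin")
    gate.add_user("bob", "battery staple", "guest")
    return gate
```

With `accounting_enabled=False` the gate still authenticates and authorizes every request, but `records` stays empty, so there is nothing for a monitoring system to review afterwards.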
What are the benefits of AAA?
AAA ensures the flexibility of network policies and gives administrators the ability to move systems.
AAA has been in common use since the early 1990s for medium to large networks. Generally speaking, small organizations can be managed without an AAA system, particularly where access to the network is largely constrained by physical access. The threshold for needing the flexibility and scalability that AAA provides is usually around 40-50 users.
What are some examples of AAA?
RADIUS is one of a number of Authentication, Authorization, and Accounting protocols. FreeRADIUS is an open source implementation of the RADIUS protocol and is the most popular RADIUS server in the world. Another example of an AAA protocol is Diameter.
Where is AAA used?
Today, the proliferation of mobile devices, diverse network consumers, and varied network access methods combine to create an environment that places greater demands on AAA. AAA has a part to play in almost all the ways we access a network: wireless hotspots use AAA for security; partitioned networks require AAA to enforce access; all forms of remote access use AAA to authorize remote users.