Authorization, Authentication, Accounting

RADIUS is one of a number of Authentication, Authorization, and Accounting (AAA) protocols. Other examples of AAA protocols include TACACS+ and Diameter.

AAA defines an architecture that authenticates and grants authorization to users and accounts for their activity. When AAA is not used, the network architecture is "open", where anyone can gain access and do anything, without any tracking. The open network architecture is commonly used in small businesses, where access to an office can be physically controlled. The open network architecture is poorly suited to ISPs, where access needs to be strictly controlled and accounted for.

It is possible to incorporate only a portion of AAA in a system. For example, if a company is not concerned about billing users for their network usage, they may decide to both authenticate and authorize users, but ignore user activity and not deal with accounting. Similarly, a monitoring system will look for unusual user activity (accounting), but may delegate the authentication and authorization decisions to another part of the network.

Without AAA, a network administrator would have to statically configure a network. Even in the earliest days of dialup access, network administrators found a static model inadequate. AAA ensures the flexibility of network policies. AAA also gives network administrators the ability to move systems; without AAA, they would have to clearly define connectivity options.

Today, the proliferation of mobile devices, diverse network consumers, and varied network access methods combine to create an environment that places greater demands on AAA. AAA has a part to play in almost all the ways we access a network: wireless hotspots use AAA for security; partitioned networks require AAA to enforce access; all forms of remote access use AAA to authorize remote users.

The following sections describe each part of the AAA solution, and how each one works.