AAA: Authentication, Authorization, Accounting (people & systems)

1.2 Summarize fundamental security concepts

📘CompTIA Security+ (SY0-701)

1. Understanding AAA is essential for the Security+ exam because almost every security system uses it, including VPNs, servers, network devices, applications, cloud services, and identity platforms.

What Is AAA?

AAA stands for Authentication, Authorization, and Accounting.

It is a security framework used in IT to:

  1. Verify identities
  2. Control access
  3. Track user activity

AAA ensures that only the right people or systems get access and that their actions can be traced.

Why Is AAA Important? (Purpose of AAA)

The main purposes of AAA are:

1. Control who can access systems

Organizations need to make sure only authorized users (employees, admins, devices) can log into networks, servers, cloud services, or applications.

2. Limit what users are allowed to do

Even if someone logs in successfully, they should only be allowed to perform tasks related to their job.

Example:
A help desk technician should not have the same permissions as a system administrator.

3. Track user activity

AAA helps organizations know:

  • Who logged in
  • When they logged in
  • What actions they performed
  • What systems they accessed

This is essential for:

  • Detecting attacks
  • Investigating incidents
  • Meeting compliance requirements

1. Authentication (Who are you?)

Definition

Authentication is the process of verifying the identity of a user, system, or device before allowing access.

This answers the question:
“Can you prove you are who you claim to be?”

How authentication works

When a person or device tries to access a system, it must provide credentials. If the credentials match what the system has stored, authentication is successful.

Types of Authentication Factors

Security+ requires knowing the three main factors:

  1. Something you know
    • Passwords
    • PINs
    • Security questions
  2. Something you have
    • Smart cards
    • One-time password tokens
    • Authentication apps (e.g., TOTP codes)
  3. Something you are (biometrics)
    • Fingerprint scans
    • Face recognition
    • Retina or iris scans

Multi-Factor Authentication (MFA) uses two or more different factors.
Example: Password (something you know) + mobile authenticator code (something you have)

Authentication in IT environments

  • Logging into Windows or Linux systems with username/password
  • VPN login using MFA
  • Wi-Fi access using enterprise authentication (RADIUS)
  • Cloud services (Microsoft 365, AWS, Google Workspace) requiring MFA

Common Authentication Protocols (Exam Content)

  • LDAP – Directory authentication for Active Directory
  • Kerberos – Secure ticket-based authentication used in AD
  • RADIUS – Central authentication for network devices and VPNs
  • TACACS+ – Used by network administrators for device access

2. Authorization (What are you allowed to do?)

Definition

Authorization defines what actions and resources a user or system is permitted to access after authentication.

This answers the question:
“Now that I know who you are, what can you do?”

How authorization works

Once authentication succeeds, the system checks what the user is allowed to access based on:

  • Roles
  • Policies
  • Permissions
  • Security groups

Types of access control models (Required for Security+)

  1. RBAC (Role-Based Access Control)
    • Permissions are assigned based on job roles.
    • Example: Help Desk role vs. System Administrator role.
  2. ABAC (Attribute-Based Access Control)
    • Uses attributes like user department, device type, location, or time.
  3. DAC (Discretionary Access Control)
    • The owner of data decides who else can access it.
  4. MAC (Mandatory Access Control)
    • Access is controlled by strict policies and labels (high security environments).

Authorization in IT environments

  • File server permissions: Some users can read files, others can modify or delete them.
  • Network device access: Network administrators may have full access while junior admins only have read-only access.
  • Database access: A developer may access a test database but not the production database.
  • Cloud access: A finance user can access billing data but not server configurations.

Authorization ensures least privilege, meaning users only get the minimum access required for their job.

3. Accounting (What did you do?)

Definition

Accounting tracks and records user actions and system activities for:

  • Security investigations
  • Compliance requirements
  • Auditing
  • Troubleshooting

This answers the question:
“What did the user or system do while they were logged in?”

What accounting typically includes

  • Logon and logoff times
  • Commands executed
  • Files accessed or changed
  • Remote login activity
  • Configuration changes on network devices
  • Data transferred over VPN sessions

Accounting in IT environments

  • Syslog servers storing logs from firewalls, switches, routers
  • Windows Event Logs tracking authentication and system activity
  • RADIUS accounting showing user VPN session details
  • SIEM systems collecting and analyzing logs for security alerts

Why accounting is important

  • Helps detect unauthorized access
  • Supports incident response
  • Provides evidence for audits or investigations
  • Ensures compliance with regulations (HIPAA, PCI-DSS, GDPR)

How AAA Works Together

The AAA process typically follows this order:

  1. Authentication
    The system checks who you are.
  2. Authorization
    The system checks what you are allowed to do.
  3. Accounting
    The system records what you did.

Example in an IT environment

A network administrator logs into a router:

  1. They authenticate with a username, password, and MFA.
  2. Their role is checked; they are authorized to change configurations.
  3. All changes they make are logged to a Syslog or SIEM system for accounting.

This combination ensures security, traceability, and control.

AAA and Centralized Access Control

Most organizations use centralized AAA systems for efficient management. Common systems include:

RADIUS

  • Used for Wi-Fi, VPNs, network devices
  • Handles authentication, authorization, and accounting
  • Supports centralized user authentication

TACACS+

  • Used mostly for managing administrator access to routers and switches
  • Separates authentication and authorization, giving more control
  • Encrypts the entire communication session

Both are important for the Security+ exam.

Key Points to Remember for Exam Success

Accounting logs are essential for incident response and compliance

Authentication = identity verification

Authorization = permission control

Accounting = activity tracking

AAA applies to people AND systems

MFA increases authentication strength

RADIUS and TACACS+ are key AAA protocols

Authorization typically uses RBAC, ABAC, MAC, DAC

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by