📘 CCNA 200-301 v1.1
5.8 Compare authentication, authorization, and accounting concepts
Overview of AAA (Authentication, Authorization, and Accounting)
AAA is a security framework used in networking to control who can access network devices and resources, what they can do after accessing them, and to keep a record of everything they do.
In short:
- Authentication = Who are you?
- Authorization = What can you do?
- Accounting = What did you do?
AAA is used on devices like routers, switches, and firewalls to secure administrative access and user access. It can work with local databases or with external servers like RADIUS or TACACS+.
1. Authentication (Who are you?)
Authentication is the process of verifying the identity of a user or device before allowing access to the network or device.
Purpose:
To make sure that only authorized users or devices can log in or connect.
How it works:
- The user enters credentials, such as:
  - Username and password
  - Smart card or token
  - Digital certificate
- The system checks these credentials against a database (either locally on the device or on a remote server).
- If the credentials are correct → access is granted; if not → access is denied.
Example in a network device:
When a network administrator logs into a Cisco router, the router asks for:
Username: admin
Password: ********
The router checks these credentials using local authentication or through a AAA server.
Authentication methods in Cisco devices:
- Local authentication – usernames and passwords stored in the device configuration.
- Centralized authentication – uses an AAA server like RADIUS or TACACS+ to verify credentials.
2. Authorization (What can you do?)
Authorization decides what actions a user is allowed to perform after they have been authenticated.
Purpose:
To control user privileges and access levels after login.
How it works:
- After authentication, the device checks the authorization policies.
- These policies define what the user is allowed or not allowed to do.
Example:
- A network technician may be authorized to view configurations, but not to change them.
- A network administrator may have full privileges to configure and modify settings.
Types of authorization in networks:
- Command authorization – controls which commands a user can run.
- Service authorization – controls what network services a user can access (for example, SSH, Telnet, or VPN access).
How it’s configured:
Authorization can be done:
- Locally (using privilege levels on a Cisco device)
- Centrally (using a AAA server such as TACACS+ that defines user roles)
3. Accounting (What did you do?)
Accounting is the process of tracking and recording what a user does while connected to the network or device.
Purpose:
To keep logs for auditing, monitoring, and troubleshooting.
What it records:
- When the user logged in and logged out
- What commands they executed
- What resources or interfaces they accessed
- How much time or data they used (for network access sessions such as VPN or wireless)
Example:
When an administrator logs into a router and makes configuration changes, accounting can record:
User: admin
Login Time: 09:00
Command executed: interface g0/1
Command executed: shutdown
Logout Time: 09:10
This helps trace actions and detect unauthorized activities.
How AAA Works Together (AAA Process Flow)
Here’s how the three components work together in sequence:
- Authentication – The user tries to log in → device verifies identity.
- Authorization – Once verified → device checks what the user can do.
- Accounting – While user works → device records all actions.
Diagram (conceptually):
[User] → Authentication → Authorization → Accounting → [Logs]
AAA Implementation in Cisco Devices
Cisco devices use the AAA model to manage administrative access and network access control.
You can enable AAA using this command:
Router(config)# aaa new-model
This activates the AAA framework.
Then you can define:
- Authentication methods (local, RADIUS, TACACS+)
- Authorization methods
- Accounting methods
Example of local AAA configuration:
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# username admin secret Cisco123
This means:
- AAA is enabled.
- Login authentication uses the local database.
- The user “admin” is defined with a password; the secret keyword stores it as a hash rather than in clear text.
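A fuller configuration that ties all three components together, added here as an example (it is not from the original notes); the server name, the IP address 192.0.2.10 and every secret are placeholders:

```cisco
! Added example (not from the original notes): the three AAA functions on one
! Cisco IOS router, using a TACACS+ server for device administration with
! local fallback. Server name, IP address 192.0.2.10 and all secrets are
! placeholders, not values from any real deployment.
aaa new-model
!
! TACACS+ server and server group
tacacs server TACACS-1
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
aaa group server tacacs+ ADMIN-AAA
 server name TACACS-1
!
! Authentication (who are you?): ask the TACACS+ group first; "local" is
! used only when no server answers, not when a server rejects the login.
aaa authentication login default group ADMIN-AAA local
!
! Authorization (what can you do?): exec authorization sets the privilege
! level of the session; command authorization asks the server before each
! level-15 command is executed.
aaa authorization exec default group ADMIN-AAA local
aaa authorization commands 15 default group ADMIN-AAA local
!
! Accounting (what did you do?): start-stop records login and logout of the
! exec session and every level-15 command, as in the log example above.
aaa accounting exec default start-stop group ADMIN-AAA
aaa accounting commands 15 default start-stop group ADMIN-AAA
!
! Local fallback accounts. Privilege 15 can configure; privilege 1 (user
! EXEC) can run show commands but cannot enter configure terminal, which
! is the "view but not change" technician role described above.
username admin privilege 15 secret PLACEHOLDER-ADMIN-PASSWORD
username tech privilege 1 secret PLACEHOLDER-TECH-PASSWORD
!
! Apply the lists to the remote management lines and allow SSH only
! (Telnet would send the whole session, including credentials, in clear).
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
 transport input ssh
```

Because aaa new-model switches the console and vty lines to the default login list as soon as it is entered, create a working local user first and apply the change from a console session.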
AAA Protocols: RADIUS and TACACS+
Cisco devices can use AAA servers to centralize authentication, authorization, and accounting.
RADIUS (Remote Authentication Dial-In User Service)
- Uses UDP (ports 1812, 1813)
- Combines authentication and authorization together.
- Encrypts only the password field; the username and other attributes travel in clear text.
- Commonly used for network access control (e.g., VPN, wireless clients).
- Open standard supported by many vendors.
TACACS+ (Terminal Access Controller Access Control System Plus)
- Uses TCP (port 49)
- Separates authentication, authorization, and accounting into independent functions — gives finer control (for example, per-command authorization).
- Encrypts the entire packet body, not just the password (more secure).
- Cisco proprietary (supported mainly on Cisco devices).
- Commonly used for device administration.
Comparison Table:
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Transport Protocol | UDP | TCP |
| Encryption | Only the password | Entire packet body |
| AAA Separation | Combined (Auth + Authz) | Fully separated |
| Usage | Network access (VPN, wireless) | Device admin access |
| Vendor | Open standard | Cisco proprietary |
Benefits of Using AAA
- Centralized control of user access.
- Better security through individual user accounts (no shared passwords).
- Auditing and accountability through logs.
- Scalability – one AAA server can serve many devices.
- Simplified management – one location to add, remove, or modify users.
Summary Table
| AAA Component | Function | Example in IT Environment |
|---|---|---|
| Authentication | Verifies who the user is | Logging into a router with a username and password |
| Authorization | Determines what the user can do | Allowing admin to configure but not technician |
| Accounting | Tracks what the user does | Logging all commands executed on the router |
✅ Exam Tip for CCNA:
You should be able to:
- Explain what each AAA component does.
- Identify differences between RADIUS and TACACS+.
- Understand how AAA is implemented in Cisco devices.
- Recognize the flow: Authentication → Authorization → Accounting.
