AAA Protocol (Authentication, Authorization and Accounting) - NetwaxLab


Thursday, November 13, 2014

AAA Protocol (Authentication, Authorization and Accounting)

AAA stands for "Authentication, Authorization and Accounting". It is a framework for controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. Together these three processes are considered essential for effective network management and security.

Authentication :

  • Refers to confirmation that a user who is requesting a service is a valid user.
  • Accomplished via the presentation of an identity and credentials.
  • Examples of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

Authorization :

  • Refers to the granting of specific types of service (including "no service") to a user, based on the user's authenticated identity, the services being requested, and the current state of the system.
  • Accomplished by applying policy to the authenticated identity; the decision may also depend on restrictions such as time of day, physical location, or limits on concurrent logins.
  • Examples of what is authorized: an IP address or route assignment, packet filtering, QoS and bandwidth limits, a privilege level on a network device, or permission to run an individual command.

Accounting :

  • Refers to the tracking of the consumption of network resources by users.
  • Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.
  • May be used for management, planning, billing etc.

AAA Protocols:

  • Terminal Access Controller Access Control System (TACACS): the original TACACS (documented in RFC 1492) is a remote authentication protocol that lets a remote access server forward a user's credentials to a central authentication server, historically a UNIX host running the tacacsd daemon, which answers whether the user may access the network. It listens on port 49; RFC 1492 describes it over UDP, with TCP also permitted. It is obsolete and has been superseded by TACACS+, which is not backward compatible with it.
  • TACACS+: a Cisco-designed protocol (documented in RFC 8907) that provides access control for routers, network access servers and other networked devices through one or more centralized servers. It runs over TCP port 49 and keeps authentication, authorization and accounting as three separate services, which is what makes per-command authorization possible.

A typical deployment puts a TACACS+ server such as Cisco Secure ACS behind the network devices. The two flows look like this.

For a session request:
1. An administrator logs in to a network device.
2. The network device sends a TACACS+ authentication request to ACS.
3. ACS uses an identity store (its internal database, LDAP, Active Directory) to validate the user's credentials.
4. ACS sends a TACACS+ response to the network device that applies the decision. The response includes parameters, such as the privilege level, that determine the administrator's level of access for the duration of the session.

For command authorization:
1. An administrator issues a command on the network device.
2. The network device sends a TACACS+ authorization request to ACS carrying the command and its arguments.
3. ACS optionally uses an identity store to retrieve user attributes for inclusion in policy processing.
4. The TACACS+ response indicates whether the administrator is authorized to issue the command; the device executes it only on a permit.
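The following is an added example, not code from the original post or from Cisco: it builds the two TACACS+ packets behind the flows above, an Authentication START for the session request and an Authorization REQUEST for command authorization, and applies the body obfuscation the protocol uses (RFC 8907 section 4.5, an MD5 keystream derived from the shared secret, session id, version and sequence number). The shared secret, user name, port, remote address and command are constructed sample values; a real client would send the bytes over TCP port 49 and read the server's REPLY.

```python
"""Added example: TACACS+ Authentication START and Authorization REQUEST
packets with RFC 8907 body obfuscation.  All identities and the shared
secret below are constructed sample values."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0                      # major version 0xC, default minor 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR = 0x01, 0x02  # packet types
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")            # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_i = MD5(seed, MD5_{i-1});
    concatenated and truncated to n bytes (RFC 8907 section 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:n]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    """12-byte cleartext header followed by the obfuscated body."""
    hdr = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(pkt: bytes, key: bytes):
    """Return (type, seq_no, session_id, cleartext body); reject a length mismatch."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:]
    if len(body) != length:
        raise ValueError("TACACS+ body length does not match header")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START (RFC 8907 5.1): action LOGIN, type ASCII, service LOGIN, no data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", 0x01, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), 0)
    return fixed + u + p + r


def author_request_body(user: str, port: str, rem_addr: str, args: list, priv_lvl: int = 15) -> bytes:
    """Authorization REQUEST (RFC 8907 6.1): authen_method TACACSPLUS (0x06), then the
    per-argument lengths, the identity strings and the attribute=value arguments."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    if len(a) > 255 or any(len(x) > 255 for x in a):
        raise ValueError("argument count and lengths are single bytes")
    fixed = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def author_request_args(body: bytes) -> dict:
    """Server side: recover the argument list (mandatory 'attr=value' form only;
    optional arguments use '*' as the separator and are not split here)."""
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    lens = body[8:8 + arg_cnt]
    pos = 8 + arg_cnt + user_len + port_len + rem_len
    args = {}
    for n in lens:
        k, _, v = body[pos:pos + n].decode().partition("=")
        args.setdefault(k, []).append(v)
        pos += n
    return args


if __name__ == "__main__":
    KEY, SID = b"constructed-shared-secret", 0x1234ABCD   # constructed values
    start = build_packet(TAC_PLUS_AUTHEN, 1, SID, KEY,
                         authen_start_body("admin", "vty0", "192.0.2.10"))
    req = build_packet(TAC_PLUS_AUTHOR, 1, SID + 1, KEY,
                       author_request_body("admin", "vty0", "192.0.2.10",
                                           ["service=shell", "cmd=show",
                                            "cmd-arg=running-config", "cmd-arg=<cr>"]))
    print(start.hex())
    print(author_request_args(parse_packet(req, KEY)[3]))
```

The header, including the session id and sequence number, is always cleartext; only the body is XORed with the MD5 keystream, so a passive observer who knows or guesses the shared secret recovers everything. Note also that the keystream depends only on (session_id, key, version, seq_no), so two bodies sent with the same values would be XORed with the same pad; clients must choose session ids at random and never reuse a sequence number in a session.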
  • RADIUS: Remote Authentication Dial In User Service (RFC 2865, accounting in RFC 2866) is an AAA protocol for applications such as network access or IP mobility. A network access server (NAS) acts as the RADIUS client and forwards the user's credentials to the RADIUS server. We will see more about RADIUS in subsequent chapters.
NAS Architecture (figure)
  • DIAMETER: Diameter (RFC 6733) is the designated successor to RADIUS. It runs over TCP or SCTP (port 3868) rather than UDP, adds reliable transport, capability negotiation and application extensions, and uses a larger attribute space.
TACACS+ and RADIUS Protocol Comparison:

Transmission Protocol
  • TACACS+: TCP, a connection-oriented transport with reliable, full-duplex delivery.
  • RADIUS: UDP, a connectionless transport that exchanges datagrams without acknowledgments or guaranteed delivery; the RADIUS client must implement its own retransmission.

Ports Used
  • TACACS+: TCP 49.
  • RADIUS: Authentication and authorization on UDP 1812, accounting on UDP 1813 (the official IANA ports); many older deployments still use the legacy ports 1645 and 1646.

Encryption
  • TACACS+: The entire packet body is obfuscated with an MD5-derived keystream keyed by the shared secret; the 12-byte header (version, type, sequence number, session id, length) is cleartext.
  • RADIUS: Only the User-Password attribute is hidden (MD5-based XOR in 16-byte blocks, for passwords up to 128 bytes); the user name and every other attribute are sent in cleartext.
  • Caveat: neither mechanism is encryption in the modern sense, and both rely entirely on the strength and secrecy of the shared secret. Treat the management network as sensitive and, where supported, carry the traffic over TLS (RADIUS/TLS is defined in RFC 6614).

AAA Architecture
  • TACACS+: Separate control of each service: authentication, authorization, and accounting, which is what allows per-command authorization.
  • RADIUS: Authentication and authorization are combined in one exchange (Access-Request followed by Access-Accept or Access-Reject carrying the authorization attributes); accounting is a separate exchange.

Intended Purpose
  • TACACS+: Device administration (administrator logins and command authorization on routers and switches).
  • RADIUS: Network access control (users and devices connecting to the network).
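As an added example that is not part of the original post, the following code shows what the "Encryption" row actually means for RADIUS: the User-Password hiding of RFC 2865 section 5.2, an Access-Request built around it, and the parse and recovery a server performs. It goes slightly beyond the comparison above by hiding a password longer than 16 bytes, which takes two chained 16-byte blocks. The shared secret, user name, password and NAS address are constructed sample values.

```python
"""Added example: RFC 2865 User-Password hiding inside a RADIUS Access-Request.
The secret and identities below are constructed sample values."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """b1 = MD5(S + RA), c1 = p1 ^ b1; b_i = MD5(S + c_{i-1}), c_i = p_i ^ b_i.
    Processed in 16-byte blocks; RFC 2865 allows passwords of 1..128 octets."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: chain on the received ciphertext blocks, then strip NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        clear += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")   # padding is indistinguishable from trailing NULs


def attribute(atype: int, value: bytes) -> bytes:
    """RADIUS TLV; the length octet counts the 2-byte type/length header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(ident: int, secret: bytes, user: str, password: str, nas_ip: str,
                   authenticator: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) attributes..."""
    ra = authenticator or os.urandom(16)   # fresh random Request Authenticator per request
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_request(pkt: bytes):
    """Return (code, identifier, authenticator, {type: value}); reject malformed TLVs."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def recover_password(pkt: bytes, secret: bytes) -> bytes:
    """What the server, or anyone else holding the shared secret, gets back."""
    _, _, ra, attrs = parse_request(pkt)
    return unhide_password(attrs[USER_PASSWORD], secret, ra)


if __name__ == "__main__":
    SECRET = b"constructed-secret"   # constructed value
    pkt = access_request(7, SECRET, "alice", "correct horse battery", "192.0.2.1")
    print(pkt.hex())
    print(recover_password(pkt, SECRET))
```

Everything except the User-Password attribute, including the user name and the NAS address, is readable on the wire, and the hiding itself is only as strong as the shared secret: a captured Access-Request plus a guessed secret can be checked offline by running `recover_password` and looking for a plausible password.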


Usage of AAA servers in CDMA Networks:

AAA servers in CDMA data networks are the entities that provide the Internet Protocol (IP) side of authentication, authorization and accounting. The AAA server in the CDMA wireless data network architecture plays a role similar to that of the HLR (Home Location Register) in the CDMA wireless voice network architecture.
Types of AAA servers :
  • Access Network AAA (AN-AAA) – Communicates with the RNC in the Access Network (AN) to enable authentication and authorization functions to be performed at the AN. The interface between AN and AN-AAA is known as the A12 interface.
  • Broker AAA (B-AAA) – Acts as an intermediary to proxy AAA traffic between roaming partner networks (i.e., between the H-AAA server in the home network and V-AAA server in the serving network). B-AAA servers are used in CRX networks to enable CRX providers to offer billing settlement functions.
  • Home AAA (H-AAA) – The AAA server in the roamer's home network. The H-AAA is similar to the HLR in voice. The H-AAA stores user profile information, responds to authentication requests, and collects accounting information.
  • Visited AAA (V-AAA) – The AAA server in the visited network from which a roamer is receiving service. The V-AAA in the serving network communicates with the H-AAA in a roamer's home network. Authentication requests and accounting information are forwarded by the V-AAA to the H-AAA, either directly or through a B-AAA.
Current AAA servers communicate using the RADIUS protocol. As such, TIA specifications refer to AAA servers as RADIUS servers. However, future AAA servers are expected to use a successor protocol to RADIUS known as Diameter.
The behavior of AAA servers (radius servers) in the CDMA2000 wireless IP network is specified in TIA-835.

