
What is AAA (Authentication, Authorization & Accounting)?

written by Asterfusion

February 22, 2024

What is AAA?

AAA, which stands for Authentication, Authorization, and Accounting, serves as a vital management mechanism for network security.

  • Authentication confirms the identity of remote users accessing the network and verifies whether the visitor is a legitimate user of the network.
  • Authorization grants different permissions to individual users and restricts the services that each user can access.
  • Accounting records all operations performed by users while they use network services (the type of service used, start time, data traffic, and more) so that usage can be collected and recorded.

How does AAA work?

The AAA system uses a client/server structure, which is simple and flexible and allows user information to be managed centrally.

As illustrated in the diagram above, the fundamental implementation process of AAA is as follows:

  • Before a user can access the network, the user establishes a connection with the AAA client.
  • The AAA client transmits the user's authentication credentials to the AAA server.
  • The AAA server authenticates and authorizes the user based on those credentials, and returns the authentication and authorization results to the AAA client.
  • Based on the server's response, the AAA client decides whether to grant the user access.

The AAA client runs on a NAS (network access server), which can be a router, switch, or any other device that provides network access services. The AAA server comprises the authentication server, authorization server, and accounting server, and is responsible for the centralized management of user information. Depending on the communication protocol used, AAA servers are categorized as RADIUS servers, TACACS servers, and so on.

What are the AAA protocols?

RADIUS & FreeRADIUS

RADIUS (Remote Authentication Dial In User Service) is a distributed, client/server protocol for exchanging authentication information that protects the network from unauthorized access. It is used where a higher level of security is required while remote users still need access to a variety of network environments. RADIUS uses UDP (User Datagram Protocol) as its transport, which gives it good real-time behaviour; it also supports a retransmission mechanism and standby servers, which give it good reliability. Its implementation is relatively simple, and it suits a multi-threaded server design when there are large numbers of users.

The RADIUS protocol is divided into an authentication protocol and an accounting protocol, defined in IETF RFC 2865 and RFC 2866 respectively. Because the RADIUS protocol predates the AAA framework model, RADIUS does not separate authentication from authorization; it handles both in the same exchange.
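As an added example (not code from the original post or from any product it names), the following Python models the client/server exchange described under "How does AAA work?" at the RADIUS wire level as RFC 2865 defines it: the NAS hides the User-Password using the shared secret and a random Request Authenticator, and checks the server's Response Authenticator before trusting an Access-Accept or Access-Reject. The usernames, passwords and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def attr(attr_type: int, value: bytes) -> bytes:
    # RFC 2865 attribute TLV: Type (1 byte), Length (1 byte, includes the 2-byte header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 s5.2 (password at most 128 bytes): pad to a multiple of 16, then
    # c(i) = p(i) XOR MD5(secret + c(i-1)) with c(0) = Request Authenticator. Obfuscation, not encryption.
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Server side: the same chain in reverse, keyed on the previous cipher block (padding nulls stripped).
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes, authenticator: bytes = b"") -> bytes:
    # NAS -> server: Code (1), Identifier (1), Length (2), Request Authenticator (16), attributes
    authenticator = authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, identifier, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def build_response(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # Server -> NAS: Access-Accept or Access-Reject answering the request that carried request_auth
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    # NAS check before trusting a reply: sane length, identifier matches the outstanding request,
    # and the Response Authenticator was computed with the shared secret (constant-time compare).
    if len(response) < 20 or len(request) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    return hmac.compare_digest(response_authenticator(code, identifier, response[20:], request[4:20], secret), response[4:20])
```

The MD5-based hiding and the secret-keyed authenticator are why the shared secret must be strong and why RADIUS crossing an untrusted network is normally carried inside IPsec or TLS (RadSec).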

FreeRADIUS

The world's most powerful RADIUS server is the open-source FreeRADIUS, which serves as the basis for many other RADIUS servers. FreeRADIUS consists of a RADIUS server and a RADIUS client, and can provide authentication and accounting for network devices that support the RADIUS protocol. Common open-source router operating systems such as OpenWrt and DD-WRT also support RADIUS for account management, authentication, and accounting of PPPoE, hotspot, VPN, and other services.

TACACS

TACACS (Terminal Access Controller Access-Control System) is a protocol used for authentication that allows a remote access server to communicate with an authentication server on a UNIX network.

With the rise of cloud computing, organizations rely increasingly on network devices and place more emphasis on information security. Independent authentication, authorization, and accounting services meet the requirements for device access management and security: centralized management of network devices, authentication of device logins, and auditing of all login activity. As a result, vendors have extended the TACACS protocol to meet specific needs. For example, Cisco developed TACACS+ and Huawei introduced HWTACACS; these have gradually replaced the old TACACS protocol and are incompatible with it.

LDAP

LDAP, short for Lightweight Directory Access Protocol, is a directory access protocol that runs over TCP/IP. It is commonly used for user services such as single sign-on and domain verification, whose workloads read frequently and write rarely.

LDAP functions similarly to a database, with a client side and a server side. The server side stores the resources, while the client side performs operations such as adding, deleting, modifying, and querying entries.

Microsoft's Active Directory is a Windows implementation of LDAP. It provides the tree-structured database that LDAP requires and handles tasks such as parsing request data, querying the database, and returning results.

OpenLDAP, on the other hand, is an open-source implementation of the LDAP protocol that runs on Linux. When we refer to an LDAP server, we generally mean a server on which software such as Active Directory or OpenLDAP has been installed and configured.

Further Reading:

How to configure AAA authentication using a FreeRADIUS server on Asterfusion Enterprise SONiC switches

FreeRADIUS-based User Authentication With Asterfusion SONiC Campus Access Switches (cloudswit.ch)
