Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.2. Authentication, Authorization, and Accounting (AAA)

💡 First Principle: AAA is the access control lifecycle: prove who you are (authentication), determine what you're allowed to do (authorization), then record what you did (accounting). Every access decision follows this sequence, whether logging into a laptop or accessing a cloud database.

Authenticating people uses the factors from Phase 1: something you know (password, PIN), something you have (token, smart card), something you are (biometric). MFA combines two or more different factor categories; a password plus a security question is still a single factor (both are something you know). The exam also tests authenticating systems: servers and services prove their identity to each other with certificates, API keys, and mutual TLS, where both sides present a certificate rather than only the server.

Authorization models determine access after identity is verified. The key concept is that authorization is separate from authentication — proving your identity doesn't mean you should access everything. The principle of least privilege states that users should receive only the minimum permissions necessary for their role. Detailed authorization models (MAC, DAC, RBAC, ABAC) appear in Phase 5.

Accounting creates the audit trail. Every login (successful or failed), file access, and configuration change should be logged, with who, what, when, and from where. Without accounting, you can't detect insider threats, investigate breaches, prove compliance, or perform forensics. SIEM systems aggregate and correlate these logs for analysis, so a failed-authentication burst followed by a successful login and a privilege change can be spotted as one sequence rather than three unrelated events.
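The three steps above, as an added example that is not part of the course page: a minimal Python AAA flow in which a command is only executed after a password check (authentication), a role lookup (authorization), and a log entry (accounting). The user store, the role-to-permission map, and the in-memory log are constructed for illustration; the role and permission names are assumptions, not from any real system.

```python
"""Minimal AAA flow: authenticate, then authorize, then account.

Added example, not code from the course page. Users, roles and the
log are constructed in memory; a real deployment would hold users in
a directory, permissions in a policy store, and ship the log to a SIEM.
"""
import hashlib
import hmac
import time

def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user store: hashes only, never plaintext passwords.
_SALT_ALICE = b"constructed-salt-1"
_SALT_BOB = b"constructed-salt-2"
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash("correct horse", _SALT_ALICE), "role": "netadmin"},
    "bob":   {"salt": _SALT_BOB,   "hash": _hash("hunter2", _SALT_BOB),        "role": "helpdesk"},
}

# Least privilege: each role gets only the actions it needs (assumed role names).
ROLE_PERMISSIONS = {
    "netadmin": {"show run", "configure", "reload"},
    "helpdesk": {"show run"},
}

ACCOUNTING_LOG: list[dict] = []  # the audit trail

def account(event: str, user: str, **details) -> None:
    """Record every decision, failures included; that is what makes forensics possible."""
    ACCOUNTING_LOG.append({"ts": time.time(), "event": event, "user": user, **details})

def authenticate(user: str, password: str) -> bool:
    """Prove identity. Always hashes, even for unknown users, so response
    time does not reveal whether the account exists."""
    rec = USERS.get(user)
    salt = rec["salt"] if rec else b"dummy-salt"
    expected = rec["hash"] if rec else _hash("", salt)
    ok = hmac.compare_digest(_hash(password, salt), expected) and rec is not None
    account("authn", user, success=ok)
    return ok

def authorize(user: str, action: str) -> bool:
    """Decide what an already-authenticated user may do. Separate from
    authentication: a valid login grants nothing by itself."""
    role = USERS[user]["role"]
    ok = action in ROLE_PERMISSIONS.get(role, set())
    account("authz", user, action=action, success=ok)
    return ok

def run_command(user: str, password: str, action: str) -> str:
    """Full AAA sequence for one request."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, action):
        return "denied: not permitted for role"
    account("exec", user, action=action)
    return f"ok: {action}"

if __name__ == "__main__":
    print(run_command("alice", "correct horse", "configure"))
    print(run_command("bob", "hunter2", "configure"))
    print(run_command("mallory", "anything", "show run"))
    for entry in ACCOUNTING_LOG:
        print(entry)
```

Note that bob's request is refused at the authorization step even though his password was correct, and that the log still carries the failed `authz` entry: a helpdesk account repeatedly attempting `configure` is exactly the insider signal the accounting paragraph is about.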

AAA protocols implement this framework for network devices:

Protocol   Port(s)                  Transport   Encrypts                       Best For
RADIUS     1812 (auth), 1813 (acct) UDP         User-Password attribute only   Network access (Wi-Fi, VPN)
TACACS+    49                       TCP         Entire packet body             Device administration (routers, switches)

TACACS+ separates authentication, authorization, and accounting into individual transactions, giving granular control over each step. RADIUS combines authentication and authorization into a single Access-Request/Access-Accept exchange, with accounting as a separate exchange on its own port. For managing who can run which commands on a router, TACACS+ is preferred. For controlling who can connect to the network, RADIUS is standard. Two practical caveats: RADIUS hides only the User-Password attribute (an MD5 keystream derived from the shared secret and the request authenticator), so usernames and every other attribute cross the wire in the clear, and older deployments still listen on UDP 1645/1646. TACACS+ obscures the whole packet body with a similar MD5-based scheme that RFC 8907 treats as obfuscation rather than encryption. Both protocols should therefore be confined to a management network or wrapped in IPsec or TLS (RadSec, RFC 6614).

āš ļø Exam Trap: AAA extends beyond usernames and passwords. The exam tests AAA in context of RADIUS and TACACS+ protocols (network device authentication) and cloud IAM services. "Accounting" means logging and auditing — not financial accounting.

Written by Alvin Varughese, Founder • 15 professional certifications