It is important to remember that AAA is simply a grouping of three security functions—authentication,
authorization, and accounting. Most texts examine each component as an isolated process,
and although this is perhaps more accurate, here they have been placed into a three-step
process to better communicate the interactions between each service. For example, it is perfectly
valid to use only authentication and authorization while omitting accounting, but if you do so,
administrators will lose the auditing benefits that are provided by the auditing service.
Step 1: Authentication
Authentication
is the first facet of the three security elements, and it provides a basis for the remaining
two components. Authentication provides the “who” in the AAA model. Like journalists who
ask themselves the questions they must answer to make their story good (Who?, What?, Where?,
When?, and How?), administrators need to ask who is involved in their system; it is one of the fundamental
pieces of information they need to set up their system. Unfortunately, in computing, as in
non-computing situations, it can be fairly simple to lie about one’s identity.
To facilitate the authentication process, most systems require both a username and a
password—it is hoped the password will be maintained in confidence in order to preclude
the potential of compromise. By requiring two elements of identity, the computer-based
system doubles the likelihood that the user is accurately identified.
However, it is possible to obtain, lie about, or guess both pieces of information. The likelihood
of accurate authentication is stronger if a physical element is added. In non-computing situations,
this might include a passport or driver’s license; in the computer world, it might include a tokenbased
device. As presented in the CiscoSecure section of this chapter, there are many products that
can provide this service as a software receiver of the physical code card data.
Step 2: Authorization
After the identity of the user has been established, a decision must be made regarding what
rights that user can exercise. This is called
authorization
, and is assigned by the administrator
based on the requirements and business policies of the organization. An example of authorization
would include permissions to access a remote access device or the ability to print a file.
Because authentication and authorization are so involved and dependent on each other, they are
regarded as a single security component in most environments.
Step 3: Accounting
Whereas authentication and authorization work to prevent unauthorized access,
accounting
provides a means of verifying that only authorized users obtain access. In addition, accounting
is used to audit the actions of an authorized user.
An accounting record relies on the authenticity of the authentication process—a fraudulent
user might provide a valid login, but the accounting feature provides the audit trail required to
assess the damage. This log provides a record of when an activity occurred and what action was
performed—connecting to a router, for example.