FreeRADIUS Beginner's Guide

You're reading from FreeRADIUS Beginner's Guide: Master authentication, authorization, and accessing your network resources using FreeRADIUS

Product type: Paperback
Published in: Sep 2011
Publisher: Packt
ISBN-13: 9781849514088
Length: 344 pages
Edition: 1st Edition

Table of Contents (16 chapters)

Preface
1. Introduction to AAA and RADIUS (free chapter)
2. Installation
3. Getting Started with FreeRADIUS
4. Authentication
5. Sources of Usernames and Passwords
6. Accounting
7. Authorization
8. Virtual Servers
9. Modules
10. EAP
11. Dictionaries
12. Roaming and Proxying
13. Troubleshooting
A. Pop Quiz Answers
Index
Authentication, Authorization, and Accounting

Users gain access to data networks and network resources through a wide range of hardware: Ethernet switches, Wi-Fi access points, and VPN servers all offer network access.

When these devices are used to control access to a network, for example a Wi-Fi access point with WPA2 Enterprise security, or an Ethernet switch with 802.1X (EAP) port-based authentication enabled, they are referred to as a Network Access Server (NAS).

All these devices need to exercise some form of control to ensure proper security and usage. This requirement is commonly described as Authentication, Authorization, and Accounting (AAA). AAA is also sometimes referred to as the Triple A Framework. AAA is a high-level architecture model, which can be used for specific implementations.

AAA is specified through various RFCs. Generic AAA Architecture is specified in RFC 2903. There are also RFCs that cover different AAA aspects.

Authentication

Authentication is usually the first step taken in order to gain access to a network and the services it offers. It is the process of confirming whether the credentials Alice presents are valid. The most common way to provide credentials is a username and password. Other forms such as one-time tokens, certificates, PINs, or even biometric scans can also be used.

After successful authentication a session is initialized. This session lasts until the connection to the network is terminated.

Note

Who is Alice?

Alice and Bob are placeholder names. In fact there is a whole character set, each representing a specific role. We will use the following placeholder names:

Alice: A user who wants access to our network

Bob: Another user who wants access to our network

Isaac: The Internet Service Provider (ISP)/our network

You can read more about them on Wikipedia: http://en.wikipedia.org/wiki/Alice_and_Bob.

The following image illustrates an authentication process using the everyday activity of drawing money from an ATM as an example. This in essence lets you gain access to the bank's network (although in an extremely limited way).

[Figure: Authentication, illustrated by an ATM withdrawal]

Authorization

Authorization is the means by which Isaac controls the usage of resources. After Alice has authenticated herself, Isaac can impose certain restrictions or grant certain privileges. Isaac can, for instance, check from which device Alice accesses the network and base a decision on that. He can limit the number of open sessions Alice may have, give her a pre-determined IP address, only allow certain traffic through, or even enforce Quality of Service (QoS) based on an SLA.

Authorization usually involves logic. If Alice is part of the student group then no Internet access is allowed during working hours. If Bob accessed the network through a captive portal then a bandwidth limit is imposed to prevent him from hogging the Internet connection.

Logic can be based on numerous things. Authorization decisions for instance can be based on group membership or the NAS through which you connect or even the time of day when you access our resources.

If we take the previous ATM example we can see that if Alice does not have an overdraft facility she will be limited on the amount of money she can withdraw.

[Figure: Authorization, illustrated by the ATM withdrawal limit]
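The rules in this section (group membership, the NAS used, time of day, session limits, a fixed address, a bandwidth cap) are easiest to see as one decision function. The policy below is an added example written for this page; it is not code from the book or from FreeRADIUS, and it models the decision rather than the server's own policy engine. Framed-IP-Address, Filter-Id and Session-Timeout are standard RADIUS reply attributes; the group names, the session limits, the `captive-portal` marker in Connect-Info, the `vpn-` NAS naming and the WISPr-Bandwidth-Max-Down rate are assumptions made for the example.

```python
from datetime import time

# Constructed policy data (assumptions for this example): per-group limit on
# concurrent sessions, users who always receive a fixed address, Isaac's
# working hours, and the download rate imposed on captive-portal sessions.
SESSION_LIMIT = {"staff": 3, "student": 1}
FIXED_ADDRESSES = {"bob": "10.0.1.20"}
WORKING_HOURS = (time(8, 0), time(17, 0))
PORTAL_RATE_BPS = 2_000_000


def authorize(request, now):
    """Decide what an already-authenticated user may do.

    request: dict with the user's name, group memberships and the properties
             of the connection the NAS reported (hypothetical shape).
    now:     datetime.time, passed in explicitly so the time-of-day rule is
             deterministic and testable.
    Returns (accepted, reply_attributes, reason). On acceptance the reply
    attributes are what the NAS is told to enforce on the session.
    """
    user = request["User-Name"]
    groups = request.get("groups", set())
    nas = request.get("NAS-Identifier", "")

    # Deny rules come first: a single match rejects the session outright.
    if "student" in groups and WORKING_HOURS[0] <= now < WORKING_HOURS[1]:
        return False, {}, "students have no Internet access during working hours"

    if nas.startswith("vpn-") and "staff" not in groups:
        return False, {}, "VPN access is restricted to staff"

    limit = max((SESSION_LIMIT.get(g, 1) for g in groups), default=1)
    if request.get("active_sessions", 0) >= limit:
        return False, {}, f"session limit of {limit} already reached"

    # Grant rules: accumulate privileges and restrictions as reply attributes.
    reply = {}
    if user in FIXED_ADDRESSES:
        reply["Framed-IP-Address"] = FIXED_ADDRESSES[user]
    if request.get("Connect-Info") == "captive-portal":
        # Assumed vendor attribute: cap the download rate of portal users.
        reply["WISPr-Bandwidth-Max-Down"] = PORTAL_RATE_BPS
    if "staff" in groups:
        reply["Filter-Id"] = "staff-acl"
        reply["Session-Timeout"] = 8 * 3600
    elif "student" in groups:
        reply["Filter-Id"] = "student-acl"
        reply["Session-Timeout"] = 3600
    else:
        reply["Filter-Id"] = "guest-acl"
        reply["Session-Timeout"] = 3600
    return True, reply, "ok"


if __name__ == "__main__":
    alice = {"User-Name": "alice", "groups": {"student"},
             "NAS-Identifier": "wifi-ap-1", "active_sessions": 0}
    bob = {"User-Name": "bob", "groups": {"staff"}, "NAS-Identifier": "wifi-ap-1",
           "Connect-Info": "captive-portal", "active_sessions": 1}
    print(authorize(alice, time(10, 0)))
    print(authorize(alice, time(19, 0)))
    print(authorize(bob, time(10, 0)))
```

Deny rules are evaluated before any attribute is granted, so a rejected request never carries reply attributes, and the decision is deny-by-default for anything the grant rules do not mention.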

Accounting

Accounting is the ongoing measurement of resource usage. After Isaac has established who Alice is and imposed proper controls on the established session, he can also measure what she uses for as long as the session lasts.

This allows Isaac to track how much time or resources Alice spends during an established session. Obtaining accounting data allows Isaac to bill Alice for the usage of his resources. Accounting data is not only useful to recover costs but it allows for capacity planning, trend analysis, and activity monitoring.

When Alice wants to check her usage and availability of money the ATM offers this functionality. The Bank of Isaac can also monitor her account and discover if she is usually broke before the end of the month. They can then offer her an overdraft facility.

[Figure: Accounting, illustrated by the ATM balance and usage enquiry]
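Billing, capacity planning and trend analysis all start from the same step: folding the stream of per-session records the NAS sends into usage per session and per user. The code below is an added example for this page, not code from the book or from FreeRADIUS. The attribute names are the standard RADIUS accounting attributes (RFC 2866, plus the Gigawords counters from RFC 2869); the records themselves and the tariff are constructed for the example. It also covers two things a practitioner runs into early: Interim-Update and Stop records carry cumulative totals, so they replace rather than add to earlier figures, and a Stop can arrive for a session whose Start was never seen.

```python
# Constructed accounting records, in the order the NAS would send them.
# Alice's session reports progress with Interim-Update records; Bob's Start
# was lost (say the NAS rebooted), so only a Stop arrives for his session.
RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "a1", "User-Name": "alice"},
    {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "a1", "User-Name": "alice",
     "Acct-Session-Time": 600, "Acct-Input-Octets": 1_000_000, "Acct-Output-Octets": 5_000_000},
    {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "a1", "User-Name": "alice",
     "Acct-Session-Time": 1200, "Acct-Input-Octets": 2_500_000, "Acct-Output-Octets": 9_000_000},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "a1", "User-Name": "alice",
     "Acct-Session-Time": 1500, "Acct-Input-Octets": 3_000_000, "Acct-Output-Octets": 12_000_000,
     "Acct-Terminate-Cause": "User-Request"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "b7", "User-Name": "bob",
     "Acct-Session-Time": 300, "Acct-Input-Octets": 50_000, "Acct-Output-Octets": 80_000,
     # The 32-bit output counter wrapped once; the NAS reports the high word separately.
     "Acct-Output-Gigawords": 1},
]


def _octets(record, direction):
    """Reassemble a full byte count from the 32-bit Octets and Gigawords attributes."""
    high = record.get(f"Acct-{direction}-Gigawords", 0)
    low = record.get(f"Acct-{direction}-Octets", 0)
    return (high << 32) + low


def summarize_sessions(records):
    """Fold accounting records into one entry per Acct-Session-Id."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["Acct-Session-Id"], {
            "user": r["User-Name"], "seconds": 0, "in": 0, "out": 0,
            "open": False, "stop_without_start": False, "cause": None})
        status = r["Acct-Status-Type"]
        if status == "Start":
            s["open"] = True
            continue
        # Interim-Update and Stop carry totals for the whole session so far,
        # so each record replaces the previous figures instead of adding to them.
        s["seconds"] = r.get("Acct-Session-Time", s["seconds"])
        s["in"] = _octets(r, "Input")
        s["out"] = _octets(r, "Output")
        if status == "Stop":
            # Flag sessions we never saw start: their usage is still billable,
            # but the gap is worth investigating (lost packets, NAS restart).
            s["stop_without_start"] = not s["open"]
            s["open"] = False
            s["cause"] = r.get("Acct-Terminate-Cause")
    return sessions


def usage_by_user(sessions):
    """Per-user totals: the input for billing, trend analysis and capacity planning."""
    totals = {}
    for s in sessions.values():
        t = totals.setdefault(s["user"], {"seconds": 0, "octets": 0, "sessions": 0})
        t["seconds"] += s["seconds"]
        t["octets"] += s["in"] + s["out"]
        t["sessions"] += 1
    return totals


def invoice(totals, cents_per_megabyte):
    """Constructed volume tariff: charge per started megabyte (rounded up)."""
    return {user: -(-t["octets"] // 1_000_000) * cents_per_megabyte
            for user, t in totals.items()}


if __name__ == "__main__":
    sessions = summarize_sessions(RECORDS)
    totals = usage_by_user(sessions)
    print(sessions)
    print(totals)
    print(invoice(totals, cents_per_megabyte=1))
```

The same per-session table also answers the monitoring questions from the text: sessions still marked `open` long after their expected Session-Timeout, or a rising share of `stop_without_start` entries from one NAS, are the kind of trend Isaac would want to notice.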

RADIUS is a protocol that provides AAA on IP networks; it carries its messages over UDP. The next section continues with more on the RADIUS protocol.
