Chapter 4 Β· Flashcards

AAA Framework Flashcards

Click any card to reveal its definition.

0 / 16 flipped
Identification
Tap to reveal
Claiming an identity β€” e.g. typing a username. System records the claim but does NOT verify it yet.
Authentication
Tap to reveal
PROVING your claimed identity is legitimate. Via password, biometric, smart card, certificate, or MFA.
Authorization
Tap to reveal
After authentication: what are you ALLOWED to access? Defines permissions based on roles, attributes, or policies.
Accounting
Tap to reveal
Tracking what authenticated users DID. Login/logout times, data transferred, session duration. Creates audit logs.
MFA
Tap to reveal
Multi-Factor Authentication β€” requires 2+ factors: something you KNOW (password), HAVE (token/device), or ARE (biometric).
Certificate Authority (CA)
Tap to reveal
Trusted entity that creates and signs digital certificates. Organizations often run their own CA to authenticate devices without passwords.
RADIUS
Tap to reveal
Centralized AAA server protocol. VPN concentrators pass credentials to RADIUS for validation. RADIUS stores all user/device credentials.
VPN Concentrator
Tap to reveal
Device that manages VPN connections. Receives login requests and passes them to the AAA server. Does NOT store credentials itself.
Authorization Model
Tap to reveal
An abstraction layer between users and resources. Users assigned to roles/groups, which have defined permissions. Replaces direct user-to-resource mapping.
RBAC
Tap to reveal
Role-Based Access Control. Permissions assigned to roles; users assigned to roles. Adding a user to a role instantly grants all role permissions.
Abstraction
Tap to reveal
The intermediate layer (role/group) between users and resources. Separates identity from access rights. Makes large-scale management feasible.
What does Accounting record?
Tap to reveal
Login time, logout time, session duration, data sent, data received. NOT financial accounting β€” IT audit logging.
Why can't devices use passwords?
Tap to reveal
Systems can't type passwords, and storing passwords on field devices creates security risks. Solution: install a CA-signed digital certificate on the device instead.
Authentication vs. Authorization
Tap to reveal
Authentication = WHO are you? (identity verification). Authorization = WHAT can you do? (access rights). Authentication always comes first.
Problem without Authorization Model
Tap to reveal
Direct user-to-resource mapping doesn't scale. Hard to audit, hard to manage. Adding one user requires setting individual permissions for every resource they need.
Who validates credentials in VPN auth?
Tap to reveal
The AAA server (e.g., RADIUS), NOT the VPN concentrator itself. The concentrator passes credentials to RADIUS and waits for the approve/deny response.