Chapter 4 Β· Helper 2

Concept Map

Visual flows for the AAA framework, VPN authentication, and authorization models.

The IAAA Flow

Identification β†’ AAA

Identification

Claim identity (username)

β†’

Authentication

Prove identity (password, cert, MFA)

β†’

Authorization

What can you access?

β†’

Accounting

Log what you did

VPN Authentication Flow (with RADIUS)

Client

User on internet

β†’ sends credentials β†’

VPN Concentrator

Receives login request

β†’ passes to β†’

RADIUS Server

Validates credentials

β†’ approved β†’

File Server

User gains access

The VPN concentrator does NOT hold user credentials β€” it passes them to the RADIUS server for validation.

Authorization: No Model vs. With Model

AspectNo Authorization ModelWith Authorization Model (RBAC)
StructureUser β†’ Resource (direct)User β†’ Role/Group β†’ Resource
Scalability❌ Poor β€” grows exponentiallyβœ… Excellent β€” add user to role = done
Auditability❌ Hard to know why access existsβœ… Clear β€” role defines all access
Adding a new userAssign permissions individually to each resourceAssign to role β€” inherits all permissions
Changing a resource's permissionsUpdate every user individuallyUpdate the role once

Memory Aids

IAAA Order

ID first β†’ Auth second β†’ Authz third β†’ Accounting last. Cannot authorize before authenticating. Cannot authenticate without identifying first.

Auth-n vs Auth-z

AuthentiCATION = verify identity (WHO are you?). AuthoriZATION = verify rights (WHAT can you do?).

Accounting β‰  Finance

In IT, Accounting = audit logging. Tracks login times, session duration, data volumes. Not financial accounting.