The IAAA Flow
Identification β AAAIdentification
Claim identity (username)
β
Authentication
Prove identity (password, cert, MFA)
β
Authorization
What can you access?
β
Accounting
Log what you did
VPN Authentication Flow (with RADIUS)
Client
User on internet
β sends credentials β
VPN Concentrator
Receives login request
β passes to β
RADIUS Server
Validates credentials
β approved β
File Server
User gains access
The VPN concentrator does NOT hold user credentials β it passes them to the RADIUS server for validation.
Authorization: No Model vs. With Model
| Aspect | No Authorization Model | With Authorization Model (RBAC) |
|---|---|---|
| Structure | User β Resource (direct) | User β Role/Group β Resource |
| Scalability | β Poor β grows exponentially | β Excellent β add user to role = done |
| Auditability | β Hard to know why access exists | β Clear β role defines all access |
| Adding a new user | Assign permissions individually to each resource | Assign to role β inherits all permissions |
| Changing a resource's permissions | Update every user individually | Update the role once |
Memory Aids
IAAA Order
ID first β Auth second β Authz third β Accounting last. Cannot authorize before authenticating. Cannot authenticate without identifying first.
Auth-n vs Auth-z
AuthentiCATION = verify identity (WHO are you?). AuthoriZATION = verify rights (WHAT can you do?).
Accounting β Finance
In IT, Accounting = audit logging. Tracks login times, session duration, data volumes. Not financial accounting.