AAA Framework
Authentication, Authorization, and Accounting β a security model controlling access to systems. Often preceded by Identification, making it IAAA in practice.
Identification
The first step in access control. A user or system claims an identity (e.g., enters a username). The system records the claim but does not yet verify it.
Authentication
The process of verifying that the claimed identity is legitimate. Achieved through authentication factors: passwords, biometrics, smart cards, certificates, or MFA.
Authorization
After authentication, the system determines what resources the verified user or device is permitted to access. Defines permissions and access rights.
Accounting
Tracking and recording user/device activities: login time, logout time, duration, data transferred. Creates an audit trail for security monitoring and incident investigation.
Multi-Factor Authentication (MFA)
Requiring two or more verification factors to authenticate. Factors: something you know (password), something you have (token/device), something you are (biometric).
Authentication Factor
A category of evidence used to verify identity. The three main factors: knowledge (password/PIN), possession (smart card, phone), and inherence (biometric β fingerprint, face).
Certificate Authority (CA)
A trusted entity that creates, signs, and manages digital certificates. Organizations often run their own internal CA to authenticate devices and services.
Digital Certificate (device auth)
A digitally signed document installed on a device that proves it belongs to the organization. The CA's signature allows other systems to verify the certificate's authenticity automatically.
VPN Concentrator
A device that manages VPN connections. Acts as the access point where users/devices connect. Passes authentication requests to the AAA server (e.g., RADIUS) for validation.
RADIUS
Remote Authentication Dial-In User Service. A protocol and server that centralizes AAA functions. The VPN concentrator sends credentials to RADIUS; RADIUS checks the database and returns approve/deny.
Authorization Model
An abstraction layer between users and resources that defines access rights through roles, groups, or attributes. Replaces direct user-to-resource mappings for scalability and manageability.
Role-Based Access Control (RBAC)
An authorization model where permissions are assigned to roles (e.g., "Shipping", "Finance") and users are assigned to roles. New users inherit all role permissions automatically.
Abstraction (authorization)
The layer between users and resources that simplifies access management. A role or group acts as the abstraction β administrators manage the group, not individual user-resource mappings.
Audit Log
A chronological record of system events, user actions, and access attempts. The output of the Accounting component. Used for security investigations, compliance, and anomaly detection.
Credential
Information used to authenticate identity. Examples: username/password pair, digital certificate, biometric data, hardware token.