Chapter 4 Β· AAA Framework

Carlos and the Permission Chaos

Carlos joins MegaLogistics as IT Admin with 800 users, no authorization model, and a network that can't tell who should access what.

The Inbox of Doom

Carlos opened his laptop on his first day at MegaLogistics to find 47 access requests waiting. Warehouse staff needed shipping system access. Finance needed payroll. IT wanted server management rights. Every request was a manual task: find the user, find the resource, assign permissions. One by one.

"There's no authorization model," he said to his manager. "Every user is directly mapped to every resource they need. It's chaos."

"That's why we hired you," she replied.

πŸ’‘ The AAA Framework Authentication, Authorization, and Accounting β€” but the process actually starts with Identification. Together these four steps control who can access what, verify they are who they claim to be, define what they're allowed to do, and record everything they do.

Who Are You?

Carlos started with the basics. Every access request begins with identification β€” the user claims an identity. "When you type your username," he explained at the all-hands meeting, "you're telling the system who you are. The system doesn't know yet if you're really that person. It just records the claim."

Identification was simple: a username, an account ID, a device name. The system noted the claim without yet validating it.

Prove It

Authentication was the next step. "This is where we verify the claim," Carlos told the team. "A password proves you know a secret only the real user should know. A fingerprint proves your biometrics match. A one-time code from your phone proves you have a physical device."

He deployed RADIUS β€” a centralized Authentication, Authorization, and Accounting server. When warehouse staff logged into the VPN, the VPN concentrator passed their credentials to RADIUS. RADIUS checked the database. Approved. The concentrator then granted access.

But people weren't the only things that needed authentication. MegaLogistics had 300 remote scanners and printers β€” devices in warehouses across the country. "A printer can't type a password," Carlos noted. "But it can present a certificate."

He set up a Certificate Authority (CA) and generated signed digital certificates for every device. Each certificate β€” signed by the MegaLogistics CA β€” proved the device was company-owned. The VPN concentrator could now verify any device's certificate against the CA's signature automatically.

πŸ”‘ Authentication Methods

  • Passwords / MFA β€” for human users
  • Digital Certificates β€” for devices (systems can't type passwords)
  • Certificate Authority (CA) β€” trusted entity that signs and manages certificates
  • RADIUS β€” centralized AAA server that validates credentials

What Are You Allowed to Do?

Authentication confirmed identity. Now came authorization β€” determining what each authenticated user could actually access. Carlos stared at the old system: 800 users, hundreds of resources, each mapped directly. "If I change one resource's permissions," he muttered, "I need to update 300 users who access it."

He replaced it with an authorization model. Instead of User β†’ Resource, he created groups: Warehouse, Finance, IT, HR. He assigned permissions to groups, not individuals. When a new warehouse employee joined, Carlos added them to the Warehouse group β€” instantly inheriting all the right permissions. One action. Done.

"This scales," he told his manager. "It doesn't matter if we have 800 users or 8,000."

πŸ—‚οΈ Authorization Models

  • No model: User β†’ Resource directly (doesn't scale, hard to audit)
  • With model: User β†’ Role/Group β†’ Resource (scalable, clear, easy to manage)
  • Role-Based (RBAC): permissions assigned to roles; users assigned to roles
  • Attribute-Based: access based on user attributes, resource attributes, environment

Record Everything

The final layer was accounting β€” tracking what everyone did. RADIUS logged every login attempt: timestamp, username, session duration, data transferred, logout time. "If there's ever a security incident," Carlos explained, "we can trace exactly who accessed what and when."

Three months later, an inventory discrepancy triggered an investigation. Carlos pulled the RADIUS logs, found that a single account had accessed the inventory database at 3 AM from an unusual IP address, downloaded 5GB of records, and disconnected. The logs told the whole story. Accounting had done its job.

βœ… The Core Lesson IAAA: Identification (claim identity) β†’ Authentication (prove identity) β†’ Authorization (what are you allowed?) β†’ Accounting (what did you do?). Each step builds on the previous. You cannot authorize before you authenticate, and you cannot authenticate without identification.