π― Trick 1 β Accounting is NOT Finance
The exam describes: "A system that tracks login times, session duration, and data transferred." Students sometimes answer "auditing" or confuse this with financial systems. What is the correct AAA term?
In IT security, Accounting = audit logging of user/device activity. It has nothing to do with finance. On the exam: if a question mentions tracking login time, logout time, or data volume β that's Accounting. Not Auditing, not Monitoring (though monitoring is related), not Authorization.
π― Trick 2 β Authentication vs. Authorization Order
A system grants a user access to a file before verifying their credentials. What security principle is violated?
You CANNOT authorize before authenticating. If a system grants access before verifying identity, it may allow unauthenticated access to protected resources. This is a fundamental design flaw in access control systems.
π― Trick 3 β RADIUS Holds Credentials, Not the VPN
An admin says: "Our VPN concentrator validates all user credentials." A colleague says: "No it doesn't β RADIUS does." Who is right?
The VPN concentrator receives login requests but does NOT have a credential database. It passes the credentials to the RADIUS server, which validates them and responds with Access-Accept or Access-Reject. This separation is important β centralizing authentication in RADIUS means you only manage credentials in one place, regardless of how many VPN concentrators you have.
π― Trick 4 β Direct Mapping Trap
An organization has 50 users and 10 resources. Without an authorization model, how many individual permission assignments are needed if every user needs access to every resource?
With RBAC and one role covering all users: 10 assignments to the role + 50 user-to-role assignments = 60 total. At 500 users and 100 resources: 50,000 direct assignments vs. just 150 with RBAC. This is why authorization models are essential β the scale argument is a core exam talking point.
π― Performance Task β Design AAA for a Remote Worker
Design a complete AAA flow for a remote employee connecting to the corporate network. Include: what device they use, how they identify, how they authenticate, how authorization is managed, and what is logged.
Authentication: VPN client sends username + password + MFA token to VPN concentrator β concentrator forwards to RADIUS β RADIUS validates against Active Directory β returns Access-Accept.
Device Authentication: Laptop presents CA-signed certificate β VPN concentrator verifies against corporate CA β confirms device is company-owned.
Authorization: RADIUS assigns user to their role group (e.g., "Engineering"). RBAC policy grants Engineering access to code repos, dev servers, internal wikis β but NOT finance or HR systems.
Accounting: RADIUS logs login time, IP address, session duration, data transferred. Active Directory logs all resource accesses. Logs sent to SIEM for analysis.
π― Trick 5 β "Authentication" vs "Authentication Factor"
A question asks: "A user provides a fingerprint and a PIN to log in. How many authentication factors are used?" Students often answer "1 because they're both for authentication."
β’ Fingerprint = something you ARE (inherence factor)
β’ PIN = something you KNOW (knowledge factor)
Each factor category counts separately. Using two different categories = MFA (multi-factor authentication). Using two PINs would still be only one factor TYPE (both knowledge-based). The exam often tests whether you understand factor categories, not just the count of inputs.