Think of going to a theme park. First, they check your ticket to make sure you’re really a guest (that’s authentication). Then, the ticket says which rides you’re allowed on — maybe you have a VIP pass or a basic pass (that’s authorization). Finally, the park keeps track of which rides you went on and when (that’s accounting). Computers use these same three steps to keep track of who’s using them and what they’re doing.
The AAA (Authentication, Authorization, and Accounting) framework defines how users are identified, what they are permitted to do, and how their actions are tracked. AAA is implemented through protocols like RADIUS, TACACS+, and Kerberos and underpins identity and access management across enterprise environments.
Key Concepts
Authentication — verifying the identity of a user, device, or service (see authentication)
Something you know (password), something you have (token), something you are (biometric)
Authorization — determining what an authenticated entity is allowed to do (see authorization)
Enforced through access control models (RBAC, ABAC, MAC, DAC)
Accounting — logging and tracking user activities for audit and forensic purposes
Includes session duration, commands executed, data accessed, and resource usage
RADIUS (Remote Authentication Dial-In User Service) — UDP-based, encrypts only the password, commonly used for network access (Wi-Fi, VPN)
Combines authentication and authorization in a single step
TACACS+ (Terminal Access Controller Access-Control System Plus) — TCP-based, encrypts the entire payload, and handles each of the three AAA functions separately
Preferred for device administration (switches, routers, firewalls)
Kerberos — ticket-based authentication protocol used in Active Directory environments; uses port 88
Exam Tips
RADIUS vs. TACACS+
Feature           RADIUS                  TACACS+
Protocol          UDP (1812/1813)         TCP (49)
Encryption        Password only           Full packet
AAA Separation    Combined auth/authz     Separate
Best for          Network access          Device admin
Remember
“RADIUS for Remote users, TACACS+ for Terminal/device administration.” The exam loves comparing these two.
Connections
The authentication component is detailed in authentication, with methods such as mfa and sso.
Q1. A network administrator wants to centrally manage login access for all 200 switches and routers in the enterprise. The solution must encrypt the entire authentication session and allow granular control over which commands each admin can execute. Which protocol is BEST suited for this requirement?
A. RADIUS
B. TACACS+
C. Kerberos
D. LDAP
Answer: B. TACACS+
TACACS+ encrypts the entire payload (not just the password) and separates authentication, authorization, and accounting, making it ideal for device administration with granular command-level control. RADIUS only encrypts the password and combines authentication/authorization, making it less suitable for device admin. Kerberos is a ticket-based protocol used primarily in Active Directory environments, not for network device management. LDAP is a directory service protocol, not an AAA protocol.
Q2. A company deploys a wireless network and needs to authenticate employees connecting via Wi-Fi and VPN. The chosen protocol should use UDP and handle large volumes of remote user connections efficiently. Which AAA protocol MOST likely meets this need?
A. TACACS+
B. RADIUS
C. Kerberos
D. SAML
Answer: B. RADIUS
RADIUS uses UDP (ports 1812/1813), combines authentication and authorization in a single step, and is the standard protocol for network access scenarios like Wi-Fi and VPN. TACACS+ uses TCP and is preferred for device administration rather than network access. Kerberos is used in Active Directory environments for domain authentication, not typically for Wi-Fi/VPN. SAML is a federation protocol for web-based single sign-on, not a network access protocol.
Q3. After a data breach, an incident response team needs to determine exactly which files a compromised user account accessed and when. Which component of the AAA framework PRIMARILY provides this information?
A. Authentication
B. Authorization
C. Accounting
D. Access control
Answer: C. Accounting
Accounting is the AAA component responsible for logging and tracking user activities, including session duration, commands executed, data accessed, and timestamps — exactly what investigators need for forensic analysis. Authentication only verifies identity at login time. Authorization defines permissions but does not track what was actually accessed. Access control is a broader concept that encompasses authorization models but does not specifically refer to activity logging.
Q4. An organization uses RADIUS for VPN authentication and TACACS+ for switch management. A security auditor notes that RADIUS only encrypts the password field during transmission. Which security risk does this PRIMARILY introduce?
A. Unauthorized command execution on network devices
B. Exposure of usernames and accounting data in transit
C. Inability to separate authentication from authorization
D. Incompatibility with multi-factor authentication
Answer: B. Exposure of usernames and accounting data in transit
RADIUS encrypts only the password, leaving usernames, accounting data, and other attributes visible in transit, which could be captured through network sniffing. Unauthorized command execution relates to authorization controls, not encryption scope. While RADIUS does combine authentication and authorization, that is a design characteristic rather than a risk introduced by partial encryption. RADIUS fully supports MFA — the encryption limitation does not affect MFA compatibility.
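To make the "Password only" versus "Full packet" rows of the comparison table concrete, and the Q4 point that RADIUS leaves usernames and other attributes readable in transit, here is an added example in Python that is not part of this study guide. It implements the User-Password hiding defined in RFC 2865 (section 5.2) that RADIUS applies to that single attribute, and the whole-body obfuscation defined in RFC 8907 (section 4.5) that TACACS+ applies to every packet, builds a minimal packet of each kind with constructed sample credentials (alice, s3cr3t!, shared-key), and reports which fields a passive observer of the wire could read. The function names, the fixed authenticator and the sample values are my own choices for the demonstration.

```python
import hashlib
import os
import struct

# Added example: RADIUS hides only User-Password; TACACS+ obfuscates the whole body.
# Sample usernames, passwords, secrets and session ids below are constructed.

# ---- RADIUS: only the User-Password attribute is hidden (RFC 2865 s5.2) ----
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD = 1, 2


def radius_hide_password(password, secret, authenticator):
    """c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    n = max(16, ((len(password) + 15) // 16) * 16)      # NUL-pad up to a 16-byte multiple
    padded = password.ljust(n, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, n, 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return bytes(out)


def radius_reveal_password(hidden, secret, authenticator):
    """Server side: reverse the XOR chain, then strip the NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    return bytes(out).rstrip(b"\x00")


def radius_attr(atype, value):
    """Type-Length-Value attribute; length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Minimal Access-Request: code, id, length, 16-byte authenticator, attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)            # real clients use a fresh random value
    attrs = radius_attr(USER_NAME, username)
    attrs += radius_attr(USER_PASSWORD, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_radius(packet):
    """Return (authenticator, {type: value}); no secret is needed for this step."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return authenticator, attrs


# ---- TACACS+: the entire packet body is obfuscated (RFC 8907 s4.5) ----
def tacacs_obfuscate(body, key, session_id, version=0xC0, seq_no=1):
    """body XOR an MD5 chain seeded with (session_id, key, version, seq_no).
    Because it is a XOR stream, the same function encrypts and decrypts."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(x ^ p for x, p in zip(body, pad))


def tacacs_authen_start(user, port=b"tty0", rem_addr=b"", data=b""):
    """RFC 8907 s5.1 authentication START body (action=LOGIN, priv_lvl=1,
    authen_type=ASCII, authen_service=LOGIN); the username lives inside this body."""
    head = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return head + user + port + rem_addr + data


def compare_on_the_wire(username=b"alice", password=b"s3cr3t!", secret=b"shared-key"):
    """Constructed credentials; returns what a passive observer could read from each packet."""
    auth = bytes(range(16))                        # fixed authenticator so the run is reproducible
    pkt = build_access_request(7, username, password, secret, auth)
    _, attrs = parse_radius(pkt)
    session = 0x1234ABCD
    tac = tacacs_obfuscate(tacacs_authen_start(username), secret, session)
    return {
        "radius_username_visible": username in pkt,
        "radius_password_visible": password in pkt,
        "radius_roundtrip": radius_reveal_password(attrs[USER_PASSWORD], secret, auth) == password,
        "tacacs_username_visible": username in tac,
        "tacacs_roundtrip": tacacs_obfuscate(tac, secret, session) == tacacs_authen_start(username),
    }


if __name__ == "__main__":
    for name, value in compare_on_the_wire().items():
        print(f"{name}: {value}")
```

Running it shows the RADIUS username as visible and the password as hidden, while the TACACS+ username is not visible at all, which is the whole of the "Password only" versus "Full packet" distinction. Both schemes are keyed MD5 streams over a shared secret rather than modern authenticated encryption, so "full packet" in the table means obfuscated with the shared key, not transport-level protection.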
Scenario
See case-aaa-framework for a practical DevOps scenario applying these concepts.