AAA Framework: Authentication, Authorization, and Accounting (RADIUS, TACACS+)

The AAA framework — Authentication, Authorization, and Accounting — is the foundation of access control in network security. AAA protocols like RADIUS and TACACS+ manage who can access the network, what they can do, and track their activity.

The Three As of AAA

Authentication — verifies who the user is. Users present credentials (password, certificate, biometric) and the system validates them. Authentication answers: 'Who are you?' Common methods: passwords, tokens, smart cards, biometrics, and certificates.

Authorization — determines what the authenticated user is allowed to do. Decisions are based on policies and an access control model such as RBAC or ABAC. Authorization answers: 'What can you access?' It can cover read/write/execute permissions, network access levels, and application access.

Accounting — tracks what the user does. Logs the user's activities: when they logged in/out, what resources they accessed, how long they were connected, and what actions they performed. Accounting answers: 'What did you do?' Used for auditing, billing, and non-repudiation.

  • Authentication: verify identity (who are you?)
  • Authorization: determine permissions (what can you access?)
  • Accounting: log activity (what did you do?)
  • All three are required for complete access control

RADIUS (Remote Authentication Dial-In User Service)

RADIUS is a networking protocol that provides centralized AAA management for network devices. It authenticates users connecting to a network and authorizes their access.

RADIUS uses UDP (ports 1812 for authentication, 1813 for accounting). The RADIUS server stores user credentials and policies; network devices (NAS — Network Access Server) forward authentication requests to the RADIUS server.

RADIUS encrypts only the password in the Access-Request packet — the rest of the packet (username, NAS attributes, authorization data) is sent in cleartext. This is a limitation: anyone who can capture traffic between the NAS and the RADIUS server can read usernames and attributes, so the link between them should be treated as sensitive.

Common RADIUS use cases: 802.1X network authentication, VPN authentication, Wi-Fi access (WPA2-Enterprise), and network device administration.

  • RADIUS: centralized AAA for network devices
  • Uses UDP ports 1812 (auth) and 1813 (accounting)
  • Encrypts password only — username and authorization data in cleartext
  • Widely used for 802.1X, VPN, and Wi-Fi authentication
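To make the "password only" point concrete, here is an added example (not part of the original notes, and not any vendor's code) that builds and parses a RADIUS Access-Request using the RFC 2865 packet layout and the RFC 2865 User-Password hiding algorithm (MD5 of the shared secret and the Request Authenticator, XORed block by block). The shared secret, username, password and NAS address are constructed sample values. Parsing the packet needs no secret, so the username and NAS-IP-Address are readable by anyone on the path; only the User-Password attribute requires the secret to recover.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 code and attribute-type numbers used below
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding. The password is NUL-padded to a
    multiple of 16 octets; block 1 is XORed with MD5(secret + Request Authenticator),
    each later block with MD5(secret + previous hidden block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keyblock = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], keyblock))
        hidden, prev = hidden + c, c
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; needs the shared secret and the Request Authenticator."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keyblock = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        plain, prev = plain + bytes(x ^ k for x, k in zip(c, keyblock)), c
    return plain.rstrip(b"\x00")  # strip the NUL padding (sample passwords contain no NUL)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets, so a value is at most 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """Access-Request: Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)  # random per request, as the RFC requires
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes):
    """Parse header and attributes. No shared secret is needed for any of this."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def observer_view(packet: bytes) -> dict:
    """What a passive observer without the shared secret learns from one Access-Request."""
    _, _, _, attrs = parse_packet(packet)
    return {"username": attrs[ATTR_USER_NAME].decode(),
            "nas_ip": socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS]),
            "password_hidden_hex": attrs[ATTR_USER_PASSWORD].hex()}


def server_check(packet: bytes, secret: bytes, expected: bytes) -> bool:
    """Server side: recover the password with the shared secret and compare it."""
    _, _, authenticator, attrs = parse_packet(packet)
    return reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator) == expected


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.0/24 is documentation address space.
    secret = b"s3cret"
    pkt = build_access_request(7, secret, b"alice", b"hunter2", "192.0.2.10")
    print(observer_view(pkt))                      # username and NAS IP are plainly visible
    print(server_check(pkt, secret, b"hunter2"))   # True only with the right shared secret
```

Note that the hiding is keyed with the shared secret and a 16-byte value that is sent in the clear, so its strength rests entirely on the secret; that is why practitioners care about secret quality and about protecting the NAS-to-server path rather than relying on the attribute hiding alone.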

TACACS+ (Terminal Access Controller Access-Control System Plus)

TACACS+ is a Cisco-developed AAA protocol. Unlike RADIUS, TACACS+ encrypts the entire packet body (not just the password), providing better security.

TACACS+ uses TCP (port 49), making it more reliable than RADIUS (which uses UDP). TACACS+ handles authentication, authorization, and accounting as separate functions, so each can be provided by a different server.

Key difference from RADIUS: TACACS+ encrypts ALL traffic between client and server, while RADIUS only encrypts the password. TACACS+ is commonly used for network device administration (router/switch access), while RADIUS is used for user network access (VPN, Wi-Fi).

  • TACACS+: Cisco AAA protocol — encrypts entire packet
  • Uses TCP port 49 — more reliable than RADIUS (UDP)
  • Separates authentication, authorization, and accounting
  • Commonly used for network device administration access
  • RADIUS vs TACACS+: RADIUS = user access (VPN, Wi-Fi), TACACS+ = admin access (routers, switches)

Kerberos

Kerberos is a network authentication protocol that uses tickets instead of passwords. It was developed at MIT and is the default authentication protocol in Microsoft Active Directory.

Kerberos components: the Key Distribution Center (KDC), the central authentication server; the Ticket Granting Ticket (TGT), the initial ticket obtained when the user authenticates; and Service Tickets, which are used to access specific services.

Kerberos authentication flow: (1) User authenticates to KDC with password, (2) KDC issues a TGT (encrypted with the user's password hash), (3) User requests access to a service by presenting TGT to KDC, (4) KDC issues a Service Ticket (encrypted with the service's secret key), (5) User presents Service Ticket to the service, which decrypts it and grants access.

Kerberos provides mutual authentication (both user and service verify each other) and uses timestamps to prevent replay attacks.

  • Kerberos: ticket-based authentication — no passwords sent over the network
  • KDC: central authentication server (domain controller in Active Directory)
  • TGT: initial ticket, obtained after password authentication
  • Service Ticket: used to access specific network services
  • Mutual authentication: both parties verify each other's identity
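The five-step flow above, worked through in code. This is an added example written for these notes, not MIT or Microsoft code, and it replaces Kerberos's real encryption types with a constructed toy authenticated-encryption helper (SHA-256 keystream plus HMAC tag) so it runs with only the standard library. It follows the standard protocol structure: the TGT is sealed under the KDC's own key (the krbtgt key) and the session key is returned to the client under the user's key; the service ticket is sealed under the service's key. Timestamped authenticators, a 5-minute skew window (assumed value) and a per-service replay cache show how replays are rejected, and the service's final reply under the session key is the mutual-authentication step. User names, passwords and service names are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds of clock skew tolerated; assumed value, typical of deployments


def _seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (constructed here, NOT a real Kerberos enctype):
    SHA-256 counter-mode keystream plus an HMAC-SHA256 tag over nonce and ciphertext."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. A wrong key (wrong password, forged ticket) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))


def _fresh(ts: float) -> None:
    if abs(time.time() - ts) > SKEW:
        raise ValueError("authenticator timestamp outside the clock-skew window")


def user_key(password: str) -> bytes:
    """Stand-in for the user's long-term key derived from the password."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one object."""

    def __init__(self, users: dict, services: dict):
        self.users = {u: user_key(p) for u, p in users.items()}
        self.services = services          # service principal -> long-term key
        self.krbtgt_key = os.urandom(32)  # only the KDC can open a TGT

    def as_exchange(self, user: str, preauth: bytes):
        # Steps 1-2: pre-authentication proves the client knows the user's key;
        # the TGT is sealed under the KDC key, the session key goes back under the user key.
        ukey = self.users[user]
        _fresh(_open(ukey, preauth)["ts"])
        sk = os.urandom(32)
        tgt = _seal(self.krbtgt_key, {"user": user, "sk": sk.hex(), "exp": time.time() + 36000})
        return tgt, _seal(ukey, {"sk": sk.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        # Steps 3-4: open the TGT, check the authenticator under the TGT session key,
        # then issue a service ticket sealed under that service's own key.
        t = _open(self.krbtgt_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        a = _open(sk, authenticator)
        if a["user"] != t["user"]:
            raise ValueError("authenticator does not match ticket")
        _fresh(a["ts"])
        ssk = os.urandom(32)
        ticket = _seal(self.services[service],
                       {"user": t["user"], "sk": ssk.hex(), "exp": time.time() + 3600})
        return ticket, _seal(sk, {"sk": ssk.hex()})


class Service:
    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()  # (user, ts) authenticators already accepted

    def ap_exchange(self, ticket: bytes, authenticator: bytes):
        # Step 5: open the ticket with the service key, check the authenticator, reject
        # replays, and answer under the session key so the client can verify the service.
        t = _open(self.key, ticket)
        if t["exp"] < time.time():
            raise ValueError("service ticket expired")
        ssk = bytes.fromhex(t["sk"])
        a = _open(ssk, authenticator)
        if a["user"] != t["user"]:
            raise ValueError("authenticator does not match ticket")
        _fresh(a["ts"])
        if (a["user"], a["ts"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["user"], a["ts"]))
        return t["user"], _seal(ssk, {"ts": a["ts"]})


def client_flow(kdc: KDC, svc: Service, service_name: str, user: str, password: str):
    """Run the whole flow as the client. Returns (user the service accepted,
    service proved itself, a second use of the same authenticator was rejected)."""
    ukey = user_key(password)
    tgt, reply = kdc.as_exchange(user, _seal(ukey, {"ts": time.time()}))
    sk = bytes.fromhex(_open(ukey, reply)["sk"])
    ticket, reply = kdc.tgs_exchange(tgt, _seal(sk, {"user": user, "ts": time.time()}), service_name)
    ssk = bytes.fromhex(_open(sk, reply)["sk"])
    ts = time.time()
    auth = _seal(ssk, {"user": user, "ts": ts})
    accepted, ap_rep = svc.ap_exchange(ticket, auth)
    mutual_ok = _open(ssk, ap_rep)["ts"] == ts
    try:
        svc.ap_exchange(ticket, auth)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return accepted, mutual_ok, replay_rejected


def demo(password: str = "correct horse"):
    """Constructed realm: one user, one service. Raises ValueError on a wrong password."""
    svc_key = os.urandom(32)
    kdc = KDC({"alice": "correct horse"}, {"http/web.example": svc_key})
    return client_flow(kdc, Service(svc_key), "http/web.example", "alice", password)


if __name__ == "__main__":
    print(demo())  # (accepted user, mutual authentication ok, replay rejected)
```

Two things the code makes visible that the prose only states: the user's password never crosses the wire (only a timestamp sealed under a key derived from it), and the service never talks to the KDC at all; it trusts the ticket because only the KDC holds the service key used to seal it.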

Exam Tip

RADIUS vs TACACS+ is a classic exam comparison: RADIUS uses UDP, encrypts password only, used for user network access. TACACS+ uses TCP, encrypts everything, used for device admin. Kerberos uses tickets (TGT and service tickets) — understand the flow.