AAA stands for Authentication, Authorization, and Accounting. Since networks first appeared, the AAA mechanism has been a foundation of network operation: the use of resources in a network has to be managed through authentication, authorization, and accounting. AAA uses a client/server architecture. The client runs on the NAS (Network Access Server), and the server manages user information in a centralized manner. To the user, the NAS is the server; to the AAA server, the NAS is the client.
Authentication verifies the identity of a user who wants to use resources in the network system. During this process the NAS obtains identity information by interacting with the user and submits it to the authentication server; the server compares the submitted credentials with the user information stored in its database and decides from the result whether the claimed identity is genuine. Authorization determines how an authenticated user may use the system's resources: it specifies the services and rights the user may use and hold once connected to the network, for example the IP address the user is authorized to use. Accounting collects and records the user's consumption of network resources, so that the user can be charged for network usage or the records can be used for auditing.
RADIUS is a client/server protocol; its original client is the NAS. The RADIUS authentication mechanism is flexible and can carry PAP, CHAP, or UNIX login authentication. RADIUS is extensible: everything it carries is encoded as Type-Length-Value attributes. Its basic operation is as follows. The user connects to the NAS. The NAS submits the user's information, including user name and password, to the RADIUS server in an Access-Request packet. The password is not sent in the clear: it is hidden by XORing it with an MD5 digest computed over the shared secret and the packet's Request Authenticator. The shared secret is known to both parties and is never transmitted over the network. The RADIUS server checks the validity of the user name and password and, if necessary, returns an Access-Challenge requiring further authentication from the user. A similar check applies to the NAS itself, since only a NAS holding the same shared secret can produce a password the server can recover, and the NAS in turn verifies the server's replies through the Response Authenticator, an MD5 digest over the reply and the secret. If the credentials are valid, the server returns an Access-Accept packet to the NAS, allowing the user to proceed; otherwise it returns Access-Reject and access is refused. If access is granted, the NAS sends an Accounting-Request to the RADIUS server, which replies with Accounting-Response and begins accounting for that user; meanwhile the user can carry out its own operations. Note that the password hiding is keyed obfuscation rather than authenticated encryption and the rest of the packet travels in the clear, so RADIUS traffic should be confined to a trusted management network or protected by IPsec or TLS.
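As an added example (not from the original page or any vendor implementation), the following Python simulates the exchange just described in-process: the NAS builds an Access-Request whose User-Password is hidden under the shared secret and a random Request Authenticator, the server recovers and checks the password and answers Access-Accept (carrying an authorized Framed-IP-Address) or Access-Reject, and the NAS verifies the Response Authenticator before trusting the reply. The shared secret, user database, NAS and framed addresses, and the simplifications (one value per attribute type, no Access-Challenge or accounting) are assumptions made for the example.

```python
# RADIUS Access-Request / Access-Accept exchange (RFC 2865) with NAS and server simulated
# in-process. Added example, not vendor code; secret, users and addresses are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with MD5(secret + previous
    # ciphertext block); block 0 uses the Request Authenticator. Keyed obfuscation, not AEAD.
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, request_auth):
    # Server-side inverse of hide_password; the NUL padding is stripped afterwards.
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def encode_attrs(attrs):
    # Type(1) Length(1, header included) Value(0..253): the TLV form every attribute uses.
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)

def decode_attrs(data):
    # Walk the TLV list, refusing a Length below the header size or running past the buffer.
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, length = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_packet(code, identifier, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes)) + authenticator + attrs_bytes

def parse_packet(pkt):
    # Return (code, identifier, authenticator, raw attributes) after bounds-checking Length.
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    return code, identifier, pkt[4:20], pkt[20:length]

def response_authenticator(code, identifier, request_auth, attrs_bytes, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret); the secret itself is never sent.
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def nas_access_request(identifier, username, password, secret, nas_ip):
    # NAS side: fresh random Request Authenticator per request, password hidden under it.
    request_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth)),
                          (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)

def server_handle(request, secret, user_db, framed_ip):
    # Server side: check the password, answer Access-Accept (with the authorized
    # Framed-IP-Address) or Access-Reject, each sealed with a Response Authenticator.
    code, identifier, request_auth, raw = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request, got code %d" % code)
    fields = dict(decode_attrs(raw))
    username, hidden = fields.get(USER_NAME), fields.get(USER_PASSWORD)
    ok = bool(username in user_db and hidden and len(hidden) % 16 == 0
              and hmac.compare_digest(user_db[username], reveal_password(hidden, secret, request_auth)))
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    rattrs = encode_attrs([(FRAMED_IP_ADDRESS, bytes(int(o) for o in framed_ip.split(".")))]) if ok else b""
    return build_packet(rcode, identifier, response_authenticator(rcode, identifier, request_auth, rattrs, secret), rattrs)

def nas_check_response(response, request, secret):
    # NAS side: accept only if the Identifier matches and the Response Authenticator verifies; else None.
    rcode, rid, rauth, rraw = parse_packet(response)
    _, qid, qauth, _ = parse_packet(request)
    expected = response_authenticator(rcode, rid, qauth, rraw, secret)
    return rcode if rid == qid and hmac.compare_digest(expected, rauth) else None
```

Calling nas_access_request, server_handle and nas_check_response in sequence with the same secret on both sides yields ACCESS_ACCEPT for a correct password and ACCESS_REJECT for a wrong one. A NAS configured with a different secret produces a hidden password the server cannot recover, so it is rejected; a reply whose attributes were altered in transit, or that came from a server holding a different secret, fails the Response Authenticator check and nas_check_response returns None. decode_attrs bounds-checks every attribute Length before slicing, which is the first thing a RADIUS parser should get right.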
TACACS is an older authentication protocol for UNIX networks. It allows a remote access server to forward the user's login password to an authentication server, which decides whether the user may log in to the system. Its security is weaker than that of TACACS+ and RADIUS. TACACS+ is in fact a separate, newer protocol, and TACACS+ and RADIUS have replaced the earlier protocol in present-day networks. TACACS+ uses TCP (port 49), while RADIUS uses UDP (ports 1812 for authentication and 1813 for accounting). RADIUS combines authentication and authorization from the user's point of view, whereas TACACS+ separates the two operations. TACACS+ also encrypts the entire packet body, while RADIUS hides only the password attribute and sends the remaining attributes in the clear.