AAA Concepts: Authentication, Authorization, and Accounting - The Network DNA: Networking, Cloud, and Security Technology Blog

AAA Concepts: Authentication, Authorization, and Accounting


AAA (Authentication, Authorization, and Accounting) is a framework for controlling access to computer resources, enforcing policy, auditing usage, and producing the records needed to bill for services. Compared with passwords configured locally on each device, a central AAA server scales better and gives one place to manage credentials, policy, and audit trails.

Authentication

Authentication verifies the identity of a user or device. It answers the question: "Who are you?" Common authentication methods include:

  • Local: Uses a user database held on the device itself (for example, an IOS line configured with login local together with username entries). Simple, but credentials must be maintained on every device and there is no central audit trail.
  • RADIUS (Remote Authentication Dial-In User Service): An open client/server protocol (RFC 2865) that runs at the application layer over UDP, port 1812 for authentication and 1813 for accounting (some older deployments still use 1645/1646). Authentication and authorization are combined in a single Access-Request/Access-Accept exchange. Only the User-Password attribute is obscured, using MD5 keyed with the shared secret; the rest of the packet, including the user name, crosses the wire in cleartext, so RADIUS should run on a protected network or over TLS (RadSec, RFC 6614). It is commonly used for network access such as Wi-Fi, VPN, and 802.1X.
  • TACACS+ (Terminal Access Controller Access-Control System Plus): A Cisco-developed protocol, now documented in RFC 8907, that separates authentication, authorization, and accounting into distinct exchanges. It uses TCP port 49 and encrypts the entire packet body, and it is generally preferred for device administration because it supports per-command authorization.

Authorization

Authorization determines what an authenticated user is permitted to do. It answers the question: "What are you allowed to do?" This can include granting specific command privileges, access to certain network segments, or specific network services. TACACS+ is particularly strong in providing granular command authorization.

Accounting

Accounting tracks user activity, including what resources they accessed, when they accessed them, and for how long. It answers the question: "What did you do?" This information is crucial for auditing, billing, and security forensics. Accounting records can include login/logout times, commands executed, and amount of data transferred.


Securing the Management Plane

The management plane refers to the part of a network device that is used for managing and monitoring the device itself. Securing this plane is paramount to prevent unauthorized configuration changes or denial of management access. Key aspects include:

  • Using SSH instead of Telnet: Encrypts management traffic, preventing eavesdropping.
  • Implementing Management VLANs: Isolating management traffic from user data traffic.
  • Applying Access Control Lists (ACLs): Restricting management access to specific IP addresses or subnets.
  • Role-Based Access Control (RBAC): Assigning different privilege levels to users based on their roles.
  • Out-of-Band Management: Using a separate, dedicated network for management traffic, physically or logically separated from the production network.
  • SNMP Security: SNMPv1 and SNMPv2c authenticate with community strings that cross the wire in cleartext, so prefer SNMPv3 with authentication and privacy (authPriv). Where v2c cannot be retired, use read-only, hard-to-guess community strings and restrict polling sources with an ACL.

By implementing these measures, network administrators can significantly reduce the risk of unauthorized access to and manipulation of critical network infrastructure.
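A quick way to check several of the controls above against a running config, as an added example that is not part of the original post: the script below parses an IOS-style configuration into top-level commands and their indented sub-commands, then flags vty lines that still accept Telnet or lack an inbound access-class, missing SSHv2 enforcement, SNMPv1/v2c community strings, the absence of an SNMPv3 priv group, and the absence of aaa new-model. Both configurations are constructed samples, not real devices, and the checks are illustrative rather than a complete hardening baseline.

```python
# Added example (not from the original post): a small audit of an IOS-style running
# config against the management-plane controls listed above. Both configs below are
# constructed samples, not real devices; the checks are illustrative, not exhaustive.
import re

WEAK_CONFIG = """\
! constructed sample: typical pre-hardening state
hostname edge-rtr-1
username netops privilege 15 secret NetOpsExamplePassphrase
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""

HARDENED_CONFIG = """\
! constructed sample: same device after applying the controls
hostname edge-rtr-1
aaa new-model
aaa authentication login default local
username netops privilege 15 secret NetOpsExamplePassphrase
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.20.30.0 0.0.0.255
 deny any log
snmp-server group NETMON v3 priv
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
"""


def parse_sections(text: str) -> list:
    """Split a config into (command, [indented sub-commands]) pairs.
    Global one-liners simply have an empty sub-command list."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit(config_text: str) -> list:
    """Return (severity, where, message) findings for the listed management-plane controls."""
    findings = []
    sections = parse_sections(config_text)
    top = [cmd for cmd, _ in sections]

    # SSH instead of Telnet, and an ACL on each vty line block.
    for cmd, sub in sections:
        if not cmd.startswith("line vty"):
            continue
        transports = [s for s in sub if s.startswith("transport input")]
        if not transports:
            findings.append(("HIGH", cmd, "transport input not pinned to ssh"))
        elif transports[-1].split()[2:] != ["ssh"]:
            findings.append(("HIGH", cmd, f"'{transports[-1]}' allows cleartext Telnet"))
        if not any(s.startswith("access-class") and s.endswith(" in") for s in sub):
            findings.append(("MEDIUM", cmd, "no inbound access-class ACL on management sources"))

    if "ip ssh version 2" not in top:
        findings.append(("MEDIUM", "global", "SSHv2 not enforced (ip ssh version 2)"))

    # SNMP: v1/v2c community strings cross the wire in cleartext.
    for cmd in top:
        if cmd.startswith("snmp-server community"):
            findings.append(("HIGH", cmd, "SNMPv1/v2c community string; migrate to SNMPv3 authPriv"))
    if any(c.startswith("snmp-server") for c in top) and \
            not any(re.match(r"snmp-server group \S+ v3 priv\b", c) for c in top):
        findings.append(("MEDIUM", "global", "no SNMPv3 group with priv (auth + encryption)"))

    # Centralised AAA rather than per-line local passwords.
    if "aaa new-model" not in top:
        findings.append(("MEDIUM", "global", "AAA not enabled (aaa new-model)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for sev, where, msg in results:
            print(f"  [{sev}] {where}: {msg}")
```

The weak sample produces seven findings (two HIGH: Telnet on vty 0 4 and the v2c community string) and the hardened sample none. The parser is deliberately minimal: it treats any indented line as belonging to the preceding top-level command, which is enough for line and access-list blocks but would need extending for nested interface sub-modes.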