AAA protocol

In computer security, AAA stands for “authentication, authorization and accounting”.

Authentication 
Authentication refers to the confirmation that a user who is requesting services is a valid user of the network services requested. Authentication is accomplished via the presentation of an identity and credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).
Authorization 
Authorization refers to the granting of specific types of service (including "no service") to a user, based on their authentication, what services they are requesting, and the current system state. Authorization may be based on restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple logins by the same user. Authorization determines the nature of the service which is granted to a user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, QoS/differential services, bandwidth control/traffic management, compulsory tunneling to a specific endpoint, and encryption.
Accounting 
Accounting refers to the tracking of the consumption of network resources by users. This information may be used for management, planning, billing, or other purposes. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.
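
The three functions described above can be shown working together in a single login and logout cycle. The following is an added example, not code from the original article or from any AAA product: the user, site names, policy values and the `AAAServer` class are constructed for illustration, and accounting records are kept in memory (batch style) rather than delivered in real time.

```python
import hashlib, hmac
from datetime import datetime, time

SALT = b"example-salt"  # constructed; a real store uses a random per-user salt

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample data (hypothetical user, site and grant).
USERS = {"alice": _hash("correct horse")}
POLICY = {"alice": {"hours": (time(8), time(18)), "sites": {"hq"},
                    "max_sessions": 1, "grant": {"bandwidth_kbps": 512}}}

class AAAServer:
    def __init__(self):
        self.sessions = {}  # session id -> (user, granted service, start time)
        self.records = []   # accounting records held for later delivery

    def authenticate(self, user, password):
        stored = USERS.get(user)
        # Compare derived keys in constant time.
        return stored is not None and hmac.compare_digest(stored, _hash(password))

    def authorize(self, user, site, now):
        """Return the granted service, or None for "no service"."""
        p = POLICY[user]
        start, end = p["hours"]
        if not (start <= now.time() < end):
            return None                      # time-of-day restriction
        if site not in p["sites"]:
            return None                      # physical location restriction
        if sum(u == user for u, *_ in self.sessions.values()) >= p["max_sessions"]:
            return None                      # multiple-login restriction
        return p["grant"]

    def login(self, sid, user, password, site, now):
        if not self.authenticate(user, password):
            return None
        grant = self.authorize(user, site, now)
        if grant is not None:
            self.sessions[sid] = (user, grant, now)  # accounting: service began
        return grant

    def logout(self, sid, now):
        user, grant, began = self.sessions.pop(sid)
        rec = {"user": user, "service": grant, "began": began, "ended": now,
               "seconds": (now - began).total_seconds()}
        self.records.append(rec)             # accounting: service ended
        return rec
```
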

AAA is sometimes combined with auditing, in which case it becomes AAAA.


Requirements

  • RFC 2194 Review of Roaming Implementations
  • RFC 2477 Criteria for Evaluating Roaming Protocols
  • RFC 2881 Network Access Server Requirements Next Generation (NASREQNG) NAS Model
  • RFC 2903 Generic AAA Architecture
  • RFC 2904 AAA Authorization Framework
  • RFC 2905 AAA Authorization Application Examples
  • RFC 2906 AAA Authorization Requirements
  • RFC 3169 Criteria for Evaluating Network Access Server Protocols
  • RFC 3539 AAA Transport Profile
  • RFC 1234 AAA Transport Profile

List of AAA Protocols

  • Remote Authentication Dial In User Service (RADIUS)
  • DIAMETER
  • Terminal Access Controller Access-Control System (TACACS)
  • TACACS+ (Terminal Access Controller Access-Control System Plus)

Other protocols used in combination with the above:

  • Point-to-Point Protocol (PPP)
  • Extensible Authentication Protocol (EAP)
  • Protected Extensible Authentication Protocol (PEAP)
  • Lightweight Directory Access Protocol (LDAP)

Usage of AAA servers in CDMA data networks

AAA servers in CDMA data networks are entities that provide Internet Protocol (IP) functionality to support the functions of authentication, authorization and accounting. The AAA server in the CDMA wireless data network architecture is similar to the HLR in the CDMA wireless voice network architecture.


Types of AAA servers include the following:

  • Access Network AAA (AN-AAA) – Communicates with the RNC in the Access Network (AN) to enable authentication and authorization functions to be performed at the AN. The interface between AN and AN-AAA is known as the A12 interface.
  • Broker AAA (B-AAA) – Acts as an intermediary to proxy AAA traffic between roaming partner networks (i.e., between the H-AAA server in the home network and V-AAA server in the serving network). B-AAA servers are used in CRX networks to enable CRX providers to offer billing settlement functions.
  • Home AAA (H-AAA) – The AAA server in the roamer's home network. The H-AAA is similar to the HLR in voice. The H-AAA stores user profile information, responds to authentication requests, and collects accounting information.
  • Visited AAA (V-AAA) – The AAA server in the visited network from which a roamer is receiving service. The V-AAA in the serving network communicates with the H-AAA in a roamer's home network. Authentication requests and accounting information are forwarded by the V-AAA to the H-AAA, either directly or through a B-AAA.

Current AAA servers communicate using the RADIUS protocol. As such, TIA specifications refer to AAA servers as RADIUS servers. However, future AAA servers are expected to use a successor protocol to RADIUS known as DIAMETER.


The behavior of AAA servers (RADIUS servers) in the CDMA2000 wireless IP network is specified in TIA-835.


External links

  • The webpage of the Authentication, Authorization and Accounting IETF working group
  • Open Source Java IMS Diameter AAA solution


 
 

The Wikipedia article included on this page is licensed under the GFDL.