Authentication Services (AAA)

The Authentication, Authorisation & Accounting (AAA) service is part of the essential 'glue' of a modern network. However, it is an area that has traditionally received less emphasis than other areas of the IT infrastructure.

This situation is changing fast, with the massive growth in mobility and cloud-based technology being two drivers worth mentioning. As more parts of the IT infrastructure leverage user- and application-aware technologies, the AAA service is playing the lead role in co-ordinating those services.

In particular, new products offer vastly improved functionality, such as the ability to automatically configure mobile devices and to let guests self-register.

AUTHENTICATION

Authentication is simply the process of checking a new user's credentials, that is, verifying their identity by way of a username and password or some other technique.

Authentication servers are hubs: they communicate with the infrastructure that provides network access, known as Network Access Devices (NAS), and authenticate users and devices against your identity systems on behalf of those devices.

Network Access Devices include edge switches, mobility controllers, VPN servers and so on. Identity management systems include Microsoft Active Directory, Oracle Identity Management or standard LDAP.

AUTHORISATION

Authorisation is where we decide what IT resources a user or device - or combination thereof - can access. Authorisation occurs immediately after authentication.

The authorisation capability of AAA servers has grown massively in recent years. Authorisation can now take into account a wide range of factors, such as the user's group memberships, physical location, whether they are wireless or wired, what device they are connecting from, what OS their device has and whether it is running an up-to-date Anti-Virus.

In simple terms, the authorisation process maps an identity to a role for the duration of that connection. Network Access Devices are informed of the role decision and apply the network access policy based on role membership.

Some of the applications of authorisation include:

  • Providing different access to different groups of users, e.g. Executives, IT staff, Accounts, HR.
  • Differentiating between employees and guests
  • Implementing Network Access Control (NAC)
  • Blacklisting certain users or devices
  • Disallowing valid users on personal devices

ACCOUNTING

Accounting is the final key role for an AAA service. Accounting provides a detailed record of each logon and logoff event. This facilitates:

  • Audit Trails
  • Connection Histories
  • Bandwidth and Resource Usage, down to the user and device level
  • Capacity Planning, Usage trends
  • Event Correlation - mapping users to changing IP addresses
  • Third-Party device integration

The last point is a particularly useful feature of Accounting. The AAA server can forward accounting records containing identity and role information to third-party devices - beyond the actual authenticating Network Access Device - in order to apply policy elsewhere in your infrastructure.

For example, Next-Generation Firewalls and Packet Shapers can apply their own policy to users' traffic based on the role provided by the AAA server, rather than requiring a secondary logon process.
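The three stages described above, as an added example that is not part of this page or of any product named on it: a small Python model of the AAA decision, with a constructed identity store standing in for AD/LDAP, ordered authorisation rules over the factors listed under Authorisation (group, device ownership, Anti-Virus posture), and an accounting log replayed to map an IP address back to its current user. All usernames, passwords, roles and addresses are constructed.

```python
"""Constructed AAA flow: authenticate, map identity + context to a role, account."""
import hashlib
import hmac

def _pw_hash(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed identity store standing in for AD/LDAP: user -> group and salted hash.
IDENTITY_STORE = {
    "alice": {"group": "Executives", "salt": "s1", "hash": _pw_hash("s1", "alice-pw")},
    "bob":   {"group": "Guests",     "salt": "s2", "hash": _pw_hash("s2", "bob-pw")},
}

def authenticate(user, password):
    """AUTHENTICATION: verify the credential; return the user's group or None."""
    entry = IDENTITY_STORE.get(user)
    if entry and hmac.compare_digest(_pw_hash(entry["salt"], password), entry["hash"]):
        return entry["group"]
    return None

# AUTHORISATION rules: (predicate over connection context, role); first match wins.
RULES = [
    (lambda c: not c["av_up_to_date"], "Quarantine"),
    (lambda c: c["group"] == "Guests", "Guest-Internet-Only"),
    (lambda c: c["group"] == "Executives" and c["corporate_device"], "Executive-Full"),
    (lambda c: c["group"] == "Executives", "Executive-BYOD-Limited"),
]

def authorise(context):
    """Map identity plus context to a role; no matching rule means deny."""
    return next((role for pred, role in RULES if pred(context)), "Deny")

def access_request(user, password, context):
    """What the NAS asks the AAA server: Accept with a role, or Reject."""
    group = authenticate(user, password)
    if group is None:
        return ("Access-Reject", None)
    role = authorise(dict(context, group=group))
    return ("Access-Accept", role) if role != "Deny" else ("Access-Reject", None)

ACCOUNTING = []  # ACCOUNTING: Start/Stop records as the NAS would send them.
def account(event, user, role, ip):
    ACCOUNTING.append({"event": event, "user": user, "role": role, "ip": ip})

def user_for_ip(ip):
    """Event correlation: user currently behind an IP, replayed from the log."""
    owner = None
    for rec in (r for r in ACCOUNTING if r["ip"] == ip):
        owner = rec["user"] if rec["event"] == "Start" else None
    return owner
```

Rule order matters: the posture check comes first so an out-of-date device is quarantined regardless of who is logging in, and anyone no rule matches is rejected rather than given a default role.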

GUEST ACCESS

A guest or 'captive' portal for web-based authentication can be centrally provided by the AAA service. This includes mechanisms for guests to self-register, or to delegate guest registration to internal staff.

BRING YOUR OWN DEVICE (BYOD)

The AAA service can also provide BYOD provisioning, such as automatically configuring mobile devices for corporate Wi-Fi access and generating and pushing client certificates to approved devices.

NETWORK ACCESS CONTROL (NAC) AND MOBILE DEVICE MANAGEMENT (MDM)

Current AAA services include internal NAC or device profiling capability, as well as the ability to co-ordinate with external NAC and MDM solutions.

SUMMARY

AAA servers are now important gatekeepers and policy implementation tools, co-ordinating a number of key components of the IT infrastructure to deliver services.

Did you know?

The current leading AAA platform is

  • Aruba ClearPass

Competitors include:

  • Open Systems Radiator
  • Cisco ACS / ISE

Many other platforms exist offering more limited AAA functionality than described here.

Our Authentication Services

BGC IT Solutions has designed, implemented and operated AAA services supporting 5000 concurrent devices and a large user base of 30,000.

We are well placed to deliver expertise in this area, and to design a scalable, maintainable service for your Wi-Fi, NAC or BYOD solution.

Did you know?

Authentication or AAA servers are sometimes referred to as RADIUS Servers, referring to the RADIUS protocol that is used to communicate with Network Access Devices (NAS).