
What Is Authentication Authorization and Accounting? Security Definition

Also known as: AAA, AAA security, the AAA framework

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

AAA stands for Authentication, Authorization, and Accounting. Authentication checks your identity, like showing your ID card. Authorization decides what you are allowed to do, like which rooms you can enter. Accounting keeps a record of everything you do, like a logbook of your actions.

Must Know for Exams

AAA is a core topic on the CompTIA A+, Network+, and Security+ certification exams. On the A+ exam, AAA is introduced as a fundamental security concept. Questions may ask you to define each of the three components or identify which AAA component is being described in a scenario. For example, a question might describe a user who enters a password and is allowed access to a system, and then ask whether that scenario illustrates authentication, authorization, or accounting.

On the Network+ exam, AAA appears in the context of network access control, remote authentication, and device management. Candidates are expected to understand protocols like RADIUS and TACACS+, and to know that RADIUS combines authentication and authorization, while TACACS+ separates them. Questions may ask you to select the appropriate protocol for a given scenario, such as choosing RADIUS for wireless authentication or TACACS+ for network device administration.

On the Security+ exam, AAA is a major domain objective under Identity and Access Management (IAM). You must understand how identification (claiming an identity, such as typing a username) differs from authentication (proving that claim), and how both differ from authorization (what the proven identity may do). Security+ questions often present a detailed scenario involving a user accessing a secure server and ask you to identify which step failed. You may also need to know about multifactor authentication (MFA) as a way to strengthen authentication, as well as how accounting logs are used for auditing and compliance.

Across all three exams, AAA is frequently tested using scenario-based questions. You might be given a description of a user connecting to a VPN, and then asked to name the AAA component that determines whether the user can access the internal network. Another common question pattern asks you to order the AAA steps correctly. Understanding the flow from authentication to authorization to accounting is essential for answering these questions correctly.

Simple Meaning

Imagine you are going to a large office building that has many different rooms and floors. The first thing you must do when you arrive is prove who you are. You show your employee badge or scan your fingerprint at the front door. This step is authentication. It is the process of verifying that you are really who you say you are. The system checks your credentials against a database of known users. If your credentials match, the system says yes, you are a valid user.

Once you are inside the building, you cannot go everywhere. Some rooms are for managers only. Some floors require special clearance. The security system checks a list of permissions that are associated with your identity. For example, your badge might let you enter the main office and the break room, but not the server room or the CEO's office. This step is authorization. It decides what resources you can use and what actions you can perform, such as reading a file, printing a document, or installing software.

Finally, every time you enter a room or use a resource, the system records the event. It notes the time, the door you opened, and how long you stayed. This record is kept for later review, such as when an audit is done or when a security incident is investigated. This step is accounting. It creates a trail of activity that can be used to track usage, bill for services, or detect unusual behavior. In IT, the same three steps apply to users accessing networks, servers, applications, and cloud services. AAA is the foundation of security and access control in almost every modern system.

Full Technical Definition

Authentication, Authorization, and Accounting, commonly abbreviated as AAA, is a security architecture framework that provides centralized access control, policy enforcement, and usage tracking for network devices, servers, and applications. It is most commonly implemented with the Remote Authentication Dial-In User Service (RADIUS) protocol. TACACS+ (Terminal Access Controller Access-Control System Plus) is the usual choice for administering network devices, and Diameter, the successor to RADIUS, is used mainly in mobile and telecom networks. LDAP (Lightweight Directory Access Protocol) is not an AAA protocol itself; it is the directory protocol an AAA server typically uses to reach its identity store.

Authentication is the process of verifying the identity of a user, device, or service. It typically involves one or more factors: something you know (password or PIN), something you have (smart card or token), or something you are (biometric like fingerprint or iris scan). In enterprise networks, authentication is often handled by a centralized server that checks credentials against an identity store such as Active Directory, an LDAP directory, or a database of user accounts. EAP (Extensible Authentication Protocol) carries the authentication conversation itself: on a wired or wireless LAN it runs inside 802.1X between the client and the switch or access point, which relays it to the authentication server inside RADIUS.

Authorization follows successful authentication. It determines what resources and operations the authenticated entity is permitted to access. Authorization policies are defined by administrators and stored on the AAA server. For example, a user might be authorized to reach the internet but not to use administrative functions on a router. In RADIUS, authorization is carried in the attributes of the Access-Accept returned to the network access server (NAS): standard attributes such as Service-Type, Filter-Id, Session-Timeout and the VLAN tunnel attributes, plus vendor-specific attributes (VSAs) for features a particular vendor adds. The NAS enforces whatever those attributes say; a NAS may silently ignore an attribute it does not understand, so confirm device support before relying on an attribute to restrict access.

Accounting is the collection and logging of session information. It tracks when a session starts, when it ends, the amount of data transferred, the duration of the session, and which resources were accessed. This data is stored centrally and can be used for billing, capacity planning, security auditing, and compliance reporting. RADIUS accounting packets are sent from the NAS to the RADIUS accounting server at the start and end of each session, as well as periodically during the session.

In real IT environments, AAA is used for a wide range of scenarios. Remote access VPN users authenticate to a corporate network through a RADIUS server. Wireless network access points use AAA to authenticate clients before granting them network access. Network device administrators authenticate to routers and switches using TACACS+ or RADIUS, which also authorizes specific command sets. Public cloud providers like AWS and Azure implement AAA through Identity and Access Management (IAM) services, which authenticate users, authorize actions via policies, and log all API calls via audit trails like CloudTrail.

Real-Life Example

Think about how you enter a secure parking garage in a large city. First, you pull up to the entrance gate. There is a card reader and a keypad. You swipe your access card or enter a code. This is authentication. The garage system checks your card number against its database of registered users. If your card is valid and has not expired, the gate opens. The system has just confirmed that you are who your card says you are; it has not yet decided where you may park.

Once inside, you drive up to the second floor. That floor has a gate that only allows monthly pass holders. You swipe your card again, and the system checks your authorization. It sees that your account includes access to the second floor. The gate opens. This is authorization. If your account only included ground floor access, the second floor gate would stay closed, and you would have to park on the ground floor.

Now, every time you enter or leave, the garage system records the date, time, and location of the event. At the end of the month, the garage owner runs a report that shows how many times you came, how long you stayed, and whether you exceeded your allowed hours. This is accounting. It is used to generate your monthly bill and to check for any suspicious activity, like someone using your card at odd hours.

Mapping this to IT: The access card is your username and password. The garage database is the AAA server. The gate controllers are network devices like routers or switches. The recorded entry and exit times are the accounting logs. This same pattern applies when you log into a corporate network, access a cloud application, or connect to a Wi-Fi hotspot.

Why This Term Matters

AAA is a core security concept because it enforces three critical principles of information security: identification, access control, and accountability. Without authentication, anyone could claim to be anyone else, and an attacker could impersonate a legitimate user. Without authorization, once a user is authenticated, they would have unrestricted access to all systems, which could lead to data breaches or accidental damage. Without accounting, there would be no way to know who did what, when, and for how long, making it impossible to investigate security incidents or to enforce usage policies.

In practical IT work, AAA is used daily by system administrators, network engineers, and security professionals. For example, when a network engineer configures a router to use AAA for administrative access, they ensure that only authenticated users can log in, that each user has a specific privilege level, and that every command they type is logged. This is essential for compliance with regulations like PCI-DSS, HIPAA, and SOX, which require strict access controls and audit trails.

AAA also enables centralized management. Instead of configuring usernames and passwords on every device individually, an organization can maintain a single AAA server or directory service that all devices query. This simplifies user management, reduces errors, and allows for quick revocation of access when an employee leaves the company. In cloud environments, AAA is the foundation of IAM policies that control who can launch virtual machines, read databases, or delete storage buckets.

From a troubleshooting perspective, understanding AAA is crucial. If a user cannot access a network resource, the issue might be an authentication failure (wrong credentials, an expired or locked account, or a request the server dropped because it does not recognise the device that sent it) or an authorization failure (the user authenticated, but the returned policy does not permit the resource). An accounting problem (sessions not being logged) does not usually block access, but it leaves you without the records you need to tell the first two apart. Without a clear understanding of the three A's, diagnosing access issues becomes much harder.

How It Appears in Exam Questions

AAA appears in exam questions in several distinct patterns. The most common is the definition or identification question. The exam presents a short description and asks you to choose the correct AAA component. For example, "Which AAA component verifies the identity of a user?" with answer options like Authentication, Authorization, Accounting, or Access Control. Another variation asks you to match actions to components, such as "A user is granted permission to read a file" matches Authorization.

Scenario questions are very common. A typical scenario might describe an employee using a badge to enter a building, then going to a restricted area where the badge is checked again, and finally the system records the entry time. The question asks which AAA components are illustrated in the scenario. You must identify that the first check is authentication, the second check is authorization, and the recording is accounting.

Configuration and troubleshooting questions appear more on Network+ and Security+. For example, you might be told that a user can authenticate to a RADIUS server but still cannot access a network resource. The question asks for the most likely cause. The answer would be an authorization issue, such as missing permissions in the RADIUS policy. Another question might describe a network administrator who logs into a router and sees that previous commands are not being logged. The question asks what AAA component is not functioning correctly, and the answer is accounting.

Protocol-related questions are also common. You may be asked to compare RADIUS and TACACS+. For instance, "Which protocol separates authentication and authorization?" TACACS+. Or, "Which protocol encrypts the entire packet body?" TACACS+ (RADIUS protects only the User-Password attribute). Or, "Which protocol is most commonly used for wireless network authentication?" RADIUS. Sometimes questions ask about the port numbers used by RADIUS (UDP 1812 for authentication and UDP 1813 for accounting; older implementations used 1645 and 1646) or by TACACS+ (TCP 49).

Finally, some questions test your understanding of AAA as a framework. For example, A company wants to ensure that all user activity is logged for compliance purposes. Which AAA component should they focus on? Answer: Accounting. These questions are designed to see if you can apply the framework to real-world needs.


Example Scenario

Situation: Maria works for a mid-sized company and is trying to access the company's internal HR portal from her laptop. She opens a web browser and navigates to the portal's URL. The portal displays a login screen asking for her username and password. Maria enters her credentials and clicks submit. The portal checks her username and password against the company's Active Directory server. The server confirms the password matches. This is authentication.

Once authenticated, the portal checks Maria's employee profile. The portal has a list of roles and permissions. Maria's profile indicates she is in the HR department and has the role of HR Specialist. The portal looks at the authorization rules: HR Specialists can view employee records but cannot modify salary information or delete records. The portal then loads the main page showing only the features Maria is allowed to use. This is authorization. Maria can see the employee directory and time-off requests, but the buttons to edit salaries are grayed out.

As Maria uses the portal, the system logs every action she takes. It records the time she logged in, the pages she visited, the specific employee records she viewed, and when she logged out. These logs are stored securely and are later used for an audit to ensure that only authorized users accessed sensitive data. This is accounting. If a security incident occurs, the accounting logs will show exactly which records Maria viewed, providing a trail for investigation.

Application to AAA: In this scenario, authentication happened when Maria provided her password and the system verified it. Authorization occurred when the system decided what parts of the portal she could see based on her role. Accounting took place as the system logged her activity. All three steps worked together to keep the HR portal secure and auditable.
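To make the three gates concrete, here is an added example (not from the original page and not code from any real HR product) of how an application like Maria's portal can keep authentication, authorization and accounting as separate steps. The users, passwords, roles and action names are constructed for the example. The point is that a correct password yields a principal, the principal's role decides each action independently, and denials as well as successes land in the accounting log.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

# --- Constructed identity store (not a real directory) -----------------------
# Passwords are stored as salted PBKDF2 hashes; the plaintexts appear only here
# so the example can log in. The role is the link between authn and authz.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _new_user(password: str, role: str, enabled: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "role": role, "enabled": enabled}

USERS = {
    "maria": _new_user("Spring2024!", "hr_specialist"),
    "dana": _new_user("Winter2024!", "hr_manager"),
    "leaver": _new_user("Gone2023!", "hr_specialist", enabled=False),  # left the company
}

# Authorization policy: role -> set of permitted actions (constructed).
ROLE_PERMISSIONS = {
    "hr_specialist": {"employee:read", "timeoff:read"},
    "hr_manager": {"employee:read", "timeoff:read", "salary:write", "employee:delete"},
}

# Accounting: an append-only list standing in for a log file or SIEM feed.
ACCOUNTING_LOG: list = []

def account(event: str, **fields) -> dict:
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
    ACCOUNTING_LOG.append(record)
    return record

# --- Gate 1: authentication --------------------------------------------------
def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified principal name, or None. Failures are accounted too."""
    user = USERS.get(username)
    if user is None or not user["enabled"]:
        _pbkdf2(password, b"\x00" * 16)  # same cost as a real check, so timing does not reveal valid usernames
        account("authn_failure", user=username, reason="unknown_or_disabled")
        return None
    if not hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"]):
        account("authn_failure", user=username, reason="bad_password")
        return None
    account("authn_success", user=username)
    return username

# --- Gate 2: authorization ---------------------------------------------------
def authorize(principal: str, action: str) -> bool:
    """Decide from the principal's role; a proven identity alone grants nothing."""
    allowed = action in ROLE_PERMISSIONS.get(USERS[principal]["role"], set())
    account("authz_allow" if allowed else "authz_deny", user=principal, action=action)
    return allowed

# --- The gates in order, with accounting throughout ----------------------------
def handle_request(username: str, password: str, action: str) -> str:
    principal = authenticate(username, password)
    if principal is None:
        return "401 authentication failed"  # who you are was not established
    if not authorize(principal, action):
        return "403 not authorized"         # identity proven, permission missing
    account("action", user=principal, action=action)
    return "200 ok"

def audit_trail(username: str) -> list:
    """What an auditor reads back later: the sequence of events for one user."""
    return [r["event"] for r in ACCOUNTING_LOG if r.get("user") == username]
```

The 401 versus 403 distinction is the exam trap in code form: a wrong password never reaches authorize(), and a correct password for an HR Specialist still produces 403 on salary:write. Denied attempts are logged on purpose; a run of authz_deny events for one user is exactly the signal an auditor wants to see.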

Common Mistakes

Confusing authentication and authorization.

Authentication is about who you are, while authorization is about what you are allowed to do. They are separate processes. A user can be authenticated but not authorized to access a resource.

Remember: authentication is proving identity (show your ID), authorization is granting permission (what doors you can open).

Thinking accounting is the same as auditing.

Accounting is the collection and logging of usage data. Auditing is the review and analysis of that data. Accounting provides the raw material for audits, but they are not the same process.

Accounting is like a security camera that records video. Auditing is like a security guard watching the footage later to find problems.

Believing RADIUS provides all three AAA functions equally.

RADIUS combines authentication and authorization in a single packet, but accounting is handled separately using different packets and ports. TACACS+ separates all three functions into different packets.

Know that RADIUS bundles authentication and authorization, while accounting is separate. TACACS+ separates all three.

Assuming a user who is authenticated is automatically authorized.

Authentication only confirms identity. A system may authenticate a user but then deny access to a specific resource because the user does not have the required permissions. The two steps are independent.

Always treat authentication and authorization as separate gates. Passing the first gate does not guarantee passing the second.

Forgetting accounting when thinking about AAA.

Many learners focus on authentication and authorization and overlook accounting. But accounting is essential for compliance, billing, and security investigations.

When studying AAA, always remind yourself of the three A's. Use the mnemonic 'Who, What, When' (Who you are, What you can do, When you did it).

Exam Trap — Don't Get Fooled

An exam scenario describes a user who successfully logs into a system but cannot access a specific file. The question asks which AAA component failed. Many learners choose 'Authentication' because they think the login was successful, so authentication is fine.

But the real issue is authorization. Read the scenario carefully. If the user successfully logged in, authentication worked. If the user cannot access a specific resource after logging in, the problem is authorization.

Always check the sequence: authentication first, then authorization. If authentication passed, the next issue is authorization.

Commonly Confused With

Authentication Authorization and Accounting vs Identification

Identification is the act of claiming an identity, such as providing a username. Authentication is proving that you are that identity, such as providing the correct password. Identification happens before authentication.

Saying 'I am Alice' is identification. Showing a photo ID that matches Alice is authentication.

Authentication Authorization and Accounting vs Access Control List (ACL)

An ACL is a list of rules that define permissions for users or groups. It is a tool used to implement authorization. AAA is a broader framework that includes authentication, authorization, and accounting, while an ACL is just one part of the authorization component.

AAA decides who can enter a building and logs their entries. An ACL is like a list on a specific door that says only managers can enter that room.

Authentication Authorization and Accounting vs Multifactor Authentication (MFA)

MFA is a specific method of strengthening authentication by requiring two or more factors (password plus a code from a phone). AAA includes authentication as one of its three components, but AAA also covers authorization and accounting. MFA is just one type of authentication mechanism within AAA.

AAA is the full security system for a building. MFA is like requiring both a key card and a fingerprint to open the front door.

Authentication Authorization and Accounting vs Single Sign-On (SSO)

SSO allows a user to authenticate once and then access multiple systems without re-entering credentials. SSO focuses on the authentication process across systems. AAA is a broader framework that includes authorization and accounting as well. SSO can use AAA as the underlying authentication mechanism.

SSO is like a master key that opens multiple doors after you prove your identity once. AAA is the entire system that checks your key, decides which doors you can open, and logs when you use the key.

Step-by-Step Breakdown


Step 1: User or device requests access

The process begins when a user tries to connect to a network, log into an application, or access a resource. For example, a user opens a VPN client and enters their credentials. The request is sent to a network access server or a service that will initiate the AAA process.


Step 2: Authentication challenge

The AAA server or the service receives the request and challenges the user to prove their identity. This is typically done by asking for a password, a PIN, a biometric scan, or a token code. The server checks the provided credential against its stored records.


Step 3: Authentication decision

If the credential matches, the server sends a success message, often called an Access-Accept packet in RADIUS. If the credential does not match, the server sends an Access-Reject packet, and the user is denied access. This step completes the authentication phase.


Step 4: Authorization enforcement

Once authenticated, the server checks the user's profile or policy to determine what resources and actions the user is allowed to access. The server then sends authorization attributes back to the network device or application. For example, it might specify that the user can browse the web but cannot access the database server.


Step 5: Access granted based on authorization

The network device or application uses the authorization attributes to enforce the allowed level of access. The user is now connected or logged in, but only to the resources permitted by the authorization policy.


Step 6: Accounting begins

As soon as access is granted, the network device sends an Accounting-Request with Acct-Status-Type set to Start, carrying the session ID, the user identity, a timestamp, and the device or network address used. The AAA server acknowledges it with an Accounting-Response and opens the accounting record.


Step 7: Session in progress with periodic updates

While the user is connected, the network device may send periodic accounting updates to the server. These updates report ongoing usage, such as the amount of data transferred or the duration of the session. This helps maintain an accurate record, especially for billing or capacity monitoring.


Step 8: Session termination and accounting stop

When the user disconnects or the session ends, the network device sends an accounting stop packet. This packet includes the final usage statistics, such as total session time, data in and out, and the reason for termination. The AAA server then closes the accounting record.


Step 9: Logging and storage

All accounting records are stored centrally, often in a database or a log file. These records can be reviewed by administrators, used for reporting, or exported to a Security Information and Event Management (SIEM) system for analysis.


Step 10: Audit and review (optional but common)

Periodically, security teams or auditors review the accounting logs to verify that access policies are being followed, to detect suspicious activity, or to generate compliance reports. This step is not part of the AAA process itself but is a key use of the accounting data.
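The review in Step 10 is easiest to see on data. The following added example (not part of the original page) runs three simple checks over constructed accounting records: session Starts outside business hours, Starts with no matching Stop, and one user starting sessions from two different network devices within a few minutes. The CSV layout and every name, session ID and address in it are invented for the example; a real export from a SIEM or a FreeRADIUS detail file would carry more fields but the logic is the same.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed accounting records (not real data): one row per Accounting-Request.
SAMPLE_RECORDS = """timestamp,user,session_id,status,nas_ip
2024-05-06T08:58:10,maria,s-101,Start,10.0.0.1
2024-05-06T12:01:00,maria,s-101,Stop,10.0.0.1
2024-05-06T03:07:42,bob,s-102,Start,10.0.0.2
2024-05-06T03:40:09,bob,s-102,Stop,10.0.0.2
2024-05-06T09:15:00,alice,s-103,Start,10.0.0.1
2024-05-06T09:17:30,alice,s-104,Start,10.0.0.3
2024-05-06T17:00:00,alice,s-103,Stop,10.0.0.1
"""

def parse_records(text: str) -> list:
    """Parse the CSV and return rows sorted by time, each with a datetime in 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["ts"])

def off_hours_logins(rows, start_hour: int = 7, end_hour: int = 20) -> list:
    """Session IDs whose Start falls outside the business window (hours in record time zone)."""
    return [r["session_id"] for r in rows
            if r["status"] == "Start" and not start_hour <= r["ts"].hour < end_hour]

def unterminated_sessions(rows) -> list:
    """Starts with no matching Stop: a NAS that died, lost packets, or a session still open."""
    open_sessions = {}
    for r in rows:
        if r["status"] == "Start":
            open_sessions[r["session_id"]] = r["user"]
        elif r["status"] == "Stop":
            open_sessions.pop(r["session_id"], None)
    return sorted(open_sessions)

def starts_from_two_devices(rows, window: timedelta = timedelta(minutes=5)) -> list:
    """Users who started sessions from different NAS addresses within `window`,
    a common sign of shared or stolen credentials."""
    last_start, flagged = {}, set()
    for r in rows:
        if r["status"] != "Start":
            continue
        prev = last_start.get(r["user"])
        if prev and prev["nas_ip"] != r["nas_ip"] and r["ts"] - prev["ts"] <= window:
            flagged.add(r["user"])
        last_start[r["user"]] = r
    return sorted(flagged)

def review(text: str) -> dict:
    """Run all three checks and return the findings keyed by check name."""
    rows = parse_records(text)
    return {
        "off_hours": off_hours_logins(rows),
        "unterminated": unterminated_sessions(rows),
        "multi_device": starts_from_two_devices(rows),
    }
```

On the constructed data, review(SAMPLE_RECORDS) flags bob's 03:07 session as off-hours, alice's s-104 as never stopped, and alice as having started sessions from 10.0.0.1 and 10.0.0.3 within three minutes. Each finding is only as good as the accounting feed behind it: a NAS that never sends Stop packets will look like a string of unterminated sessions, which is itself worth an alert.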

Practical Mini-Lesson

AAA is not just a theoretical concept; it is implemented in almost every IT environment. As a professional, you need to know how to configure and troubleshoot AAA in common systems. The most widespread implementation is RADIUS, which is used for wireless network authentication (WPA2-Enterprise), VPN access, and network device administration. To set up a basic RADIUS system, you need a RADIUS server (like FreeRADIUS or Microsoft Network Policy Server) and a RADIUS client (the network device, such as a wireless access point or a VPN gateway).

When configuring a RADIUS client, you define the IP address of the RADIUS server and a shared secret. The shared secret does not encrypt the exchange: it is mixed into an MD5 keystream that hides only the User-Password attribute, and it keys the Response Authenticator that lets the client check that a reply really came from its server. Every other attribute, including the username, travels in cleartext, which is why deployments that cross untrusted networks use RADIUS over TLS (RadSec) or an IPsec tunnel. The client sends authentication requests to the RADIUS server on UDP port 1812 and accounting requests on UDP port 1813. The server checks the credentials against an identity source like Active Directory, and then returns an Access-Accept carrying authorization attributes, or an Access-Reject.

One common problem is a RADIUS authentication failure caused by a shared-secret mismatch, a wrong server or client IP address (a server silently drops requests from clients it has not been told about), or a disabled or locked-out account in Active Directory. Another is that a user authenticates successfully but cannot reach certain resources, which usually points to an authorization misconfiguration. For instance, the server may return VLAN-assignment attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID); if the named VLAN does not exist on the switch or has no route to the resource, the user ends up isolated even though authentication passed.

Accounting is often overlooked, but it is critical for troubleshooting and compliance. If accounting logs are not being written, check that UDP 1813 is reachable from the device, that the device is defined as a client on the server, and that the server is configured to accept and store accounting packets. Many organizations use accounting data to track billable usage for clients, or to detect anomalous behavior such as a user logging in at 3 AM.
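The Step-by-Step Breakdown above and the shared-secret discussion in this lesson describe what actually travels between a RADIUS client and server. The following added example (not code from the page, FreeRADIUS or NPS) builds those packets with the Python standard library: the User-Password hiding and Response Authenticator from RFC 2865, an Access-Accept carrying a Filter-Id authorization attribute, and the Accounting-Request authenticator from RFC 2866. The user, password, shared secrets and Filter-Id value are constructed, nothing is sent on a socket, and the Message-Authenticator attribute that real deployments also include is omitted.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 / RFC 2866) and the attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP, FILTER_ID = 1, 2, 4, 11
ACCT_STATUS, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(raw: bytes) -> dict:
    """Decode a run of attributes into {type: value} (one value per type is enough here)."""
    out, i = {}, 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        out[atype] = raw[i + 2:i + alen]
        i += alen
    return out

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous hidden block);
    # the first block uses the Request Authenticator. Keyed obfuscation, not encryption.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if hiding else block  # the hidden block is the output when hiding, the input when unhiding
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(hidden, secret, request_auth, False).rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()

def nas_access_request(ident: int, user: bytes, password: bytes, secret: bytes):
    """Client side: fresh random Request Authenticator, hidden password, cleartext username."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user) + attr(NAS_IP, bytes([10, 0, 0, 1]))
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle_access(req: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: authenticate, then put the authorization attributes in the Access-Accept."""
    code, ident, length = struct.unpack("!BBH", req[:4])
    request_auth, attrs = req[4:20], parse_attrs(req[20:length])
    entry = users.get(attrs[USER_NAME])
    password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    if entry and hmac.compare_digest(password, entry["password"]):
        code, reply_attrs = ACCESS_ACCEPT, attr(FILTER_ID, entry["filter_id"])  # authorization
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, reply_attrs, request_auth, secret)
    return packet(code, ident, auth, reply_attrs)

def nas_verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply from a server holding a different secret fails this check."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])

def nas_accounting_request(ident: int, session_id: bytes, status: int, secret: bytes, session_time=None) -> bytes:
    """RFC 2866 3: Request Authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    attrs = attr(ACCT_STATUS, struct.pack("!I", status)) + attr(ACCT_SESSION_ID, session_id)
    if session_time is not None:
        attrs += attr(ACCT_SESSION_TIME, struct.pack("!I", session_time))
    hdr = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return packet(ACCT_REQUEST, ident, hashlib.md5(hdr + b"\x00" * 16 + attrs + secret).digest(), attrs)

def aaa_flow(user: bytes, password: bytes, nas_secret: bytes, server_secret: bytes) -> dict:
    """One constructed exchange: Access-Request, reply verification, Accounting Start and Stop."""
    users = {b"maria": {"password": b"correct horse", "filter_id": b"hr-staff-acl"}}  # constructed store
    req, request_auth = nas_access_request(7, user, password, nas_secret)
    reply = server_handle_access(req, server_secret, users)
    verified = nas_verify_reply(reply, request_auth, nas_secret)
    accounting = []
    if verified and reply[0] == ACCESS_ACCEPT:
        accounting.append(nas_accounting_request(8, b"sess-0001", ACCT_START, nas_secret))
        accounting.append(nas_accounting_request(9, b"sess-0001", ACCT_STOP, nas_secret, 3600))
    return {"code": reply[0], "verified": verified,
            "filter_id": parse_attrs(reply[20:]).get(FILTER_ID), "accounting_packets": len(accounting)}
```

Running aaa_flow with matching secrets returns code 2 (Access-Accept) with the Filter-Id and two accounting packets; a wrong password returns 3 (Access-Reject) in a reply the client can still verify; a mismatched secret returns a reply the client cannot verify, which is the on-the-wire symptom of the shared-secret mismatch described above. Note how little the secret protects: only the User-Password attribute is hidden, and only with MD5, while the username, NAS address and every authorization attribute in the Accept are readable by anyone on the path.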

AAA connects to broader IT concepts like identity management, directory services, and security compliance. It is a foundational building block for zero trust architectures, where every access request must be authenticated, authorized, and logged, regardless of whether the user is inside or outside the corporate network. Understanding AAA gives you a strong framework for designing and maintaining secure networks.

Memory Tip

Three A's of security: Authenticate who you are, Authorize what you can do, Account for what you did. Think of a guard at a gate who checks your ID (authenticate), then checks a list of allowed rooms (authorize), and then writes your visit in a logbook (account).


Frequently Asked Questions

What is the difference between RADIUS and TACACS+?

RADIUS bundles authentication and authorization into one exchange (the Access-Accept carries the authorization attributes), while TACACS+ handles them as separate exchanges, which is why it can authorize individual commands on a router. RADIUS uses UDP (1812 for authentication and 1813 for accounting; older implementations used 1645 and 1646), while TACACS+ uses TCP port 49. TACACS+ obfuscates the entire packet body, while RADIUS hides only the User-Password attribute. In both cases the mechanism is MD5-based and not modern encryption, so on untrusted networks run RADIUS over TLS (RadSec) or carry either protocol inside an IPsec tunnel.

Do all three AAA components have to be used together?

No, they can be used independently. Some systems only use authentication and authorization without accounting. However, for complete security and auditability, using all three is recommended.

Is AAA the same as Identity and Access Management (IAM)?

No, AAA is a component of IAM. IAM is a broader discipline that includes user provisioning, role management, identity governance, and policy administration, of which AAA is a part.

What is a common example of an AAA failure?

A user types the correct password (authentication succeeds) but then tries to access a network drive and gets an access denied error. This is an authorization failure because the user is not in the correct group or permission list.

Why is accounting important for security?

Accounting logs provide a record of who did what and when. They are essential for detecting unauthorized access, investigating incidents, meeting compliance requirements, and billing users for resource usage.

What protocol is most commonly used for AAA in wireless networks?

RADIUS is the most common protocol for AAA in wireless networks, especially with WPA2-Enterprise and 802.1X authentication.

Can AAA be used for cloud services?

Yes, cloud providers like AWS and Azure use AAA principles. For example, AWS IAM authenticates users, authorizes actions via policies, and logs all API calls in CloudTrail (accounting).

Summary

Authentication, Authorization, and Accounting is a foundational security framework that controls access to networks, systems, and data. Authentication verifies who you are, authorization determines what you are allowed to do, and accounting records what you actually did. Understanding the distinct roles of each component is critical for IT professionals who design, configure, or troubleshoot secure environments.

On certification exams, AAA is tested through definition questions, scenario analysis, and protocol comparisons across A+, Network+, and Security+. Remember that authentication always comes first, followed by authorization, with accounting running in the background. The most common mistake is confusing authentication with authorization, but a simple check of whether the user's identity was already proven can clarify which step failed.

For exam success, focus on the flow of AAA, the differences between RADIUS and TACACS+, and the practical application of each component in real-world scenarios like VPN access, wireless security, and device administration. AAA is not just a test topic; it is a daily reality for anyone managing access in IT.