In computer security, AAA stands for “authentication, authorization and accounting”.
Authentication refers to the confirmation that a user who is requesting services is a valid user of the network services requested. Authentication is accomplished via the presentation of an identity and credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).
Authorization refers to the granting of specific types of service (including “no service”) to a user, based on their authentication, what services they are requesting and the current system state. Authorization may be based on restrictions; for example time-of-day restrictions, physical location restrictions or restrictions against multiple logins by the same user. Authorization determines the nature of the service which is granted to a user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, QoS/differential services, bandwidth control/traffic management, compulsory tunneling to a specific endpoint and encryption.
Accounting refers to the tracking of the consumption of network resources by users. This information may be used for management, planning, billing and/or other purposes. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began and when it ended.
Some ISPs (commonly modem, DSL, or wireless 802.11 services) require you to enter a username and password in order to connect to the Internet. Before access to the network is granted, this information is passed to a Network Access Server (NAS) device over the Point-to-Point Protocol (PPP) and then to a RADIUS server over the RADIUS protocol. The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP. If accepted, the server will then authorize access to the ISP system and select an IP address, L2TP parameters, etc.
The RADIUS server will also be notified if and when the session starts and stops, so that the user can be billed accordingly; or the data can be used for statistical purposes.
Additionally, RADIUS is widely used by VoIP service providers. It is used to pass login credentials of a SIP end point (like a broadband phone) to a SIP Registrar using digest authentication, and then to RADIUS server using RADIUS. Sometimes it is also used to collect call detail records (CDRs) later used, for instance, to bill customers for international long distance.
RADIUS was originally developed by Livingston Enterprises for their PortMaster series of Network Access Servers, but later (1997) published as RFC 2058 and RFC 2059 (current versions are RFC 2865 and RFC 2866). Now, several commercial and open-source RADIUS servers exist. Features can vary, but most can look up the users in text files, LDAP servers, various databases, etc. Accounting tickets can be written to text files, various databases, forwarded to external servers, etc. SNMP is often used for remote monitoring. RADIUS proxy servers are used for centralized administration and can rewrite RADIUS packets on the fly (for security reasons, or to convert between vendor dialects).