This one will be fairly short and crosses over with notes I’ve already made on EAP Types for CCNP Wireless Security.
AAA – Authentication, Authorisation and Accounting
This concept provides a framework that many a security policy is written around.
This covers initial access to a network through some as basic as a pre-shared key (PSK) up to multi-factor authentication using usernames, smart cards, passwords and even bio metrics these days.
The main issue with multi-factor authentication is each time you require more auth you increase the overhead on either the server-side, client-side or both.
An example would be using a smart card to initially authenticate to a network by plugging it in to your computer but then requiring a username and password as well.
This is more secure than just a username/password combo but requires the user to ensure they always have the smart card available.
The smart cards require programming and also replacing if lost which causes additional overhead on each end and is still not an infallible solution.
All companies want to be secure but quite often there’s a battle between the security department who want to lock everything down and the management staff who want to make accessing the corporate network with BYOD devices hassle-free.
Authorisation ensures that even if someone is authenticated to the network it doesn’t necessarily mean they can access everything once there.
Generally it is enforced through Active Directory via RADIUS/LDAP.
An example would a laptop connected to the wireless through a domain machine account – a user on that laptop would then need to have the correct rights to access network shares or they will be denied.
The chapter here notes that whilst RADIUS is no mandatory, the 802.11-2007 WLAN standard that defines a Robust Secure Network (RSN) specifies 802.1X must be used. Important to remember I think as RSN is an important topic.
Fairly self explanatory this one – it’s an audit trail of what resources were accessed by whom at what time!
This can be manipulated depending upon per-vendor RADIUS custom attributes for example Cisco have custom attributes for their voice gateways to track 2 way calls.
That’s not a wireless example to show how accounting is used with other technologies.
Go to the EAP Types post for more on Layer 2 Authentication.