AAA protocol

In computer security, AAA commonly stands for authentication, authorization and accounting.

Authentication

Authentication refers to the process by which an entity's claimed identity is verified, typically by the entity presenting evidence that it holds a specific digital identity: an identifier together with the corresponding credentials. Examples of types of credentials are passwords, one-time tokens (one-time passwords), digital certificates, and phone numbers (calling or called number). Authentication establishes who the entity is; it does not by itself decide what the entity may do, which is the task of authorization.

Authorization

The authorization
Authorization
Authorization is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy...

 function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service. Authorization may be determined based on a range of restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple access by the same entity or user. Typical authorization in everyday computer life is for example granting read access to a specific file for authenticated user. Examples of types of service include, but are not limited to: IP address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...

 filtering, address assignment, route assignment, quality of Service/differential services, bandwidth
Bandwidth
Bandwidth is the difference between the upper and lower frequencies in a contiguous set of frequencies. It is typically measured in hertz, and may sometimes refer to passband bandwidth, sometimes to baseband bandwidth, depending on context...

 control/traffic management, compulsory tunneling to a specific endpoint, and encryption
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...

.
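
The restrictions named above (time of day, location, and a limit on concurrent access by the same entity) as a small default-deny policy evaluator. This is an added example, not code from the original article; the Rule and Request structures, the use of the source network as a stand-in for "physical location", and the sample rule and session table are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Rule:
    """One authorization rule (field names are assumptions for this example)."""
    principal: str
    action: str
    resource: str
    hours: tuple = (time(0, 0), time(23, 59, 59))   # inclusive time-of-day window
    networks: tuple = ("0.0.0.0/0",)                  # source networks standing in for physical location
    max_sessions: int = 1                             # concurrent-access limit for this principal


@dataclass(frozen=True)
class Request:
    principal: str      # identity established by authentication, never taken from client-asserted data
    action: str
    resource: str
    source_ip: str
    at: datetime


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)   # principal -> active session count (fed by accounting)

    def decide(self, req):
        """Return (allowed, reason). Anything not explicitly permitted is denied."""
        for rule in self.rules:
            if (rule.principal, rule.action, rule.resource) != (req.principal, req.action, req.resource):
                continue
            start, end = rule.hours
            if not (start <= req.at.time() <= end):
                return False, "outside permitted hours"
            ip = ipaddress.ip_address(req.source_ip)
            if not any(ip in ipaddress.ip_network(n) for n in rule.networks):
                return False, "source address outside permitted networks"
            if self.sessions.get(req.principal, 0) >= rule.max_sessions:
                return False, "concurrent session limit reached"
            return True, "permitted by rule"
        return False, "no matching rule"   # default deny

    def open_session(self, req):
        """Authorize and, on success, record the session so the limit applies to later requests."""
        allowed, reason = self.decide(req)
        if allowed:
            self.sessions[req.principal] = self.sessions.get(req.principal, 0) + 1
        return allowed, reason


def demo_policy():
    """Constructed sample: alice may read report.txt from 192.0.2.0/24 during business hours, one session at a time."""
    policy = Policy(rules=[Rule("alice", "read", "report.txt",
                                hours=(time(9, 0), time(17, 0)),
                                networks=("192.0.2.0/24",),
                                max_sessions=1)])
    ok = Request("alice", "read", "report.txt", "192.0.2.10", datetime(2024, 1, 15, 10, 30))
    late = Request("alice", "read", "report.txt", "192.0.2.10", datetime(2024, 1, 15, 22, 0))
    remote = Request("alice", "read", "report.txt", "198.51.100.7", datetime(2024, 1, 15, 10, 30))
    other = Request("alice", "write", "report.txt", "192.0.2.10", datetime(2024, 1, 15, 10, 30))
    first = policy.open_session(ok)      # allowed, and now counted as an active session
    second = policy.open_session(ok)     # refused: one session already open
    return first, second, policy.decide(late), policy.decide(remote), policy.decide(other)
```

The evaluator only ever sees a principal that authentication has already established, and it fails closed: a request that matches no rule, or that trips any restriction of the rule it matches, is refused with a reason that accounting can record.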

Accounting

Accounting refers to the tracking of network resource consumption by users for the purpose of capacity and trend analysis, cost allocation, and billing. In addition, it may record events such as authentication and authorization failures, and include auditing functionality, which permits verifying the correctness of procedures carried out based on accounting data. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information gathered in accounting is the identity of the user or other entity, the nature of the service delivered, when the service began, when it ended, and a status, if there is one to report.

List of AAA Protocols

  • RADIUS (Remote Authentication Dial In User Service)
  • Diameter
  • TACACS (Terminal Access Controller Access-Control System)
  • TACACS+


Usage of AAA servers in CDMA data networks

AAA servers in CDMA (code division multiple access) data networks are entities that provide Internet Protocol (IP) functionality to support the functions of authentication, authorization and accounting. The AAA server in the CDMA wireless data network architecture is similar to the HLR (Home Location Register) in the CDMA wireless voice network architecture.

Types of AAA servers include the following:
  • Access Network AAA (AN-AAA) – Communicates with the RNC (Radio Network Controller) in the Access Network (AN) to enable authentication and authorization functions to be performed at the AN. The interface between AN and AN-AAA is known as the A12 interface; A12 authentication is a CHAP-based mechanism by which a CDMA2000 access network authenticates a 1xEV-DO access terminal when it first attempts to access the AN, repeated after an authentication timeout period.
  • Broker AAA (B-AAA) – Acts as an intermediary to proxy AAA traffic between roaming partner networks (i.e., between the H-AAA server in the home network and the V-AAA server in the serving network). B-AAA servers are used in CRX networks to enable CRX providers to offer billing settlement functions.
  • Home AAA (H-AAA) – The AAA server in the roamer's home network. The H-AAA is similar to the HLR in voice. The H-AAA stores user profile information, responds to authentication requests, and collects accounting information.
  • Visited AAA (V-AAA) – The AAA server in the visited network from which a roamer is receiving service. The V-AAA in the serving network communicates with the H-AAA in the roamer's home network. Authentication requests and accounting information are forwarded by the V-AAA to the H-AAA, either directly or through a B-AAA.


Current AAA servers communicate using the RADIUS protocol. As such, TIA (Telecommunications Industry Association) specifications refer to AAA servers as RADIUS servers. However, future AAA servers are expected to use a successor protocol to RADIUS known as Diameter.

The behavior of AAA servers (RADIUS servers) in the CDMA2000 wireless IP network is specified in TIA-835.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.