Practical Network Scanning

Authentication, authorization, and accounting

Authentication, authorization, and accounting (AAA) is a function for centrally and securely controlling access to IT infrastructure resources. This is achieved by enforcing policies and providing audit functionality that keeps track of the activities performed on a given device. In simple terms, authentication means identifying a user, for example with a username and password. The AAA server matches the user's authentication credentials against the credentials set up and stored in a back-end database. The authorization process validates whether the user has the authority to perform a specified task, such as accessing a resource or executing a command on it. The final piece of the AAA function is accounting, which records all the activity on, and resources consumed by, a user during access.

AAA functions are always offered by a dedicated, centralized AAA server, a software program that performs all of these functions. The current standards by which network access servers interface with the AAA server are the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS) protocols.

TACACS can be further connected to domain controller security groups, which provides elevated access control. You will have to create two security groups on the domain controller, for example, RO (read-only) and RW (read-write). After one or two human security approvals, your user account is automatically added to the RW group. This provides a way to dynamically request administrative (admin) access to production machines. After the specified time, the account is automatically removed from the group again.
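The three AAA functions and the RO/RW elevation workflow described above, modelled as an added example in Python (this is not code from the book or from any RADIUS/TACACS implementation): password authentication against a stored hash, authorization by group membership where RW membership expires after the granted time, and an accounting log of every decision. The group names RO and RW come from the text; the command classes, the TTL, and PBKDF2 credential storage are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed policy: which group may run which class of command (assumption).
COMMAND_GROUPS = {"show": {"RO", "RW"}, "configure": {"RW"}}


class AAAServer:
    """Minimal AAA model: authentication, time-limited group authorization,
    and an accounting log. Times are plain epoch seconds passed by the caller
    so the expiry logic can be exercised deterministically."""

    def __init__(self):
        self.users = {}       # username -> (salt, PBKDF2 hash)
        self.groups = {}      # username -> {group: expiry_epoch or None}
        self.accounting = []  # (time, user, action, result) records

    def add_user(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.users[user] = (salt, digest)
        self.groups[user] = {"RO": None}  # RO membership is permanent

    def grant_rw(self, user, now, ttl_seconds):
        """Temporary elevation into RW, as granted after the human approvals."""
        expiry = now + ttl_seconds
        self.groups[user]["RW"] = expiry
        self.accounting.append((now, user, "grant RW", f"expires {expiry}"))

    def authenticate(self, user, password, now):
        ok = False
        if user in self.users:
            salt, digest = self.users[user]
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
            ok = hmac.compare_digest(candidate, digest)  # constant-time compare
        self.accounting.append((now, user, "authenticate", "success" if ok else "failure"))
        return ok

    def authorize(self, user, command, now):
        groups = self.groups.get(user, {})
        # Automatic removal: drop any membership whose expiry has passed.
        for group, expiry in list(groups.items()):
            if expiry is not None and now >= expiry:
                del groups[group]
                self.accounting.append((now, user, f"revoke {group}", "expired"))
        allowed = bool(COMMAND_GROUPS.get(command, set()) & set(groups))
        self.accounting.append((now, user, command, "permit" if allowed else "deny"))
        return allowed
```

Every call, including denied ones and automatic revocations, lands in `accounting`, which is the audit trail the text describes.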