In IP security, AAA stands for “Authentication, Authorization and Accounting”.
An AAA server ensures that protected data can only be accessed by authorized people or systems.
A RADIUS server is used to authenticate users, typically against an LDAP server:
user information is stored centrally in the LDAP server and the RADIUS server
authenticates against it, which both reduces the administrative overhead of user
management and makes the remote login process more secure.
RADIUS allows a network access server (NAS) to perform authentication, authorization,
and accounting for users. It is a client/server protocol carried over UDP. The
RADIUS client is the network access server, typically a router, switch, or wireless
access point (an access point is a specially configured node on a network; a WAP is
the wireless version).
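The RADIUS exchange described above, as an added example that is not part of the original page and not taken from any of the implementations listed below: the NAS builds an Access-Request carrying a User-Name and an RFC 2865 hidden User-Password, and verifies the Response Authenticator on the server's reply before trusting an Access-Accept. The shared secret, Request Authenticator and user credentials are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(password), 16):
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """Attribute = Type(1) | Length(1, header included) | Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Packet = Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_request(ident, request_auth, username, password, secret):
    """NAS side: present identity and hidden credential (the Authentication step)."""
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret); the server
    puts this in its Access-Accept/Reject so the reply is bound to one request and the secret."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: reject truncated or padded replies, then compare the authenticator in constant time."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = response_authenticator(reply[0], reply[1], reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])
```

Both the password hiding and the Response Authenticator rest on MD5 keyed only by the shared secret, which is why deployments also rely on a protected transport (an isolated management network, IPsec, or RADIUS over TLS) rather than on this check alone.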
Authentication
Authentication refers to the confirmation that a user who is requesting
services is a valid user of the network services requested. Authentication
is accomplished via the presentation of an identity and credentials.
Examples of types of credentials are passwords, one-time tokens, digital
certificates, and phone numbers (calling/called).
Authorization
Authorization refers to the granting of specific types of service
(including "no service") to a user, based on their authentication, what
services they are requesting, and the current system state. Authorization
may be based on restrictions, for example time-of-day restrictions,
physical location restrictions, or restrictions against multiple logins
by the same user. Authorization determines the nature of the service which
is granted to a user. Examples of types of service include, but are not
limited to: IP address filtering, address assignment, route assignment,
QoS/differential services, bandwidth control/traffic management, compulsory
tunneling to a specific endpoint, and encryption.
Accounting
Accounting refers to the tracking of the consumption of network resources
by users. This information may be used for management, planning, billing,
or other purposes. Real-time accounting refers to accounting information
that is delivered concurrently with the consumption of the resources. Batch
accounting refers to accounting information that is saved until it is
delivered at a later time. Typical information that is gathered in
accounting is the identity of the user, the nature of the service delivered,
when the service began, and when it ended.
Links
RADIUS (Remote Authentication Dial In User Service)
Diameter, the proposed successor to RADIUS
EAP (Extensible Authentication Protocol)
Generic-AAA-Architecture
AAA-Authorization-Framework
AAA-Authorization-Application-Examples
AAA-Authorization-Requirements
AAA-Transport-Profile
PKI: Public Key Infrastructure
Open Source
FreeRADIUS
OpenRADIUS
Open Diameter
Open1x and xsupplicant