AAA Network Protocols

This post summarizes Authentication, Authorization and Accountability (AAA) protocols, also called AAA network protocols.

Do not confuse AAA protocols with authentication protocols such as EAP, CHAP and PAP. Authentication protocols work at OSI layers 2 and 3, while AAA protocols work at layer 7. You can read more about them on this post.

List of AAA Network Protocols

AAA Network Protocols:

  • Kerberos
  • RADIUS
  • Diameter
  • TACACS+

Kerberos

Kerberos is both an AAA network protocol and an SSO implementation. It is very popular.

You can read more about Kerberos on this post.

RADIUS

RADIUS is one of the most widely used AAA network protocols.

It provides authentication and authorization and is often used for modems, wireless networks, and network devices. Network access servers send access requests to central RADIUS servers.

RADIUS uses UDP as its transport protocol and, by default, only encrypts usernames and passwords.

It supports TLS over TCP, but not as a default setting; it does not support TLS over UDP.

Unlike Kerberos, it is not ticket-based.

RADIUS is typically used for wireless networks, modems, and network devices.

RADIUS is also an open standard, defined in various RFCs (most notably RFC 2865 and RFC 2866).
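To show what "only the password is encrypted by default" looks like on the wire, here is an added Python example (not code from the post or from any RADIUS implementation) that builds a RADIUS Access-Request and applies the RFC 2865 User-Password hiding: the password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, while the User-Name attribute travels as-is. The shared secret, username, password and packet identifier are constructed values for the example.

```python
import hashlib
import os
import struct

# Constructed values for this example only; the post names no secret, user or code points.
ACCESS_REQUEST = 1       # RADIUS packet code
ATTR_USER_NAME = 1       # carried in cleartext
ATTR_USER_PASSWORD = 2   # hidden with the MD5 keystream below (RFC 2865 section 5.2)

def _xor_blocks(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """XOR 16-byte blocks with MD5(secret + previous hidden block); the first key uses the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ k for a, k in zip(data[i:i + 16], key))
        prev = block if hiding else data[i:i + 16]   # chain on the hidden form either way
        out += block
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: pad with NULs to a multiple of 16 and apply the keystream."""
    return _xor_blocks(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, then strip the padding."""
    return _xor_blocks(hidden, secret, request_auth, False).rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # TLV; Length includes header

def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Code | Identifier | Length | Request Authenticator (16 bytes) | attributes."""
    attrs = attribute(ATTR_USER_NAME, user)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

if __name__ == "__main__":
    ra = os.urandom(16)   # Request Authenticator must be fresh and random per request
    pkt = build_access_request(7, b"alice", b"s3cret", b"example-secret", ra)
    print(parse_attributes(pkt))   # User-Name is readable as-is; User-Password is not
```

Everything else in the packet (username, NAS identifiers, the response) is readable by anyone on the path, which is why running RADIUS over TLS is worth the non-default configuration effort.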

Diameter

Diameter was designed as an improvement on RADIUS.

TACACS+

TACACS+ is an improvement on TACACS (which was an insecure protocol) and XTACACS.

It has some benefits over RADIUS, including:

  • Encryption of all authentication information (not only the password)
  • Two-factor authentication support

TACACS+ uses TCP.

TACACS+ is typically used for network devices.

TACACS+ and XTACACS are Cisco proprietary technologies.

External References

  • M. Chapple et al., CISSP Study Guide, Ninth Edition, pp. 694–699, Wiley, 2021