AAA Architecture
Last updated
AAA (Authentication, Authorization, Accounting) is the framework for controlling, and keeping a record of, access to network resources.
Authentication identifies a user.
Authorization determines what that user can do.
Accounting records what the user did and for how long (session start/stop, duration, traffic volume, commands issued) for billing and audit purposes.
AAA information is typically stored in an external database or remote authentication server.
Traditional AAA Implementation.
IEEE 802.1X is an IEEE standard for port-based Network Access Control (NAC).
It provides an authentication mechanism for devices wishing to attach to a LAN (wired or wireless), based on the Extensible Authentication Protocol (EAP), which it carries between the supplicant and the authenticator in EAPOL frames.
802.1X-2001 and 802.1X-2004 only provide authentication; traffic on the authenticated port is not itself protected.
802.1X-2010 adds optional encryption of the LAN segment by using the authenticated session to key MACsec (IEEE 802.1AE) through the MACsec Key Agreement (MKA) protocol.
AAA protocols/services: TACACS+, RADIUS, and Diameter.
EAP, defined in [RFC3748], was designed to enable extensible authentication for network access in situations in which the Internet Protocol (IP) is not available.
It was originally developed for use with the Point-to-Point Protocol (PPP) [RFC1661].
It has subsequently also been applied to IEEE 802 wired networks [IEEE-802.1X], the Internet Key Exchange Protocol version 2 (IKEv2) [RFC4306], and wireless networks such as [IEEE-802.11] and [IEEE-802.16e].
EAP is a two-party protocol spoken between the EAP peer and the EAP server; the authenticator (switch or access point) in a pass-through deployment only relays it, typically over a AAA protocol such as RADIUS.
Keying material is generated by EAP authentication algorithms, known as "methods".
Part of this keying material is used within the EAP method itself, and part (the MSK and EMSK) is exported to the lower layer, where it seeds the keys of the secure association (for example, the 802.11 PMK).
Where EAP key derivation is supported, the conversation typically takes place in three phases:
Phase 0: Discovery.
Phase 1: Authentication.
1a: EAP authentication.
1b: AAA Key Transport (optional).
Phase 2: Secure Association Protocol.
2a: Unicast Secure Association.
2b: Multicast Secure Association (optional).
EAP lower layers implement phases 0, 2a, and 2b in different ways:
IEEE 802.1X.
IEEE 802.1X-2004 does not support discovery (phase 0), nor does it provide for the derivation of unicast or multicast secure associations (phase 2).
IEEE 802.11.
Handles discovery via the Beacon and Probe Request/Response mechanisms.
Access Points (APs) periodically announce their Service Set Identifiers (SSIDs) as well as capabilities using Beacon frames.
Stations can query for APs by sending a Probe Request.
Neither Beacon nor Probe Request/Response frames are secured, so a station cannot trust the SSID or capabilities it learns during discovery; the authenticity of the network is established only later, by the EAP method (phase 1) and the 4-way handshake (phase 2).
An EAPOL-Key 4-way handshake enables the derivation of unicast (phase 2a) and multicast/broadcast (phase 2b) secure associations; the group key is delivered to the station inside the handshake, wrapped under the pairwise key.
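The phase 2a handshake described above, as an added example (this code is not part of the original page nor of any IEEE or IETF specification text): the PMK is taken from the MSK exported in phase 1b, the PTK is derived with the 802.11 PRF, and the four EAPOL-Key messages are exchanged with their MICs, including the failure case where an AP that does not hold the PMK cannot get past message 2. The MSK, MAC addresses and nonces are constructed values; the EAPOL-Key encoding is simplified to the fields the logic needs, and the GTK key wrap carried in message 3 is omitted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed inputs for the example (not real key material or real devices).
# In 802.1X/EAP the MSK is exported by the EAP method (phase 1a) and carried to
# the authenticator over the AAA protocol (phase 1b); 802.11 uses its first
# 256 bits as the PMK.
MSK = bytes(range(64))               # constructed 64-byte MSK
AA = bytes.fromhex("020000000001")   # constructed authenticator (AP) MAC
SPA = bytes.fromhex("020000000002")  # constructed supplicant (STA) MAC


def pmk_from_msk(msk: bytes) -> bytes:
    """802.11 takes the PMK as the first 256 bits of the EAP MSK."""
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label||0x00||data||i)
    for i = 0, 1, ... and truncate to nbytes."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||
    Min(ANonce,SNonce)||Max(ANonce,SNonce)). The min/max ordering lets both
    sides build identical input. Returns (KCK, KEK, TK), 16 bytes each (CCMP)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


@dataclass
class EapolKey:
    """Simplified EAPOL-Key frame: only the fields the handshake logic needs
    (real frames also carry key-info flags, replay counter, IV, RSC, length)."""
    msg: int               # position in the handshake, 1..4
    nonce: bytes           # ANonce (M1, M3), SNonce (M2), zeros (M4)
    mic: bytes = bytes(16)
    key_data: bytes = b""  # M3 would carry the KEK-wrapped GTK (omitted here)

    def serialize(self) -> bytes:
        return bytes([self.msg]) + self.nonce + self.mic + self.key_data


def compute_mic(kck: bytes, frame: EapolKey) -> bytes:
    """Key descriptor version 2 (CCMP): HMAC-SHA1-128 over the frame with the
    MIC field set to zero."""
    zeroed = EapolKey(frame.msg, frame.nonce, bytes(16), frame.key_data)
    return hmac.new(kck, zeroed.serialize(), hashlib.sha1).digest()[:16]


def verify_mic(kck: bytes, frame: EapolKey) -> bool:
    return hmac.compare_digest(compute_mic(kck, frame), frame.mic)


def four_way_handshake(pmk_ap, pmk_sta, anonce=None, snonce=None):
    """Run the handshake between authenticator (AP) and supplicant (STA).
    The PMKs are passed separately so a mismatch (wrong credentials, or a rogue
    AP that never received the MSK) can be shown. Returns (ok, ap_keys, sta_keys)."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # M1 (AP -> STA): ANonce, sent in the clear and unauthenticated.
    m1 = EapolKey(1, anonce)
    # STA now holds both nonces and derives its PTK.
    sta_keys = derive_ptk(pmk_sta, AA, SPA, m1.nonce, snonce)
    # M2 (STA -> AP): SNonce, protected by a MIC under the STA's KCK.
    m2 = EapolKey(2, snonce)
    m2.mic = compute_mic(sta_keys[0], m2)
    # AP derives its PTK from the received SNonce; a valid MIC proves the STA
    # holds the same PMK. This is the first authenticated step of phase 2.
    ap_keys = derive_ptk(pmk_ap, AA, SPA, anonce, m2.nonce)
    if not verify_mic(ap_keys[0], m2):
        return False, None, None
    # M3 (AP -> STA): ANonce again under MIC, proving the AP also knows the PMK.
    m3 = EapolKey(3, anonce)
    m3.mic = compute_mic(ap_keys[0], m3)
    if m3.nonce != m1.nonce or not verify_mic(sta_keys[0], m3):
        return False, None, None
    # M4 (STA -> AP): confirmation that the STA has installed the keys.
    m4 = EapolKey(4, bytes(32))
    m4.mic = compute_mic(sta_keys[0], m4)
    if not verify_mic(ap_keys[0], m4):
        return False, None, None
    return True, ap_keys, sta_keys


if __name__ == "__main__":
    pmk = pmk_from_msk(MSK)
    ok, ap_keys, sta_keys = four_way_handshake(pmk, pmk)
    print("legitimate AP:", ok, "TK match:", ap_keys[2] == sta_keys[2])
    # An AP can send a believable Beacon and M1 without the PMK, but it
    # cannot produce or verify a single valid MIC.
    print("AP without PMK:", four_way_handshake(bytes(32), pmk)[0])
```

The unprotected M1 is the counterpart of the unsecured Beacon and Probe frames: nothing before the M2 MIC check authenticates either party, which is why the security of the association rests on the PMK agreed in phase 1, not on anything learned during discovery.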