Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

How AAA Servers Work

Key Points
  • AAA servers handle authentication, authorization, and accounting for secure network access control.
  • AAA servers support more secure certificate-based authentication using EAP-TLS, reducing risks and improving user experience.
  • SecureW2’s Cloud RADIUS offers a robust, dynamic AAA solution for secure, policy-driven authentication and seamless network management.

WPA2-Personal is common in homes and cafes  – a security type requiring a preshared key (PSK). But some networks cannot be secured with a password, they want a username and a unique password for every user. That’s likely a WPA2-Enterprise network. That is why the AAA server facilitates the security you need.

AAA is an important protocol in network access control but how does this actually work? Let’s discuss this.

What are AAA servers?

Fig: AAA setup

AAA stands for Authentication, Authorization, and Accounting. You might have heard of two AAA servers: RADIUS and TACACS+. Modern WPA2-Enterprise networks use the RADIUS protocol fairly exclusively, so you’re unlikely to encounter TACACs+ in the field.

AAA servers perform several very important functions:

  • granting or denying access to a network
  • providing varying levels of authorization to users  
  • keeping a record of all attempts to establish a network connection

Where are AAA servers used?

If you are an organization dealing with sensitive data, you need a secure method of transporting data. AAA servers are used so your devices can communicate securely with access points. It is a major part of large organization networks like enterprises, universities, and hospitals. With the growing threats in cyber security, AAA servers are rapidly becoming adopted by smaller businesses too.

Why do I need a AAA Server?

AAA servers are a WiFi security necessity – it replaces a single preshared key with unique credentials per user or device. 

These days users are accessing their sensitive data irrespective of the network, whether it be a public hotspot, an airport, or a friend’s apartment. These environments use simple authentication methods based on a pre-shared key (PSK) that only involves remembering a single password.

Such networks are a major cause of data breaches. A survey found that 74% of IT decision makers (whose organizations have been breached in the past) say it involved privileged access credential abuse.

Therefore, the Pre-Shared Key network security most often used at home is not sufficient for any professional use and can put them at serious risk for cyber crimes.

How is  AAA Set Up?

Imagine we are the supplicants (AKA users) and we want to connect to the network through an access point as depicted in the picture above.

Components of an AAA setup:

  • Supplicant
  • Switch/Access Point/Controller
  • AAA Server (such as RADIUS)

For us to connect, we need to authenticate first, which involves verifying user credentials. In other words, we need to supply a username and password for network access. The switch/access point/controller takes these credentials and passes them to a AAA server (AKA RADIUS). The RADIUS confirms with the identity provider (not pictured) that the credentials match an authorized user and checks if there are any special instructions regarding their access level.

If there is a match in the identity provider, the user gets authenticated to the network, if not, access is denied. Once verified, we are authorized to access resources on the network based on the access control policies set by the organization.

Finally, the AAA server fulfills the last part of its role – accounting. The authentication events described above are recorded in the RADIUS event log in case they need to be referenced later for troubleshooting or audits.

Credential or Certificates? Two Modes of Authentication

AAA servers support both credential and certificate-based authentication, each with its list of pros and cons.

Credentials :

  • Poor UX (reset policies, complexity requirements)
  • Easily decrypted
  • Prone to over-the-air attacks (man-in-the-middle, evil twin attacks)
  • Requires significant IT resources

Certificates :

  • Uses uncrackable public-private key encryption 
  • Uses the most secure authentication protocol EAP-TLS 
  • Superior UX, no need to remember or reset passwords
  • Avoids over-the-air attacks (man-in-the-middle, evil twin attacks)
  • Frees up IT resources

Click here to see how easy it was for our customers to switch from credentials to certificates.

How Do AAA Servers Work?

 

Initialization

The supplicant has the user’s credentials and connects with the switch/controller to initiate the authentication process.

Intermediary

The switch/access point/controller initiates communication between the end-user device and the RADIUS server. This device is where you configure a Wi-Fi protocol such as WPA2-PSK and WPA2-Enterprise.

Authentication

Your AAA server can be configured with several authentication protocols

EAP-TTLS/PAP and PEAP-MSCHAPv2 are common, if vulnerable, credential-based authentication protocols.  EAP-TLS enables digital certificate authentication and is a highly secure method for protecting the authentication process

The AAA server connects to your identity providers (IDP) like Azure AD or Okta, to confirm if users have the correct certificate or credentials to prevent any unapproved users from accessing the network.

Authorization

The AAA server communicates with a directory (on-prem or cloud) to identify what level of access each user has. The authorization applies organization rules to resolve access requests from users

Accounting

Accounting involves recording the information of devices that are authenticated to a network and the session duration. The device information, usually the MAC address and port number, is sent in a packet to the accounting server when the session begins. The server will receive a message signaling the end of the session.

The Leading AAA Solution

SecureW2’s JoinNow solution comes built-in with a world-class Cloud RADIUS server, providing powerful, dynamic policy-driven authentication. The keys to a successful RADIUS deployment are availability, consistency, and speed. Backed by AWS, SecureW2 Cloud RADIUS delivers high availability, consistent and quality connections, and requires no physical installation.

Ready to take the next step in improving user experience and hardening your network security? The transition process is easier than you think. Click here if you’d like to get in touch with one of our experts.

Learn about this author

Shantha Meena

Shantha Meena is a content writer with a passion for creative writing and poetry that captures momentary emotions and insights. She originally was a Software Engineer at Juniper Networks and started writing out of a desire to further her creative aspirations and her technical knowledge

How AAA Servers Work