Domain 1: General Security Concepts Module 3 of 61

Authentication, Authorization, and Accounting (AAA)

Security+ Domain 1 — General Security Concepts A — Security Foundations 12–16 minutes

What the Exam Is Really Testing

CompTIA does not just want you to define authentication, authorization, and accounting separately.

It wants you to demonstrate this:

Given a scenario, determine which phase of AAA is failing and select the appropriate control to fix it.

Many candidates confuse authentication with authorization. They mix up what proves identity with what grants access. The exam deliberately presents scenarios where the distinction matters — and the wrong answer is always the one that confuses the two.


The AAA Framework

AAA is not just an acronym to memorize. It is a sequence that every access decision follows:

  1. Authentication: Prove who you are
  2. Authorization: Determine what you are allowed to do
  3. Accounting: Record what you actually did

These three steps happen in order. You cannot authorize someone you have not authenticated. You cannot account for actions without knowing who performed them.

Authentication answers "who are you?" Authorization answers "what can you do?" Accounting answers "what did you do?"

Authentication: Proving Identity

Authentication verifies that a user, device, or system is who or what it claims to be. CompTIA organizes authentication around factors — categories of evidence used to prove identity.

The Five Authentication Factors

  • Something you know: Passwords, PINs, security questions. The weakest factor because knowledge can be shared, guessed, or stolen
  • Something you have: Smart cards, hardware tokens, mobile devices with authenticator apps. Stronger because possession is required
  • Something you are: Biometrics — fingerprints, facial recognition, iris scans, voice patterns. Strongest individual factor because it is tied to the person
  • Somewhere you are: Geolocation, IP address ranges, GPS coordinates. Used as a contextual factor to validate access location
  • Something you do: Behavioral biometrics — typing patterns, gait analysis, signature dynamics. Emerging factor based on behavioral characteristics

Multi-Factor Authentication (MFA)

MFA requires two or more factors from different categories. This is a critical distinction.

Two passwords are not MFA — they are two instances of the same factor (something you know). A password plus a fingerprint is MFA — it combines something you know with something you are.

For the exam: MFA requires factors from different categories. Multiple instances of the same category are multi-step, not multi-factor.
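The multi-step versus multi-factor distinction is easy to encode: count distinct factor categories, not prompts. The following is an added example written for this page (not CompTIA's material); the method-to-category table and the method names in it are assumptions constructed for illustration.

```python
from enum import Enum


class Factor(Enum):
    """The five factor categories the exam uses."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    WHERE = "somewhere you are"
    DO = "something you do"


# Constructed lookup: verification method -> factor category. A real product
# would take this from its policy configuration; these names are assumptions.
METHOD_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "security_question": Factor.KNOW,
    "smart_card": Factor.HAVE,
    "hardware_token": Factor.HAVE,
    "authenticator_app": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
    "iris": Factor.ARE,
    "geolocation": Factor.WHERE,
    "ip_range": Factor.WHERE,
    "typing_pattern": Factor.DO,
    "gait": Factor.DO,
}


def categories(methods):
    """Return the set of distinct factor categories the given methods draw on."""
    unknown = [m for m in methods if m not in METHOD_FACTOR]
    if unknown:
        raise ValueError(f"unclassified method(s): {unknown}")
    return {METHOD_FACTOR[m] for m in methods}


def is_multi_factor(methods):
    """True only when at least two *different* categories are present."""
    return len(categories(methods)) >= 2


def classify_scheme(methods):
    """Label a login flow the way the exam expects: the number of distinct
    categories decides, not the number of prompts or of verifying servers."""
    steps = len(methods)
    cats = len(categories(methods))
    if steps == 0:
        return "no authentication"
    if cats >= 2:
        return "multi-factor"
    if steps >= 2:
        return "multi-step, single-factor"
    return "single-factor"


if __name__ == "__main__":
    for flow in (["password", "pin"],
                 ["password", "fingerprint"],
                 ["password", "authenticator_app"]):
        print(flow, "->", classify_scheme(flow))
```

Note that `classify_scheme` never looks at how many servers verified the steps; that is exactly why the "same authentication server" detail in scenario questions is a distractor.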

Authentication Protocols

CompTIA tests your knowledge of common authentication protocols:

  • RADIUS: Remote Authentication Dial-In User Service. Centralized authentication commonly used for network access (VPN, wireless). Encrypts only the password, not the entire session
  • TACACS+: Terminal Access Controller Access-Control System Plus. Cisco-developed protocol that encrypts the entire authentication session. Separates authentication, authorization, and accounting into distinct processes
  • Kerberos: Ticket-based authentication protocol used in Windows Active Directory environments. Uses a Key Distribution Center (KDC) to issue time-limited tickets
  • SAML: Security Assertion Markup Language. XML-based framework for exchanging authentication data between an identity provider and a service provider. Common in web-based SSO
  • OAuth/OpenID Connect: OAuth handles authorization (access tokens). OpenID Connect adds an authentication layer on top. Used in modern web and mobile applications
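The RADIUS bullet's "encrypts only the password" is concrete enough to show in code. RFC 2865 section 5.2 hides the User-Password attribute by XORing it with an MD5 keystream derived from the shared secret and the packet's Request Authenticator; every other attribute, User-Name included, travels in the clear. The block below is an added example written for this page (it is not from CompTIA or any RADIUS implementation); the shared secret, usernames, and the fixed Request Authenticator used in the test are constructed values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1        # RADIUS packet code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1        # attribute type numbers from RFC 2865
ATTR_USER_PASSWORD = 2


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad the password with NULs to a 16-byte boundary,
    then XOR each block with MD5(secret + previous block). The first "previous
    block" is the 16-byte Request Authenticator from the packet header."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden, secret, request_authenticator):
    """The server-side inverse. Trailing NUL padding is removed, so a password
    ending in NUL bytes is not representable (the RFC has the same limit)."""
    plain, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, request_authenticator):
    """Code | Identifier | Length | Request Authenticator | attributes..."""
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_user_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header. No secret is needed for this,
    which is the point: only User-Password is hidden."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


if __name__ == "__main__":
    ra = bytes(range(16))                     # constructed; real ones are random
    pkt = build_access_request(7, b"alice", b"s3cret!", b"sharedsecret", ra)
    print("User-Name visible on the wire:", b"alice" in pkt)
    print("User-Password visible on the wire:", b"s3cret!" in pkt)
```

Two defensive takeaways follow from the code: anyone on the path can read the username, and the password's protection rests entirely on the shared secret and MD5, which is why RADIUS is normally run over a trusted network segment or wrapped in IPsec or TLS (RadSec). TACACS+, by contrast, encrypts the whole packet body.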

Authorization: Granting Access

After authentication confirms identity, authorization determines what that identity is allowed to do. CompTIA tests several authorization models.

Authorization Models

  • Role-Based Access Control (RBAC): Access is determined by the user's role in the organization. A "finance analyst" role gets access to financial systems. Most common model in enterprise environments
  • Rule-Based Access Control: Access is determined by predefined rules. Firewall rules and time-of-day restrictions are examples. Often confused with RBAC on the exam
  • Discretionary Access Control (DAC): The resource owner decides who gets access. Common in file systems where the file creator sets permissions. Flexible but difficult to manage at scale
  • Mandatory Access Control (MAC): Access is determined by classification labels and clearance levels. The system enforces access decisions, not users. Used in military and high-security environments
  • Attribute-Based Access Control (ABAC): Access decisions based on attributes — user attributes, resource attributes, environmental attributes. Most flexible model. "Allow access if user department is finance AND resource classification is internal AND time is business hours"
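The five models differ in *what input* the decision function reads, and that is clearest when the same subject, resource and context are run through each one. The block below is an added example for this page (not from CompTIA or any access-control product); the role table, ACL, clearance numbers, subnet and "business hours" window are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    department: str
    clearance: int          # numeric clearance level, used only by the MAC example


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    classification: str     # "public" | "internal" | "confidential"
    label: int              # numeric sensitivity label, used only by the MAC example


@dataclass(frozen=True)
class Context:
    when: datetime
    source_ip: str


# --- RBAC: permissions hang off roles, never off individual users (constructed table) ---
ROLE_PERMISSIONS = {
    "finance_analyst": {"ledger:read", "report:read"},
    "finance_manager": {"ledger:read", "ledger:write", "report:read"},
}


def rbac_allows(subject, action):
    return action in ROLE_PERMISSIONS.get(subject.role, set())


# --- Rule-based: if/then conditions evaluated regardless of who the subject is ---
def business_hours(ctx):
    return time(9, 0) <= ctx.when.time() < time(17, 0)


def from_corporate_lan(ctx):
    return ipaddress.ip_address(ctx.source_ip) in ipaddress.ip_network("10.0.0.0/8")


RULES = [business_hours, from_corporate_lan]


def rule_based_allows(ctx):
    return all(rule(ctx) for rule in RULES)


# --- DAC: the resource owner's ACL decides (constructed ACL; the owner is always allowed) ---
ACLS = {"q3-forecast.xlsx": {"bob": {"ledger:read"}}}


def dac_allows(subject, resource, action):
    if subject.name == resource.owner:
        return True
    return action in ACLS.get(resource.name, {}).get(subject.name, set())


# --- MAC: system-enforced labels; a subject may not read above its clearance ---
def mac_allows(subject, resource):
    return subject.clearance >= resource.label


# --- ABAC: the page's own rule, combining subject, resource and environment attributes ---
def abac_allows(subject, resource, ctx):
    return (subject.department == "finance"
            and resource.classification == "internal"
            and business_hours(ctx))


if __name__ == "__main__":
    alice = Subject("alice", "finance_analyst", "finance", 2)
    forecast = Resource("q3-forecast.xlsx", "dave", "internal", 2)
    day = Context(datetime(2024, 3, 4, 10, 30), "10.1.2.3")
    print("RBAC:", rbac_allows(alice, "ledger:read"),
          "rule:", rule_based_allows(day),
          "DAC:", dac_allows(alice, forecast, "ledger:read"),
          "MAC:", mac_allows(alice, forecast),
          "ABAC:", abac_allows(alice, forecast, day))
```

Read the signatures, not just the bodies: `rbac_allows` never sees the resource or the clock, `rule_based_allows` never sees the subject, `dac_allows` consults a table the owner edits, `mac_allows` consults labels the user cannot change, and only `abac_allows` takes all three inputs. That difference in inputs is what "model matching" questions are really asking about.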

Key Authorization Principles

  • Least privilege: Users receive only the minimum access required to perform their job function
  • Separation of duties: No single person should control all phases of a critical process. The person who requests a purchase should not approve it
  • Need to know: Even with appropriate clearance, access is limited to information needed for the specific task

Accounting: Recording Activity

Accounting (also called auditing) creates a record of who did what, when, and from where. Without accounting, you cannot investigate incidents, prove compliance, or detect abuse.

Accounting mechanisms include:

  • System and application logs
  • Audit trails
  • SIEM (Security Information and Event Management) correlation
  • Network flow data
  • Session recording

Accounting is often the overlooked third element. But on the exam, it appears in scenarios about incident investigation, compliance evidence, and forensic analysis.

If a question asks how to determine what a user accessed after a suspected breach, the answer is in accounting — logs, audit trails, session records.

AAA in Practice: Putting It Together

Consider a VPN connection scenario:

  1. Authentication: The user enters a username, password, and provides a one-time code from an authenticator app (MFA). The RADIUS server validates the credentials
  2. Authorization: Based on the user's group membership, the VPN gateway applies an access policy that limits which internal subnets the user can reach
  3. Accounting: The RADIUS server logs the connection time, duration, source IP, and bytes transferred for compliance reporting
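The three-step VPN scenario above, and the accounting question in the previous section ("what did this user access?"), can be run end to end in one small simulation. This is an added example written for this page, not RADIUS server code or CompTIA material: the user store, group-to-subnet policy, salts, TOTP seeds and the in-memory accounting log are constructed assumptions. The one-time code is a real RFC 6238 TOTP computation, so the "something you have" step is not faked.

```python
import hashlib
import hmac
import ipaddress
import struct
import time


def _pw_hash(password, salt):
    # Salted PBKDF2 so the store never holds the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store standing in for the RADIUS server's directory
USERS = {
    "alice": {"salt": b"salt-alice", "pw": _pw_hash("correct horse battery", b"salt-alice"),
              "totp_seed": b"alice-authenticator-seed", "groups": {"engineering"}},
    "bob":   {"salt": b"salt-bob", "pw": _pw_hash("hunter2hunter2", b"salt-bob"),
              "totp_seed": b"bob-authenticator-seed", "groups": {"finance"}},
}

# Constructed authorization policy: group membership -> subnets the VPN gateway permits
GROUP_SUBNETS = {
    "engineering": [ipaddress.ip_network("10.10.0.0/16")],
    "finance": [ipaddress.ip_network("10.20.0.0/24")],
}

ACCOUNTING_LOG = []   # the accounting phase appends one record per event


def totp(seed, now, step=30, digits=6):
    """RFC 6238 TOTP on top of RFC 4226 HOTP: HMAC-SHA1 over the time counter,
    dynamic truncation, then the last `digits` decimal digits."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticate(user, password, otp, now):
    """Phase 1: something you know (password) + something you have (TOTP device)."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])
    otp_ok = hmac.compare_digest(otp, totp(rec["totp_seed"], now))
    return pw_ok and otp_ok


def authorize(user, destination):
    """Phase 2: may this already-authenticated identity reach the destination?"""
    allowed = [net for g in USERS[user]["groups"] for net in GROUP_SUBNETS.get(g, [])]
    return any(ipaddress.ip_address(destination) in net for net in allowed)


def account(**fields):
    """Phase 3: record the outcome, whether or not the earlier phases succeeded."""
    ACCOUNTING_LOG.append(dict(fields))


def vpn_session(user, password, otp, destination, source_ip, now, bytes_sent=0):
    """Run the three phases in order; each can fail on its own, and each failure is logged."""
    base = dict(user=user, src=source_ip, dst=destination, ts=int(now))
    if not authenticate(user, password, otp, now):
        account(**base, phase="authentication", result="fail")
        return "authentication_failed"
    if not authorize(user, destination):
        account(**base, phase="authorization", result="deny")
        return "authorization_denied"
    account(**base, phase="session", result="allow", bytes=bytes_sent)
    return "allowed"


def accessed_by(user):
    """The incident-investigation question: what did this user actually reach, and when?"""
    return [r for r in ACCOUNTING_LOG if r["user"] == user and r["result"] == "allow"]


if __name__ == "__main__":
    now = time.time()
    code = totp(USERS["alice"]["totp_seed"], now)
    print(vpn_session("alice", "correct horse battery", code, "10.10.5.5", "203.0.113.7", now, 4096))
    print(vpn_session("alice", "correct horse battery", code, "10.20.0.9", "203.0.113.7", now))
    print(accessed_by("alice"))
```

The second call in the demo is the "logged in but Access Denied" pattern: authentication passed, authorization did not, and the accounting record says so explicitly. Logging the failed phases as well as the successful sessions is what later lets an investigator distinguish a credential problem from a policy problem.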

Each phase is distinct. Each serves a different purpose. Each can fail independently.


Pattern Recognition

Security+ questions on AAA follow these patterns:

  • Phase identification: "A user can log in but cannot access the file share." This is an authorization issue, not authentication. Authentication succeeded (they logged in)
  • Factor classification: "Which combination represents true MFA?" Look for options that mix categories, not options that use multiple instances of one category
  • Protocol selection: "Which protocol provides separate control of authentication, authorization, and accounting?" TACACS+ separates them; RADIUS combines authentication and authorization
  • Model matching: "An organization assigns access based on job titles." This is RBAC, not ABAC (which would use multiple attributes beyond just role)

Trap Patterns

Common wrong answers and why they are wrong:

  • Confusing authentication with authorization: "The user cannot access the resource" does not automatically mean authentication failed. If they are logged in, authentication worked — the issue is authorization
  • Calling two passwords MFA: Two knowledge factors are not multi-factor authentication. The exam will present this as a distractor. MFA requires different categories of factors
  • Mixing up RADIUS and TACACS+: RADIUS encrypts only the password and combines authn/authz. TACACS+ encrypts everything and separates all three AAA functions. Know the difference
  • Confusing RBAC with rule-based: RBAC is based on organizational roles. Rule-based is based on conditional rules (if/then logic). They sound similar but are fundamentally different models

Scenario Practice


Question 1

A company requires employees to enter a password and then scan their fingerprint before accessing the corporate network. A recent security assessment found that both factors are verified by the same authentication server.

What type of authentication is being used?

A. Single-factor authentication using two verification methods sequentially
B. Multi-factor authentication combining knowledge and biometric factors
C. Two-step verification that only validates the stronger authentication factor
D. Risk-based authentication that adapts requirements based on user behavior

Answer & reasoning

Correct: B

A password (something you know) and a fingerprint (something you are) come from two different factor categories. This is true multi-factor authentication regardless of whether one server or two servers handle the verification.

The number of servers is irrelevant — what matters is the number of distinct factor categories.


Question 2

An employee successfully logs into the company's intranet portal but receives an "Access Denied" error when attempting to open a document in the legal department's shared folder.

Which AAA component is MOST likely causing this issue?

A. The authentication server failed to validate the employee's credentials properly
B. The accounting system is not recording the employee's access attempts correctly
C. The authorization policy does not grant this employee access to legal documents
D. The employee's multi-factor authentication token has expired since initial login

Answer & reasoning

Correct: C

The employee logged in successfully — authentication worked. They received "Access Denied" on a specific resource — this is an authorization issue. The employee's identity was verified, but their permissions do not include access to the legal folder.

If authentication had failed, they would not have reached the intranet portal at all.


Question 3

An organization needs to implement centralized authentication for its network infrastructure devices (routers, switches, firewalls). The security team requires the ability to control authentication, authorization, and accounting independently for granular policy management.

Which protocol BEST meets these requirements?

A. RADIUS, which combines authentication and authorization into a single process
B. TACACS+, which separates authentication, authorization, and accounting functions
C. Kerberos, which uses time-limited tickets issued by a key distribution center
D. SAML, which provides XML-based authentication assertions between providers

Answer & reasoning

Correct: B

The key requirement is independent control of each AAA function. TACACS+ is the only protocol that separates authentication, authorization, and accounting into distinct processes, allowing granular policy management.

RADIUS combines authentication and authorization. Kerberos is for domain authentication, not device management. SAML is for web-based SSO.


Key Takeaway

AAA is a sequence, not a single concept. Authentication proves identity, authorization determines permissions, and accounting records actions. Every access decision on the exam follows this order. When a scenario describes an access problem, identify which phase is failing — the fix depends entirely on whether the issue is proving who someone is, determining what they can do, or tracking what they did. Confusing authentication with authorization is the single most common mistake on AAA questions.
