Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term AAA Framework

Training Camp • Cybersecurity Glossary

What is AAA Framework?

The Authentication, Authorization, and Accounting model for network access control, implemented by protocols like RADIUS, TACACS+, and Diameter.

Glossary > Identity & Access Management > AAA Framework

AAA Framework — The Authentication, Authorization, and Accounting model for network access control, implemented by

Understanding AAA Framework

The AAA framework stands for Authentication, Authorization, and Accounting — a security model that controls and records access to networks, devices, and resources. Authentication verifies who a user or device is, authorization determines what they are permitted to do, and accounting logs their activity for auditing, billing, and forensics. Together these three functions form the backbone of network access control.

Each element has a distinct job. Authentication validates identity via credentials, certificates, or tokens. Authorization, performed after identity is confirmed, enforces policy on which commands, services, or network segments the subject may use. Accounting captures session details — login times, commands issued, data consumed — and forwards them to logging systems. In deployment, network devices (the AAA clients) hand these requests to a central server using protocols such as RADIUS, TACACS+, or Diameter.

The AAA framework matters because it centralizes and separates the control of access, which is far more secure and scalable than per-device local accounts. Centralized authentication enforces consistent credential policy; granular authorization supports least privilege; and accounting provides the audit trail required for incident response and compliance (PCI DSS, HIPAA, SOX). Without AAA, organizations lose visibility into who did what, and managing access across hundreds of devices becomes error-prone.

For example, an enterprise uses TACACS+ — which separates the three functions and encrypts the full payload — to manage router and switch administration. When an engineer logs in, the TACACS+ server authenticates the credentials, authorizes only the specific IOS commands tied to their role, and logs every command entered. RADIUS, by contrast, is commonly used for end-user network access such as 802.1X and VPN, where it combines authentication and authorization in one step while still producing accounting records.

Learn More About AAA Framework:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →