The acronym AAA stands for “Authentication, Authorisation, and Accounting”. It defines an architecture which authenticates and grants authorisation to users, and afterwards accounts for their activity. When AAA is not used, the architecture is described as “open”, where anyone can gain access and do anything, without any tracking.
The responsibilities of each component can be summarized as follows:
- Authentication: Is this a valid user for this system?
- Authorisation: What permissions and access does this user have?
- Accounting: What did this user do on the system?
It is possible to incorporate only a portion of AAA in a system. For example, if a company is not concerned about billing users for their network usage, they may decide to both authenticate and authorize users, but ignore user activity and not bother with accounting. Similarly, a monitoring system will look for unusual user activity (accounting), but may cede the authentication and authorisation decisions to another part of the network.
What are the benefits of AAA?
AAA ensures the flexibility of network policies and gives administrators the ability to move systems.
AAA has been in common use since the early 1990s for medium to large networks. Generally speaking, small organizations can be managed without an AAA system, particularly where access to the network is largely constrained by physical access. The threshold for needing the flexibility and scalability that AAA provides is usually around 40-50 users.
What are some examples of AAA?
The RADIUS protocol is one of a number of Authentication, Authorisation, and Accounting protocols.
FreeRADIUS is an open source implementation of the RADIUS protocol and is the most popular RADIUS server in the world.
Another example of an AAA protocol is Diameter.
Where is AAA used?
Today, the proliferation of mobile devices, diverse network consumers, and varied network access methods combine to create an environment that places greater demands on AAA. AAA has a part to play in almost all the ways we access a network: wireless hotspots use AAA for security; partitioned networks require AAA to enforce access; all forms of remote access use AAA to authorize remote users.
Is RADIUS AAA right for your network?
If you have fewer than 40 users and access is controlled by physical location → You may not need AAA
If you manage remote access, Wi-Fi, or VPN for 40+ users → AAA is essential
If you need compliance audit trails → Accounting is non-negotiable
If you're evaluating RADIUS → See our RADIUS AAA guide
If you're an ISP managing subscribers at scale → RADIUS AAA handles Authentication, service policy assignment, and billing Accounting in one system
If you're an enterprise managing Wi-Fi, VPN, and wired access → RADIUS AAA with 802.1X gives you centralised control over every access point
If you're using Active Directory for user management → RADIUS integrates directly with AD via LDAP or Samba, no separate identity store required
If you're running Cisco ISE or Microsoft NPS → RADIUS AAA is what those products are built on; FreeRADIUS delivers the same functions without the licensing costs
If you need compliance audit trails → RADIUS accounting captures session records that satisfy most compliance frameworks
How Authentication, Authorisation, and Accounting work together
AAA isn't three separate systems running in parallel; it's a chain.
- Authentication comes first, establishing identity.
- Authorisation follows, determining what that verified identity is permitted to do.
- Accounting runs throughout the session, recording what actually happened.
Each stage depends on the one before it: you can't grant meaningful Authorisation without first confirming identity, and Accounting records are only useful when you know who the session belonged to.
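As an added illustration of this dependency (not code from the original article or from FreeRADIUS), the Python below audits constructed accounting records against authentication results and flags sessions that break the chain. The event layout and the `audit_chain` function are assumptions made for the example; only the attribute names (User-Name, Acct-Session-Id, Acct-Status-Type) are standard RADIUS.

```python
# Constructed sample events for illustration; this is not a real server log format.
# Attribute names (User-Name, Acct-Session-Id, Acct-Status-Type) are standard RADIUS.
EVENTS = [
    {"t": 100, "kind": "auth", "User-Name": "alice", "result": "Access-Accept"},
    {"t": 101, "kind": "acct", "User-Name": "alice", "Acct-Session-Id": "s1",
     "Acct-Status-Type": "Start"},
    {"t": 150, "kind": "auth", "User-Name": "bob", "result": "Access-Reject"},
    {"t": 151, "kind": "acct", "User-Name": "bob", "Acct-Session-Id": "s2",
     "Acct-Status-Type": "Start"},
    {"t": 200, "kind": "acct", "User-Name": "", "Acct-Session-Id": "s3",
     "Acct-Status-Type": "Start"},
    {"t": 400, "kind": "acct", "User-Name": "alice", "Acct-Session-Id": "s1",
     "Acct-Status-Type": "Stop"},
    {"t": 450, "kind": "acct", "User-Name": "carol", "Acct-Session-Id": "s4",
     "Acct-Status-Type": "Stop"},
]


def audit_chain(events):
    """Return (session_id, reason) for accounting records that break the AAA chain."""
    accepted = set()    # users whose latest authentication succeeded
    open_sessions = {}  # Acct-Session-Id -> User-Name
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        user = ev.get("User-Name", "")
        if ev["kind"] == "auth":
            # A later reject revokes an earlier accept for new sessions.
            if ev["result"] == "Access-Accept":
                accepted.add(user)
            else:
                accepted.discard(user)
            continue
        sid, status = ev["Acct-Session-Id"], ev["Acct-Status-Type"]
        if status == "Start":
            if not user:
                findings.append((sid, "accounting record has no identity"))
            elif user not in accepted:
                findings.append((sid, "no successful authentication before Start"))
            else:
                open_sessions[sid] = user
        elif status == "Stop":
            if open_sessions.pop(sid, None) is None:
                findings.append((sid, "Stop without an audited Start"))
    # Sessions still open may be active or may have lost their Stop record.
    findings += [(sid, "no Stop seen in window") for sid in sorted(open_sessions)]
    return findings
```

On the sample data, alice's session passes the audit, while the sessions for bob (rejected at authentication), the record with an empty User-Name, and carol's orphaned Stop are reported.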
AAA and network security
AAA is a foundational security architecture, but it's worth being precise about what it protects.
Strong AAA controls who enters the network and tracks what they do while they're on it. That's essential. But AAA is one layer in a broader security architecture. A well-configured AAA system with poor network segmentation, flat topology, or unmonitored vendor access still leaves organisations vulnerable to lateral movement once an attacker is inside.
This is why network security professionals talk about AAA as a strong front door - necessary, but most effective when the rest of the house is equally well-secured.
Conclusion
AAA - Authentication, Authorisation, and Accounting - is the framework that controls who accesses your network, what they can do, and what gets recorded. RADIUS is the most widely deployed protocol implementing AAA for enterprise and ISP networks. For most organisations managing more than a handful of users, AAA isn't optional: it's the foundation of network security.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.