When Does Authorization Occur in the AAA Process?
Understanding the precise moment that authorization is applied within the Authentication‑Authorization‑Accounting (AAA) framework is essential for network administrators, security engineers, and anyone involved in designing secure access controls. Although AAA is often presented as a three‑step pipeline, the actual timing of each step can vary depending on the protocol, technology, and deployment scenario. This article breaks down the mechanics of the AAA process, explains the typical sequence of events, and clarifies when and how authorization is enforced in real‑world systems.
Introduction
AAA is a foundational concept in network security, originally coined by the RFC 2865 and RFC 2866 documents for RADIUS, and later adapted to other protocols such as TACACS+. The three components serve distinct purposes:
- Authentication – verifying the identity of a user or device.
- Authorization – determining what that authenticated entity is allowed to do.
- Accounting – logging the activity for auditing, billing, or policy enforcement.
While authentication is the first gatekeeper, it is authorization that actually dictates the scope of access. Knowing exactly when authorization takes place allows architects to design systems that balance performance, security, and scalability.
The Classic AAA Flow
Below is a high‑level representation of the typical AAA interaction, using RADIUS as an example:
User → NAS (Network Access Server) → RADIUS Server
1. Authentication Request
- The NAS forwards the user’s credentials (e.g., username/password or token) to the RADIUS server.
- The server validates the credentials against an authentication backend (LDAP, Active Directory, local DB).
2. Authorization Request
- Upon successful authentication, the NAS sends an Authorization packet to the server.
- The server consults policy databases or attribute stores to determine the user’s permissions, such as VLAN assignment, bandwidth limits, or service access.
3. Accounting Request
- The NAS begins sending periodic accounting packets (start, interim, stop) to record session duration, data usage, and other metrics.
In this flow, authorization is triggered immediately after a successful authentication. That said, the exact moment can shift depending on protocol nuances.
When Authorization Is Implemented: A Closer Look
1. Immediate Post‑Authentication Authorization
In the most common RADIUS deployments, the server sends an Access‑Accept message that contains Authorization attributes. These attributes are part of the same packet that confirms authentication success. The NAS then enforces the policies instantly, enabling the user’s session.
- Pros: Low latency, single round‑trip to the server.
- Cons: All authorization decisions must be made before the user is granted access, which can be problematic for dynamic policies that rely on real‑time data (e.g., current network load).
2. Deferred Authorization (Policy‑Based or Contextual)
Some systems separate authentication and authorization into distinct phases:
- Authentication: The NAS accepts the user and starts a session.
- Deferred Authorization: The NAS periodically queries the RADIUS server for updated policies or waits for a specific event (e.g., a policy‑change message) before applying new restrictions.
This approach is common in policy‑based access control (PBAC) environments where policies may change during a session (e.g., a user moves from a guest network to a secure VLAN after a security check).
3. On‑Demand Authorization in Protocols Like TACACS+
TACACS+ treats authorization as a separate, explicit request. After authentication, the client (e.g., a router) sends a TACACS+ Authorization packet that can request specific services (e.g., command authorization). The server responds with a list of permitted commands or configuration changes.
- Use Case: Network devices where operators need granular control over what commands a user can execute.
4. Authorization Within Token‑Based Systems
In OAuth 2.0 or OpenID Connect flows, authorization occurs after the user authenticates with an identity provider (IdP). The IdP issues an access token that encodes scopes and permissions. The resource server validates the token and enforces authorization before granting access to protected resources.
- Timing: Authorization is effectively simultaneous with resource access, but the decision is made by the resource server upon each request.
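The per‑request decision described above, as an added Python example that is not part of the original article: a constructed IdP routine mints an HS256‑signed JWT carrying a `scope` claim, and a resource‑server routine re‑checks signature, algorithm, expiry and required scope on every call rather than once at login. The signing key, subject, scopes and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, scopes: list, ttl: int, now: int) -> str:
    """IdP side (constructed sample): HS256 JWT whose 'scope' claim lists the granted permissions."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": subject, "scope": " ".join(scopes), "exp": now + ttl}).encode())
    signature = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(signature)}"


def authorize_request(key: bytes, token: str, required_scope: str, now: int) -> bool:
    """Resource-server side: the authorization decision is taken again on every request."""
    try:
        header, claims, signature = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        body = json.loads(_b64url_decode(claims))
        sig = _b64url_decode(signature)
    except ValueError:  # covers binascii.Error, JSONDecodeError and unpack errors
        return False  # not a well-formed token
    if not isinstance(hdr, dict) or not isinstance(body, dict) or hdr.get("alg") != "HS256":
        return False  # the token never gets to choose the verification algorithm
    expected = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False  # forged or tampered token
    if body.get("exp", 0) <= now:
        return False  # expired between requests: access is withdrawn without a new login
    return required_scope in body.get("scope", "").split()
```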
Factors Influencing Authorization Timing
| Factor | Impact on Timing | Example |
|---|---|---|
| Protocol Design | Determines whether authorization is bundled with authentication or separate. | RADIUS (bundled) vs. TACACS+ (separate) |
| Policy Complexity | Dynamic or context‑sensitive policies may delay authorization until additional data is available. | Real‑time bandwidth throttling |
| Performance Requirements | High‑throughput environments may prefer early authorization to reduce round‑trips. | Large campus networks |
| Security Posture | Strict environments may enforce multiple authorization checks during a session. | Military or financial networks |
| Device Capabilities | Some NAS or network devices may only support single‑step authorization. | |
Step‑by‑Step Example: RADIUS Authorization Flow
- User submits credentials to the NAS.
- NAS forwards an Access‑Request to the RADIUS server.
- RADIUS server authenticates and replies with Access‑Accept containing:
- User-Name, Framed-IP-Address, VLAN-ID, Bandwidth-Limits, etc.
- NAS applies policies immediately and establishes the user session.
- NAS begins sending Accounting‑Start packets.
- If policies change (e.g., due to a policy engine update), the NAS may send a new Access‑Request or rely on a re‑authorization mechanism.
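The Access‑Accept path in this step‑by‑step flow (and in section 1 above), as an added Python example that is not part of the original article: a constructed Access‑Accept is assembled server‑side with its Response Authenticator, and the NAS‑side function applies the authorization attributes it carries only after verifying that authenticator, otherwise keeping the session in the default‑deny state the FAQ mentions. Packet code and attribute numbers are the RFC 2865/2868 values; the shared secret, user name, IP and VLAN are constructed sample data.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet code and attribute types used below (real values).
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # carries the VLAN ID in 802.1X deployments (RFC 2868)
DEFAULT_DENY = {"user": None, "ip": None, "vlan": None, "allowed": False}

def parse_attributes(payload: bytes) -> dict:
    """Walk the type/length/value attribute list of a RADIUS packet body."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")  # never trust lengths from the wire
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Server side (constructed sample): Access-Accept carrying authorization attributes."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def authorize_from_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """NAS side: apply the reply's authorization attributes only after it proves it came from the secret holder."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != bytes([ACCESS_ACCEPT]) or not 20 <= length <= len(packet):
        return DEFAULT_DENY
    resp_auth, body = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return DEFAULT_DENY  # forged or tampered reply: the session stays in its default-deny state
    try:
        attrs = parse_attributes(body)
    except ValueError:
        return DEFAULT_DENY  # malformed even though authenticated: still fail closed
    vlan = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"")
    if vlan and vlan[0] <= 0x1F:
        vlan = vlan[1:]  # RFC 2868 tag byte precedes the group ID when it is 0x00..0x1F
    ip = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    return {"user": attrs.get(ATTR_USER_NAME, b"").decode(errors="replace"),
            "ip": ".".join(map(str, ip)) if ip and len(ip) == 4 else None,
            "vlan": vlan.decode(errors="replace") or None, "allowed": True}
```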
Authorization in Modern Cloud and SD‑WAN Environments
Cloud‑native and software‑defined WAN (SD‑WAN) architectures often decouple authentication from authorization:
- Authentication occurs via a central identity provider (e.g., Azure AD, Okta).
- Authorization is enforced at the edge gateway using policy objects that reference cloud‑managed rule sets.
- Dynamic Policy Updates: Edge devices pull updated policies from a central controller as soon as they change, ensuring that users immediately receive new access rights without re‑authentication.
This model supports zero‑trust principles, where every session is continuously evaluated for risk and policy compliance.
Common Misconceptions About Authorization Timing
| Misconception | Reality |
|---|---|
| “Authorization always happens after authentication.” | In some protocols (e.g., OAuth), authorization is evaluated per request, not just after initial login. |
| “Authorization can wait until the session ends.” | Policies may need to be enforced in real time to prevent misuse (e.g., limiting command execution on network devices). |
| “Authorization is a single decision.” | Many systems support multi‑factor authorization, where different levels of access are granted based on contextual risk. |
Frequently Asked Questions
Q1: Can authorization be skipped if authentication succeeds?
A: In most AAA implementations, no. Authorization is mandatory to define what the authenticated entity may do. Skipping it would effectively grant unrestricted access, violating security principles.
Q2: How does the AAA server know what policies to apply?
A: The server consults configured policy repositories—such as LDAP groups, SQL databases, or cloud‑based policy engines—using attributes from the authenticated identity (e.g., role, department, device type).
Q3: What happens if the authorization response is delayed?
A: The NAS may enforce default policies (e.g., deny all) until the server responds. In critical systems, timeouts are shortened to prevent denial‑of‑service via delayed policy delivery.
Q4: Is it possible to perform authorization before authentication?
A: Technically, the NAS can request preliminary authorization based on pre‑authenticated tokens or certificates. That said, the definitive authorization decision usually waits until credentials are verified.
Q5: How does authorization interact with accounting?
A: Authorization determines the scope of activity (what the user can do). Accounting records the compliance of that activity (how much data was transferred, which commands were executed). The two work hand‑in‑hand to provide a complete audit trail.
Conclusion
Authorization in the AAA process is not a static, one‑off event; it is a dynamic decision that can occur immediately after authentication, in response to contextual changes, or per request in token‑based systems. Understanding the timing and mechanisms of authorization enables designers to build secure, efficient, and scalable access control systems that adapt to modern networking demands. By aligning protocol choice, policy design, and device capabilities, organizations can ensure that every authenticated entity operates within the boundaries explicitly defined by their security policies.