Within the framework of Authentication, Authorization, and Accounting (AAA), authentication is fundamentally defined as the validation of an identity or a credential. It is the critical first step in secure access control, ensuring that the system knows exactly who an entity is before permitting it to perform any actions.
The Foundation of AAA
The sources describe the "Triple A" principle as a technological control mechanism similar to airport security or a retail transaction.
Authentication: Verifies the identity ("Who are you?").
Authorization: Determines entitlement ("What are you allowed to do?"). A successful authentication does not automatically grant access; the authorization process must still determine the appropriate level of entitlement based on the security context.
Accounting: Maintains an audit trail and security log of what transpired ("What did you do?").
Core Authentication Components
In a network environment, authentication involves three primary "actors":
Supplicant: Software on the endpoint that understands how to communicate credentials (e.g., Windows native supplicant or AnyConnect NAM).
Authenticator: The Network Access Device (NAD), such as a switch or wireless controller, that acts as a middleman or proxy between the endpoint and the server.
Authentication Server: The policy engine, such as Cisco ISE, that validates the credentials against an identity store and returns a result.
Authentication Protocols and Methods
The sources distinguish between two primary contexts for AAA:
Network Access AAA: Focuses on identifying users or endpoints before they communicate on the network. This typically uses the RADIUS protocol, an IETF standard that combines authentication and authorization into a single transaction. Common methods include IEEE 802.1X, MAC Authentication Bypass (MAB) for "headless" devices, and Web Authentication (WebAuth) for interactive users.
Device Administration AAA: Controls administrative access to network devices (e.g., SSH or console sessions). This context prefers the TACACS+ protocol because it separates authentication from authorization, allowing a user to authenticate once but be authorized for every individual command entered.
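To make the contrast between the two contexts concrete, here is an added example (not code from the sources or from Cisco) that models both in Python: the RADIUS server answers a single Access-Request with an Access-Accept that already carries the authorization attributes, while the TACACS+ server authenticates once and then authorizes, and records, every command on its own. The users, roles, attribute values and command rules are constructed sample data.

```python
# Added example (not from the page's sources): a minimal model of the two AAA
# contexts above. The RADIUS server answers one Access-Request with an
# Access-Accept that already carries the authorization attributes, while the
# TACACS+ server authenticates once and then authorizes (and accounts for) each
# command separately. Users, roles and command rules are constructed samples.
from dataclasses import dataclass, field

# Constructed identity store shared by both servers: username -> (password, role).
USERS = {
    "alice": ("correct-horse", "netadmin"),
    "bob": ("battery-staple", "helpdesk"),
}


@dataclass
class RadiusServer:
    """Network access AAA: authentication and authorization in one transaction."""

    # Constructed role -> RADIUS-style authorization attributes (VLAN and ACL name).
    role_attrs: dict = field(default_factory=lambda: {
        "netadmin": {"Tunnel-Private-Group-ID": "10", "Filter-Id": "ADMIN-ACL"},
        "helpdesk": {"Tunnel-Private-Group-ID": "20", "Filter-Id": "USER-ACL"},
    })
    accounting: list = field(default_factory=list)  # audit trail of decisions

    def access_request(self, username, password):
        """Return ("Access-Accept", attrs) or ("Access-Reject", {})."""
        entry = USERS.get(username)
        if entry is None or entry[0] != password:
            self.accounting.append((username, "Access-Reject"))
            return ("Access-Reject", {})
        # Authorization rides in the same reply as the authentication result.
        self.accounting.append((username, "Access-Accept"))
        return ("Access-Accept", dict(self.role_attrs[entry[1]]))


@dataclass
class TacacsServer:
    """Device administration AAA: authenticate once, authorize every command."""

    # Constructed policy: first word of each command a role may execute.
    allowed: dict = field(default_factory=lambda: {
        "netadmin": {"show", "configure", "interface", "shutdown"},
        "helpdesk": {"show"},
    })
    sessions: dict = field(default_factory=dict)     # session id -> role
    accounting: list = field(default_factory=list)   # per-command audit trail

    def authenticate(self, username, password):
        """Return a session id on success, None on failure."""
        entry = USERS.get(username)
        if entry is None or entry[0] != password:
            return None
        session_id = f"{username}-session"
        self.sessions[session_id] = entry[1]
        return session_id

    def authorize_command(self, session_id, command):
        """Each command is a separate authorization decision and audit record."""
        role = self.sessions.get(session_id)
        permitted = role is not None and command.split()[0] in self.allowed.get(role, set())
        self.accounting.append((session_id, command, "permit" if permitted else "deny"))
        return permitted
```

The per-command audit list on the TACACS+ side is where the Accounting leg of AAA shows up: every command an administrator types produces its own record, which is exactly what a single RADIUS transaction cannot give you.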
Identity Management and Policies
Authentication relies on Identity Stores, which act as the "single source of truth" for credentials. These can be Internal (stored on ISE) or External (such as Active Directory or LDAP).
Cisco ISE uses Authentication Policies to achieve four primary goals:
Drop unauthorized traffic immediately to save processing power.
Route requests to the correct identity store (e.g., routing certificate-based requests to a Certificate Authentication Profile).
Validate the identity (checking that a password is correct, or that a certificate has neither expired nor been revoked).
Pass the session to the Authorization Policy for the final access decision.
To handle complex environments, ISE leverages Identity Source Sequences (ISS), which allow the server to check multiple identity stores in a top-to-bottom succession until a match is found.
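The four policy goals and the top-to-bottom behaviour of an Identity Source Sequence can be seen end to end in the following added example. It is a simplified model written for this page, not ISE's own code: the identity stores, users, certificate details and the list of known network devices are constructed samples, and treating requests from unknown network devices as the traffic to drop is an assumption made for the example.

```python
# Added example (not ISE's own code): a simplified model of the four
# authentication-policy goals and of an Identity Source Sequence (ISS).
# Stores, users, certificates and the list of known network devices are
# constructed samples; treating requests from unknown network devices as the
# traffic to drop is an assumption made for this example.
from dataclasses import dataclass
from datetime import date


@dataclass
class PasswordCredential:
    username: str
    password: str


@dataclass
class CertificateCredential:
    subject: str      # identity the Certificate Authentication Profile extracts
    not_after: date   # certificate expiry
    serial: str       # looked up against the revocation list


class IdentityStore:
    """One identity store (internal users, AD, LDAP ...) holding username -> password."""
    NOT_FOUND, ACCEPTED, REJECTED = "not_found", "accepted", "rejected"

    def __init__(self, name, users):
        self.name, self.users = name, users

    def check(self, cred):
        if cred.username not in self.users:
            return self.NOT_FOUND
        return self.ACCEPTED if self.users[cred.username] == cred.password else self.REJECTED


class IdentitySourceSequence:
    """Query stores top to bottom until one knows the user, then stop there."""

    def __init__(self, stores):
        self.stores = stores

    def check(self, cred):
        for store in self.stores:
            result = store.check(cred)
            if result != IdentityStore.NOT_FOUND:   # found: accept or reject here
                return result, store.name
        return IdentityStore.NOT_FOUND, None


class CertificateAuthenticationProfile:
    """Validate a certificate credential: expiry and revocation."""

    def __init__(self, revoked_serials, today):
        self.revoked, self.today = set(revoked_serials), today

    def check(self, cred):
        if cred.not_after < self.today:
            return "rejected:expired"
        if cred.serial in self.revoked:
            return "rejected:revoked"
        return IdentityStore.ACCEPTED


class AuthenticationPolicy:
    def __init__(self, iss, cap, known_nads):
        self.iss, self.cap, self.known_nads = iss, cap, set(known_nads)

    def evaluate(self, nad_ip, cred):
        # Goal 1: drop unwanted requests before doing any identity work.
        if nad_ip not in self.known_nads:
            return {"result": "dropped", "reason": "unknown network device"}
        # Goal 2: route the request to the right identity store.
        if isinstance(cred, CertificateCredential):
            outcome, store = self.cap.check(cred), "CAP"
            identity = cred.subject
        else:
            outcome, store = self.iss.check(cred)
            identity = cred.username
        # Goal 3: validate the identity.
        if outcome != IdentityStore.ACCEPTED:
            return {"result": "rejected", "reason": outcome, "store": store}
        # Goal 4: hand the authenticated session to the authorization policy.
        return {"result": "authenticated", "identity": identity, "store": store,
                "next": "authorization_policy"}


def build_demo_policy():
    """Constructed sample deployment: internal store first, then AD."""
    internal = IdentityStore("Internal Users", {"svc-backup": "pw1"})
    ad = IdentityStore("AD", {"alice": "correct-horse"})
    cap = CertificateAuthenticationProfile(revoked_serials={"0xbad"}, today=date(2024, 6, 1))
    return AuthenticationPolicy(IdentitySourceSequence([internal, ad]), cap, {"10.0.0.1"})
```

Note the stop condition in the sequence: a store that knows the user ends the search even when the password is wrong, so a bad password against the first store is not retried against the next one. That is what "succession until a match is found" means in practice, and it is worth keeping in mind when the same username exists in more than one store.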