Least Privilege, AAA, Passwords, and MFA

Key Takeaways

  • Least privilege means users and devices receive only the access needed to perform their role.
  • AAA stands for authentication, authorization, and accounting.
  • Long, unique passwords resist guessing and limit the damage from password reuse and credential theft.
  • MFA improves account protection by requiring an additional factor beyond the password.
Last updated: May 2026

Identity and Access Basics

Network security is not only about blocking packets. It is also about deciding who is allowed to use systems, what they are allowed to do, and how activity is recorded. The principle of least privilege is the simple rule behind many access decisions: give a person, service, or device only the permissions required for the task. A receptionist may need access to a scheduling application but not firewall administration. A printer may need to receive print jobs but not reach file shares. A guest phone may need Internet access but not management access to the router.

AAA is a common way to organize identity controls. Authentication asks: who are you? It can use a password, certificate, token, biometric factor, or a combination of methods. Authorization asks: what are you allowed to do? A user may authenticate successfully but still lack permission to view a folder, change a switch configuration, or connect to a restricted wireless network. Accounting asks: what did you do? Logs, session records, configuration-change history, and sign-in events help support troubleshooting, auditing, and incident response.

Passwords remain common, so they must be handled carefully. A strong password or passphrase should be long, unique, and hard to guess. Length usually matters more than forced complexity rules, which push users toward predictable substitutions, written-down passwords, and reused patterns. Reusing the same password across services is dangerous because one breached site can expose every account where that password was used. Default passwords on routers, access points, cameras, printers, and network appliances must be changed before the device is trusted on a network; factory logins are published in vendor manuals and are the first thing an attacker tries. Shared administrator passwords should be avoided when individual accounts and role-based permissions are available, because a shared password cannot be tied to one person in the accounting records.

Technicians must also understand password safety in daily work. Do not ask users to tell you their password. Use approved reset workflows. Do not store passwords in tickets, screenshots, chat messages, or plain text notes. When a password reset is needed, verify the user's identity according to organizational procedure. If a device arrives with a vendor default login, document that it must be changed as part of installation. If a user reports repeated lockouts, collect times and affected services rather than guessing or repeatedly clearing the symptom.
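As an added example (code written for this page, not part of the original study notes), here are the password rules above expressed as a working Python check plus safe storage: length is enforced instead of character-class quotas, known vendor defaults are rejected, and the password is kept only as a salted PBKDF2 digest and verified in constant time. The minimum length, the iteration count, and the small default-password list are assumptions made for the example, not an organizational standard.

```python
import hashlib
import hmac
import secrets

# Constructed list of vendor defaults and commonly reused passwords (an assumption for
# this example; a real check would consult a breached-password list).
KNOWN_BAD_PASSWORDS = {"admin", "password", "cisco", "123456", "changeme", "letmein", "Password1"}

MIN_LENGTH = 14              # assumption: length is weighted over character-class rules
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware; a slow hash limits offline guessing


def check_password_policy(username, password):
    """Return a list of policy violations; an empty list means the password is acceptable.

    Length and uniqueness are enforced. There are no symbol/uppercase quotas, which
    mainly produce predictable substitutions such as 'P@ssw0rd1'.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in {p.lower() for p in KNOWN_BAD_PASSWORDS}:
        problems.append("matches a vendor default or commonly reused password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("too few distinct characters (repeated pattern)")
    return problems


def hash_password(password):
    """Produce a storable record: algorithm, iterations, random salt, digest. Never the plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # A new access point arriving with its factory login, and a user choosing a passphrase.
    for user, pw in [("admin", "cisco"), ("jsmith", "Tr0ub4dor&3"), ("jsmith", "correct horse battery staple")]:
        issues = check_password_policy(user, pw)
        print(f"{user!r}/{pw!r}: {'OK' if not issues else '; '.join(issues)}")

    record = hash_password("correct horse battery staple")
    print("stored record:", record)   # no plaintext appears anywhere in the record
    print("correct passphrase accepted:", verify_password(record, "correct horse battery staple"))
    print("one-character typo rejected:", verify_password(record, "correct horse battery stapel"))
```

The stored record is what a ticket or screenshot should never contain in the first place: even if it leaks, an attacker still has to run the slow hash for every guess, and two users with the same passphrase get different records because the salt is random.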

Multi-factor authentication, or MFA, adds a second proof of identity beyond the password. Factors are usually grouped as something you know, something you have, and something you are. A password is something you know. A phone app approval, a hardware security key, or a one-time code from an authenticator app is something you have. A fingerprint or face scan is something you are. MFA is valuable because a stolen password alone is then not enough to sign in. It must still be used carefully, because not all second factors are equal: one-time codes and push approvals can be phished or worn down by repeated prompts until a tired user taps approve, while a hardware security key that checks which site it is talking to resists both. Users should be trained never to approve a push prompt they did not start themselves, and technicians should treat reports of repeated, unexplained MFA prompts as a sign that the password is probably already in an attacker's hands and escalate them.
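As an added example for the "something you have" factor (written for this page, not part of the original notes), the block below implements time-based one-time passwords (TOTP, RFC 6238) with only the Python standard library, then builds a login that refuses a correct password unless a valid, unused code accompanies it. The 30-second step, six digits, and one-step drift window are the usual defaults and are assumptions here; the secret from the RFC test vectors is included so the codes can be checked against the published values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by most authenticator apps
WINDOW = 1          # accept one step of clock drift on either side (assumption: policy choice)

# Shared secret from the RFC 4226/6238 test vectors ("12345678901234567890" in base32);
# real enrolments use generate_totp_secret() instead.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def generate_totp_secret():
    """160-bit random secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, at=None):
    """RFC 6238: HOTP with the counter taken from the current time step."""
    at = int(time.time()) if at is None else at
    return hotp(secret_b32, at // STEP_SECONDS)


class TotpVerifier:
    """Checks a submitted code within the drift window and never accepts the same step twice."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.last_accepted_step = -1   # replay guard: every code is single-use

    def verify(self, code, at=None):
        at = int(time.time()) if at is None else at
        current = at // STEP_SECONDS
        for step in range(current - WINDOW, current + WINDOW + 1):
            if step < 0 or step <= self.last_accepted_step:
                continue   # this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


class Account:
    """Salted PBKDF2 digest of the password (something you know) plus a TOTP secret (something you have)."""

    def __init__(self, username, password, totp_secret):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.verifier = TotpVerifier(totp_secret)


def login(account, password, code, at=None):
    """Both factors must pass; the returned string is what an accounting log would record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, 100_000)
    if not hmac.compare_digest(digest, account.digest):
        return "denied: bad password"
    if not account.verifier.verify(code, at):
        return "denied: bad or reused MFA code"
    return "allowed"


if __name__ == "__main__":
    acct = Account("jsmith", "correct horse battery staple", RFC_TEST_SECRET)
    t = 59   # Unix time from the RFC 6238 vector table; the expected 6-digit code is 287082
    print("code at t=59:              ", totp(RFC_TEST_SECRET, t))
    print("stolen password, no code:  ", login(acct, "correct horse battery staple", "000000", t))
    print("password + valid code:     ", login(acct, "correct horse battery staple", "287082", t))
    print("same code replayed:        ", login(acct, "correct horse battery staple", "287082", t))
```

The verifier accepts each code once, so a code captured and replayed after the real login fails; it does nothing against a user being talked into reading a fresh code to an attacker, which is why the training point above matters. In a production system the user would see one generic failure message, with the specific reason kept only in the accounting log.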

Least privilege applies to network devices too. Management interfaces should be reachable only from trusted networks or VPNs, not from guest Wi-Fi or the public Internet. Administrative accounts should be separate from everyday user accounts. Old accounts should be disabled when staff leave or roles change. Service accounts should have narrow permissions and documented owners. A technician may not own the identity system, but should know the right questions: who needs access, what exact access is required, for how long, and who approved it?
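An added example (written for this page, not from the original notes) that ties the AAA functions and the device rules above together in Python. Authentication is assumed to have already happened; authorization is then evaluated against narrow, time-bound role grants that carry a named approver, management-plane actions are refused unless the request arrives from a trusted management network, and every decision is written to an accounting log. The networks, roles, permissions, and account names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed trusted management networks: the admin VLAN and the VPN client pool.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.100.0/24"),
                     ipaddress.ip_network("10.99.0.0/16")]

# Role -> permissions ("action:resource"). Each role carries only what that job needs.
ROLE_PERMISSIONS = {
    "receptionist": {"read:scheduling", "write:scheduling"},
    "helpdesk":     {"read:tickets", "write:tickets", "reset:user-password"},
    "netadmin":     {"read:switch-config", "write:switch-config", "write:firewall-rules"},
    "print-svc":    {"submit:print-jobs"},   # service account: one narrow permission
}
# Management-plane actions: allowed only from TRUSTED_MGMT_NETS, whatever the role.
MANAGEMENT_ACTIONS = {"read:switch-config", "write:switch-config", "write:firewall-rules"}

DEMO_NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for a reproducible demo
AUDIT_LOG = []   # accounting: one record per decision, allow or deny


@dataclass
class Grant:
    """A role assignment that answers: what access, for how long, approved by whom."""
    role: str
    approved_by: str
    expires: datetime


@dataclass
class Principal:
    """An authenticated user, service, or device identity."""
    name: str
    grants: list = field(default_factory=list)
    disabled: bool = False   # set when staff leave or roles change


def authorize(principal, action, src_ip, now=None):
    """Return (allowed, reason) and record the decision in AUDIT_LOG."""
    now = now or datetime.now(timezone.utc)
    src = ipaddress.ip_address(src_ip)

    if principal.disabled:
        decision = (False, "account disabled")
    else:
        active = [g for g in principal.grants if g.expires > now]
        permitted = set().union(*(ROLE_PERMISSIONS.get(g.role, set()) for g in active))
        if action not in permitted:
            decision = (False, f"no active grant permits {action}")
        elif action in MANAGEMENT_ACTIONS and not any(src in net for net in TRUSTED_MGMT_NETS):
            decision = (False, f"management action from untrusted network {src}")
        else:
            roles = ", ".join(f"{g.role} (approved by {g.approved_by})" for g in active)
            decision = (True, f"permitted by {roles}")

    AUDIT_LOG.append({"time": now.isoformat(), "who": principal.name, "action": action,
                      "from": str(src), "allowed": decision[0], "reason": decision[1]})
    return decision


def demo_decisions():
    """Run the sample checks; return [(who, action, src_ip, allowed, reason), ...] in order."""
    now = DEMO_NOW
    # Everyday account and a separate admin account for the same person; the admin grant is time-boxed.
    jsmith = Principal("jsmith", [Grant("helpdesk", "mgr-servicedesk", now + timedelta(days=365))])
    jsmith_adm = Principal("jsmith-adm", [Grant("netadmin", "ciso", now + timedelta(hours=8))])
    printer = Principal("print-svc", [Grant("print-svc", "mgr-it", now + timedelta(days=365))])

    checks = [
        (jsmith,     "reset:user-password", "192.168.1.20", now),                       # allowed
        (jsmith,     "write:switch-config", "10.0.100.5",   now),                       # wrong account
        (jsmith_adm, "write:switch-config", "10.0.100.5",   now),                       # allowed, admin VLAN
        (jsmith_adm, "write:switch-config", "192.168.50.7", now),                       # guest Wi-Fi
        (jsmith_adm, "write:switch-config", "10.0.100.5",   now + timedelta(hours=9)),  # grant expired
        (printer,    "read:tickets",        "10.0.20.9",    now),                       # outside service scope
    ]
    results = []
    for principal, action, ip, when in checks:
        allowed, reason = authorize(principal, action, ip, when)
        results.append((principal.name, action, ip, allowed, reason))
    return results


if __name__ == "__main__":
    for who, action, ip, allowed, reason in demo_decisions():
        print(f"{who:11} {action:20} from {ip:14} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
    print(f"{len(AUDIT_LOG)} decisions recorded in the accounting log")
```

Note that the admin account passes from the admin VLAN and fails from guest Wi-Fi with the same credentials, and that the expired grant fails without anyone having to remember to revoke it; both are the "for how long" and "from where" parts of the least-privilege questions above, and the log records who asked for what, from where, and why it was decided.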

Study Checkpoint

  • Topic: Least Privilege, AAA, Passwords, and MFA.
  • Verify the official Cisco concept before memorizing a shortcut.
  • Practice the technician action: observe, document, test, fix when supported, or escalate.
Test Your Knowledge

What does least privilege mean?

In AAA, which function answers the question 'what are you allowed to do?'

Which technician behavior best follows password-handling best practices?
