IAM, MFA, SSO, Directory Services, and AAA
Key Takeaways
- IAM identifies users and systems, authenticates them, and supports authorization decisions.
- MFA combines factors such as something you know, have, are, do, or somewhere you are.
- SSO reduces repeated logins but makes identity provider security and availability more important.
- SAML supports many browser-based enterprise SSO deployments, while LDAP commonly supports directory lookups.
- RADIUS, TACACS+, and 802.1X are common network access and device administration AAA technologies.
Identity and access management, or IAM, is the set of processes and technologies used to know who or what is requesting access and what that identity is allowed to do. Network+ keeps the focus practical: how identities are checked, how network devices make access decisions, and which protocol fits the scenario.
Authentication, Authorization, and Accounting
| AAA function | Question answered | Example |
|---|---|---|
| Authentication | Who are you? | Username and password plus MFA |
| Authorization | What are you allowed to do? | Permit VPN access but deny firewall administration |
| Accounting | What did you do? | Log command execution on a router |
AAA can apply to people, devices, services, and infrastructure administrators. A wireless user authenticating to an SSID, a switch port using 802.1X, and a network engineer logging in to a router can all use AAA.
MFA Factors
| Factor | Meaning | Example |
|---|---|---|
| Something you know | Knowledge | Password or PIN |
| Something you have | Possession | Hardware token, phone authenticator, smart card |
| Something you are | Biometric | Fingerprint or face recognition |
| Somewhere you are | Location context | Corporate network or approved country |
| Something you do | Behavior | Typing pattern or gesture pattern |
Two passwords are not MFA because they are the same factor type. A password plus a push approval is MFA because it combines knowledge and possession. For higher-risk access, phishing-resistant MFA such as FIDO2 security keys or smart cards is stronger than simple SMS codes.
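The factor-type rule above, as an added example that is not part of the original page: the method-to-factor mapping and the phishing-resistant set are constructed for illustration, and MFA is counted as two or more distinct factor categories rather than two methods of the same kind.

```python
# Added example: decide whether a set of authentication methods is MFA under the
# rule in the text (two or more *different* factor categories). The mapping of
# method names to categories is a constructed, illustrative table.
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    WHERE = "somewhere you are"
    DO = "something you do"


# Constructed mapping; a real policy engine would load this from configuration.
METHOD_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "security_question": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "push_approval": Factor.HAVE,
    "sms_code": Factor.HAVE,
    "smart_card": Factor.HAVE,
    "fido2_key": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
    "corporate_network": Factor.WHERE,
    "typing_pattern": Factor.DO,
}

# Methods the text names as phishing-resistant.
PHISHING_RESISTANT = {"fido2_key", "smart_card"}


def factor_categories(methods):
    """Return the set of distinct factor categories covered by the methods."""
    unknown = [m for m in methods if m not in METHOD_FACTOR]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    return {METHOD_FACTOR[m] for m in methods}


def is_mfa(methods):
    """Two passwords share one category, so they are not MFA; password + push is."""
    return len(factor_categories(methods)) >= 2


def is_phishing_resistant_mfa(methods):
    """MFA in which at least one factor is a phishing-resistant possession method."""
    return is_mfa(methods) and any(m in PHISHING_RESISTANT for m in methods)
```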
SSO and Federation
Single sign-on lets a user authenticate once to an identity provider and then access multiple applications. Federation extends trust between an identity provider and a relying service, often across organizational or cloud boundaries.
| Term | Network+ level meaning | Common cue |
|---|---|---|
| SSO | One login used across multiple services | User signs in once and launches several apps |
| SAML | XML-based federation often used for enterprise browser SSO | Identity provider sends an assertion to a service provider |
| OAuth 2.0 | Authorization framework for delegated access | App gets permission to access a resource |
| OpenID Connect | Identity layer on OAuth 2.0 | ID token proves user authentication |
| LDAP | Directory access protocol | Application queries directory users and groups |
SSO improves usability and centralizes control, but it raises the impact of identity provider compromise or outage. MFA, conditional access, logging, and break-glass planning are important parts of the design.
RADIUS, TACACS+, and 802.1X
| Technology | Common use | Key detail |
|---|---|---|
| RADIUS | VPN, wireless, 802.1X, network access AAA | Combines authentication and authorization; uses UDP |
| TACACS+ | Network device administration AAA | Separates authentication, authorization, and accounting; uses TCP |
| 802.1X | Port-based network access control | Uses supplicant, authenticator, and authentication server |
| EAP | Authentication framework used with 802.1X | Supports methods such as certificates or credentials |
In 802.1X, the supplicant is the client device or software requesting access. The authenticator is usually the switch or wireless access point controlling the port or association. The authentication server is commonly a RADIUS server that validates credentials or certificates.
Scenario: Secure Wired Access
A company wants conference room switch ports to block unknown devices. Managed laptops should receive normal access, contractor laptops should be placed on a restricted network, and failed authentication should be logged.
A reasonable design is 802.1X on access switches, RADIUS as the authentication server, certificates for managed laptops, dynamic VLAN assignment for access decisions, and accounting logs for audit review. Guest or remediation VLANs can handle devices that fail authentication without giving them broad internal access.
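The design above, modelled as an added example that is not part of the original page: the RADIUS server returns Access-Accept with the standard RFC 2868 tunnel attributes that switches use for dynamic VLAN assignment, or Access-Reject, and the switch applies the reply to the port, falling back to its locally configured restricted VLAN on failure. VLAN numbers, port names, identities and the device classes are constructed for illustration.

```python
# Added example: simplified model of the scenario's 802.1X / RADIUS flow.
# The authentication server decides Accept/Reject and carries the VLAN in the
# standard tunnel attributes (RFC 2868); the authenticator (switch) applies it.
# VLAN numbers and device classes are constructed, not taken from any product.
from dataclasses import dataclass
from datetime import datetime, timezone

VLAN_CORPORATE, VLAN_CONTRACTOR, VLAN_AUTH_FAIL = 10, 20, 99


@dataclass
class AuthResult:
    port: str        # switch port the supplicant is connected to
    mac: str
    identity: str
    method: str      # "certificate" (managed laptop) or "credentials" (contractor)
    valid: bool      # did the certificate or credential check pass?


def radius_reply(r: AuthResult) -> dict:
    """Authentication server: Access-Accept with a VLAN, or Access-Reject."""
    if not r.valid:
        return {"code": "Access-Reject"}
    vlan = VLAN_CORPORATE if r.method == "certificate" else VLAN_CONTRACTOR
    return {
        "code": "Access-Accept",
        "Tunnel-Type": 13,             # VLAN
        "Tunnel-Medium-Type": 6,       # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }


def apply_to_port(r: AuthResult, reply: dict, now=None) -> tuple[int, str]:
    """Authenticator (switch): choose the port VLAN and produce an accounting line."""
    if reply["code"] == "Access-Accept":
        vlan = int(reply["Tunnel-Private-Group-ID"])
    else:
        # Failed authentication lands in the restricted/remediation VLAN,
        # which is configured locally on the switch rather than sent by RADIUS.
        vlan = VLAN_AUTH_FAIL
    ts = (now or datetime.now(timezone.utc)).isoformat()
    log = (f"{ts} port={r.port} mac={r.mac} identity={r.identity} "
           f"method={r.method} result={reply['code']} vlan={vlan}")
    return vlan, log
```

The accounting line carries the timestamp, identity, device and action the Common Traps list says a log needs in order to be useful.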
Common Traps
- SSO does not eliminate the need for MFA.
- LDAP is commonly used for directory queries, not for encrypting a VPN tunnel.
- RADIUS is common for network access; TACACS+ is commonly preferred for granular device administration.
- 802.1X is not a firewall; it controls whether a device gets network access at the port or wireless edge.
- Accounting logs are useful only if timestamps, identities, device names, and actions are reliable.
A company wants switch ports to authenticate devices before granting access to the production VLAN. Which technology best fits?
Which protocol is commonly used for granular AAA when administrators log in to routers and switches?
Match each identity or AAA term to its best description.