IAM, MFA, SSO, Directory Services, and AAA

Key Takeaways

  • IAM identifies users, devices, and services, authenticates them, and feeds authorization decisions.
  • MFA must combine different factor types (know, have, are, do, somewhere); two passwords are not MFA.
  • SSO centralizes login through an identity provider, which raises the value of protecting that IdP with MFA and break-glass plans.
  • SAML carries XML assertions for browser-based enterprise SSO; LDAP queries directory users and groups over TCP 389/636.
  • RADIUS (UDP) handles network access AAA; TACACS+ (TCP 49) handles granular device administration; 802.1X uses supplicant, authenticator, and authentication server.
Last updated: June 2026

Identity and Access Management

Identity and Access Management (IAM) is the combined set of processes and technologies used to establish who or what is requesting access and what that identity may do. Network+ keeps the focus operational: how identities are checked, how network devices make access decisions, and which protocol fits a given scenario.

Authentication, Authorization, and Accounting

The AAA triad is the backbone of Domain 4 access control.

AAA function   | Question answered | Example
Authentication | Who are you?      | Username/password plus an MFA push
Authorization  | What may you do?  | Permit VPN access but deny firewall admin
Accounting     | What did you do?  | Log every config command on a router

AAA applies to people, devices, services, and administrators alike. A Wi-Fi user joining an SSID, a switch port running 802.1X, and an engineer logging into a router can all flow through one AAA server.

MFA Factors

Multi-factor authentication (MFA) requires two or more different factor categories.

Factor             | Meaning    | Example
Something you know | Knowledge  | Password, PIN
Something you have | Possession | Hardware token, phone authenticator, smart card
Something you are  | Biometric  | Fingerprint, face recognition
Somewhere you are  | Location   | On the corporate network or in an approved country
Something you do   | Behavior   | Typing cadence, gesture pattern

Two passwords are not MFA because both are the know factor. A password plus an authenticator approval is MFA because it joins know and have. For high-risk access, phishing-resistant MFA such as FIDO2/WebAuthn security keys or smart cards beats SMS one-time codes, which are vulnerable to SIM swapping and interception.

SSO and Federation

Single sign-on (SSO) lets a user authenticate once to an identity provider (IdP) and then reach many applications without re-entering credentials. Federation extends trust between an IdP and a relying service, often across companies or clouds.

Term           | Network+ meaning                               | Cue
SSO            | One login reused across services               | User signs in once, launches several apps
SAML           | XML assertions for enterprise browser SSO      | IdP posts an assertion to a service provider
OAuth 2.0      | Delegated authorization framework              | An app gains permission to a resource
OpenID Connect | Identity layer atop OAuth 2.0                  | An ID token proves the user authenticated
LDAP           | Directory access protocol (TCP 389; LDAPS 636) | App queries directory users and groups

SSO improves usability and centralizes control, but it concentrates risk: if the IdP is compromised or offline, every connected app is affected. Strong MFA on the IdP, conditional access, thorough logging, and a break-glass emergency account are core to the design.
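"An ID token proves the user authenticated" only if the relying party actually checks it. As an added example (not from this guide or any IdP's code), here is the validation a service must do on an OpenID Connect ID token before trusting its subject: pin the algorithm, verify the signature, then check issuer, audience, lifetime and nonce. To run offline it signs with an HS256 shared key; a production IdP signs with RS256/ES256 keys fetched from its JWKS endpoint, and the issuer URL, client ID, key and claims below are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a JWT-format ID token. HS256 keeps this runnable offline; real IdPs
    use asymmetric keys. `alg` exists only so a forged "alg": "none" token can be built."""
    parts = [_b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: Optional[int] = None, leeway: int = 60) -> dict:
    """Relying-party checks in the order they must happen.
    Returns the claims, or raises ValueError naming the first failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # 1. Pin the algorithm. Honouring the header's alg lets an attacker send
    #    "none" (no signature) or swap RS256 for HS256 keyed with the public key.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Verify the signature before believing anything in the payload.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    # 3. iss: minted by the IdP we federated with, not some other provider.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    # 4. aud: minted for this app. A token for another relying party is still
    #    validly signed by the same IdP; without this check it replays here.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # 5. Lifetime, with small leeway for clock skew between IdP and app.
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    if claims.get("iat", now) - leeway > now:
        raise ValueError("token issued in the future")
    # 6. nonce: binds the token to the login this browser session started.
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def verdict(*args, **kwargs) -> str:
    """'ok' or the reason validate_id_token rejected the token."""
    try:
        validate_id_token(*args, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample values, not from any real deployment.
DEMO_KEY = b"constructed-idp-signing-key"
DEMO_ISSUER = "https://idp.example.com"
DEMO_CLIENT = "vpn-portal"

if __name__ == "__main__":
    claims = {"iss": DEMO_ISSUER, "sub": "alice", "aud": DEMO_CLIENT,
              "iat": 1_700_000_000, "exp": 1_700_000_300, "nonce": "n-4f2a"}
    good = sign_id_token(claims, DEMO_KEY)
    args = (DEMO_KEY, DEMO_ISSUER, DEMO_CLIENT, "n-4f2a")
    print(verdict(good, *args, now=1_700_000_100))
    print(verdict(sign_id_token(dict(claims, aud="expense-app"), DEMO_KEY), *args, now=1_700_000_100))
    print(verdict(sign_id_token(claims, DEMO_KEY, alg="none"), *args, now=1_700_000_100))
```

The audience and nonce checks are the ones most often skipped, and they are exactly the ones that let a token minted for one application be replayed against another. The order matters too: parsing claims before the signature is verified means an unauthenticated payload influences the decision.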

RADIUS, TACACS+, and 802.1X

Technology | Use                                        | Key detail
RADIUS     | VPN, wireless, 802.1X, network-access AAA  | Bundles authN and authZ; UDP 1812/1813 (legacy 1645/1646); obscures only the User-Password attribute, the rest of the packet is cleartext
TACACS+    | Network device administration AAA          | Separates authN, authZ, accounting; TCP 49; encrypts the entire packet body, not just the password; Cisco-originated
802.1X     | Port-based network access control          | Three roles: supplicant, authenticator, authentication server
EAP        | Authentication framework carried by 802.1X | Methods include EAP-TLS (mutual certificates) and PEAP (TLS tunnel protecting a password method such as MSCHAPv2)

In 802.1X, the supplicant is the client device or software requesting access, the authenticator is the switch port or wireless access point gatekeeping the connection, and the authentication server is usually a RADIUS server validating credentials or certificates. Until the supplicant authenticates, the port passes only EAPOL (EAP over LAN) frames and blocks everything else. Memorize those three roles in order, because exam stems often hand you one piece ("the switch acts as the...") and expect you to name the role.

The switch or access point is always the authenticator; it never makes the credential decision itself. It merely relays EAP between the supplicant and the RADIUS server: as EAPOL frames on the client side, and inside RADIUS EAP-Message attributes on the server side. The RADIUS Access-Accept or Access-Reject is what opens the port or keeps it closed.

Directory services tie this together. Most organizations store users and groups in a directory such as Active Directory and expose it over LDAP. RADIUS, SSO portals, and applications all query that single directory so that disabling one account removes access everywhere. That central directory is also why an offline or compromised directory becomes a single point of failure, reinforcing the need for redundancy and monitoring.

Scenario: Secure Wired Access

A company wants conference-room ports to block unknown devices: managed laptops get normal access, contractor laptops land on a restricted network, and failed attempts are logged. A solid design is 802.1X on access switches, RADIUS as the authentication server, EAP-TLS certificates for managed laptops, dynamic VLAN assignment to steer devices into the correct VLAN based on the RADIUS reply, and accounting logs for audit. A guest or remediation VLAN catches devices that fail authentication without giving them internal reach.

If a device cannot do 802.1X at all, such as a printer or IP camera, MAC Authentication Bypass (MAB) lets the switch authorize it by its hardware address as a fallback, which the exam may contrast with full 802.1X. Because a MAC address is trivially spoofed, MAB is identification rather than real authentication: keep MAB-authorized devices in a tightly scoped VLAN with ACLs instead of granting them the same reach as an EAP-TLS laptop.
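To make the RADIUS row above and the conference-room design concrete, here is an added example (not from this guide or from any RADIUS implementation) of the Access-Request/Access-Accept exchange between the authenticator and the authentication server, including the RFC 3580 tunnel attributes that tell the switch which VLAN to put the port in. It uses PAP (a User-Password attribute) so it runs stand-alone; in the EAP-TLS design the credential would instead travel inside EAP-Message attributes, which this example does not implement. The shared secret, user table and VLAN numbers are constructed.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865 (core), RFC 2868 (tunnel attrs), RFC 3580 (VLANs).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext
    block), seeded by the Request Authenticator. This is the only field RADIUS
    obscures; User-Name and the reply's VLAN assignment travel in cleartext."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        prev = data[i:i + 16] if decrypt else block  # always chain on the ciphertext
        out += block
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, request_auth, False)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(hidden, secret, request_auth, True).rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attribute = Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(raw: bytes) -> list:
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return attrs


def response_authenticator(code, ident, request_auth, body, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """Authenticator (switch) side. The Request Authenticator must be fresh and unpredictable."""
    request_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def vlan_attrs(vlan: str, tag: int = 0) -> list:
    """RFC 3580 dynamic VLAN assignment: the switch moves the port into this VLAN."""
    return [(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode())]


def serve(request: bytes, secret: bytes, users: dict, vlans: dict) -> bytes:
    """Authentication-server side: Access-Accept carrying the user's VLAN, else Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], dict(decode_attrs(request[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    code, body = (ACCESS_ACCEPT, encode_attrs(vlan_attrs(vlans[user]))) if ok else (ACCESS_REJECT, b"")
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Authenticator side: accept only a reply whose authenticator chains to our own request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def assigned_vlan(reply: bytes):
    """Tunnel-Private-Group-ID from an Access-Accept (tag byte stripped), else None."""
    if reply[0] != ACCESS_ACCEPT:
        return None
    for t, v in decode_attrs(reply[20:]):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            return v[1:].decode()
    return None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed, as are the user and VLAN tables
    req = build_access_request(7, "alice", "correct horse", SECRET)
    rep = serve(req, SECRET, {"alice": b"correct horse"}, {"alice": "20"})
    print(verify_reply(rep, req, SECRET), assigned_vlan(rep))
```

Two things the exchange makes visible. First, everything except the password is cleartext and the only integrity check is an MD5 chain keyed with the shared secret, which is why RADIUS should run over a dedicated management VLAN or RadSec (RADIUS over TLS) and why the Message-Authenticator attribute (RFC 2869, HMAC-MD5, omitted here), mandatory for EAP and, since the 2024 Blast-RADIUS attack, advisable on every Access-Request, matters. Second, the VLAN is chosen by the server's reply, not by the switch: the conference-room port ends up in the corporate, contractor or quarantine VLAN purely on the strength of what the RADIUS server says.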

Common Traps

  • SSO does not remove the need for MFA; it raises the stakes for protecting the IdP.
  • LDAP queries a directory; it does not encrypt a VPN tunnel.
  • RADIUS fits network access; TACACS+ is preferred for command-level device administration.
  • 802.1X is not a firewall; it only decides whether a device joins the network at the edge.
  • Accounting logs are worthless without reliable timestamps, identities, and synchronized clocks (NTP).

Test Your Knowledge

A company wants switch ports to authenticate devices before granting access to the production VLAN. Which technology best fits?

Test Your Knowledge

Administrators need granular command-level authorization and separate accounting when they log into routers and switches. Which protocol is the best fit?

Test Your Knowledge

Which login design actually qualifies as multi-factor authentication?
