DEV Community

TiltedLunar123

The third A in AAA is the one Security+ students forget

Most people studying for the SY0-701 exam can recite that AAA stands for authentication, authorization, and accounting. Then a question drops all three into one scenario and the recitation falls apart. You read "the user signed in successfully but cannot open the payroll folder," and your brain still wants to call that an authentication problem. It is not.

Here is the cleanest way I have found to keep the three apart.

Authentication is the login moment

Authentication answers one question: are you who you say you are? A password, a fingerprint, a security key, a one-time code. If the system accepts your identity, authentication succeeded. It says nothing about what you are allowed to do next.

Authorization is what you are allowed to touch

Authorization answers a different question: now that we know who you are, what can you access? This is permissions, file rights, role membership, the gap between a help desk account and a domain admin. The payroll example above is an authorization failure. The user proved their identity just fine. They simply lack the rights to that folder.

That one distinction is worth a surprising number of exam points, because the test writers love to describe a clean login followed by a denied action. If you tag it as authentication, you reach for the wrong fix (reset the password, re-enroll the token) instead of the right one (adjust the permission or the group membership).

Accounting is the A everyone skips

The third A is accounting, and it is the one people leave out of their notes. Accounting is the record of what happened: who logged in, when, from where, and what they did once inside. It is your audit trail.

On the exam it shows up wearing other words. When a question asks how you would prove a specific administrator ran a specific command, or how you achieve non-repudiation, it is pointing at accounting and logging, not at authentication. Non-repudiation means a user cannot credibly deny an action, and you get that from logs, timestamps, and signatures, not from the strength of their password.

A clean way to hold the order in your head: you prove who you are, you are granted what you can do, and the system writes down what you actually did.
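To make the three steps concrete, here is an added example (mine, not code from the original post) of a toy access service that keeps authentication, authorization and accounting as separate functions, then traces the payroll scenario from above through all three. Every account, password, role, path and IP address in it is constructed sample data; the audit log is an in-memory list standing in for a real SIEM or syslog target.

```python
"""Toy AAA service: each A is its own function, so a clean login followed by a
denied folder open lands in the right bucket. All data below is constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone


# --- Authentication: "are you who you say you are?" -------------------------
def _hash_password(password, salt):
    # PBKDF2-SHA256 so a leaked table does not hand out plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed sample accounts: a help desk user and a payroll administrator.
USERS = {
    "alice": _make_user("correct horse", "helpdesk"),
    "bob": _make_user("hunter2!", "payroll_admin"),
}
_DUMMY = _make_user("unused", "none")  # hashed for unknown names (see below)


def authenticate(username, password):
    """Return True only if the password matches the stored hash.
    Unknown users are still hashed against a dummy record so the call takes
    the same time either way and does not reveal which usernames exist."""
    user = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, user["salt"])
    return username in USERS and hmac.compare_digest(candidate, user["hash"])


# --- Authorization: "now that we know who you are, what may you touch?" ------
# Constructed role -> resource -> allowed actions table.
ROLE_PERMISSIONS = {
    "helpdesk": {"/shared/tickets": {"read", "write"}},
    "payroll_admin": {"/shared/payroll": {"read", "write"},
                      "/shared/tickets": {"read"}},
}


def authorize(username, resource, action):
    """Deny by default: an action is allowed only if the user's role lists it."""
    role = USERS[username]["role"]
    return action in ROLE_PERMISSIONS.get(role, {}).get(resource, set())


# --- Accounting: "what actually happened?" -----------------------------------
AUDIT_LOG = []  # in-memory stand-in for syslog / SIEM


def record(event, username, outcome, **details):
    """Append one timestamped audit entry and return it."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
             "user": username, "outcome": outcome, **details}
    AUDIT_LOG.append(entry)
    return entry


def events_for(username):
    """Non-repudiation view: everything the log says this user did."""
    return [(e["event"], e["outcome"]) for e in AUDIT_LOG if e["user"] == username]


# --- The three steps wired together ------------------------------------------
def login(username, password, source_ip):
    ok = authenticate(username, password)
    record("login", username, "success" if ok else "failure", src=source_ip)
    return ok


def access(username, resource, action):
    ok = authorize(username, resource, action)
    record("access", username, "granted" if ok else "denied",
           resource=resource, action=action)
    return ok


def payroll_scenario():
    """The post's scenario: alice signs in fine but cannot open payroll."""
    AUDIT_LOG.clear()
    logged_in = login("alice", "correct horse", "10.0.0.7")   # A1 succeeds
    opened = access("alice", "/shared/payroll", "read")       # A2 fails
    return {"authenticated": logged_in, "authorized": opened,
            "events": events_for("alice")}                    # A3 shows both


if __name__ == "__main__":
    print(payroll_scenario())
```

Run it and the result is `authenticated: True, authorized: False`, with the log holding a successful login followed by a denied access. That is the exam's pattern in miniature: the fix belongs in `ROLE_PERMISSIONS`, not in the password, and the only reason you can prove it happened is the accounting step.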

RADIUS vs TACACS+ falls right out of this

The AAA framework also untangles a protocol comparison the exam keeps asking about. Both RADIUS and TACACS+ centralize authentication, but they are not interchangeable. RADIUS combines authentication and authorization into a single step, which makes it the classic choice for network access like wireless and VPN logins. TACACS+ separates all three A's and can log commands individually, which is why it is the standard for administering network devices.

So if a question asks which protocol lets you record every command an engineer types on a router, the per-command accounting in TACACS+ is your answer. A second tell: TACACS+ encrypts the entire payload, while RADIUS only encrypts the password.

How to make it stick

None of this sticks from reading definitions once. It sticks when a question forces you to separate the login from the permission from the log, again and again, until the sort is automatic. That is the whole reason I built the practice at secplusmastery.com around scenarios rather than flashcard definitions. The questions are written to make you decide which of the three A's is actually being tested, which is the exact muscle the real exam checks.

If you want to see where your own AAA understanding leaks, the free diagnostic at secplusmastery.com/diagnostic is a quick way to find out. Watch for the questions where you read "logged in" and your hand reaches for an authentication answer. That reflex is the trap.

One last drill you can do with no tool at all. Take any access scenario in your notes and label each sentence with a single letter: A1 for proving identity, A2 for granting access, A3 for recording the event. Once you can do that on sight, AAA questions stop being tricky and start being free points.
