Study Logical Security, AAA & Identity Controls for Network+ (N10-009)

Use IAM, MFA, SSO, RADIUS, LDAP, SAML, TACACS+, and least-privilege language correctly in network-access scenarios.

Identity questions in Network+ are usually access-boundary questions. CompTIA is not asking whether you recognize a few acronyms in isolation. It is asking whether you know which identity system belongs on the user path, which belongs on the administrator path, and how authorization should stay narrower than authentication alone.

Key terms

TACACS+: An AAA protocol commonly used for administrative access to network devices, with strong per-command authorization support.

Least privilege: Giving users or devices only the permissions they need and nothing broader.

What CompTIA is really testing

The strongest answers usually depend on one of these distinctions:

  • authentication versus authorization versus accounting
  • user access versus device-administration access
  • single sign-on convenience versus actual privilege control
  • identity proof versus network admission decision

Keep the identity tools distinct

Term      What it is strongest for
MFA       strengthening identity proof during authentication
SSO       reducing repeated logins across related services
RADIUS    centralized AAA, often for network access (802.1X, VPN logins) and remote user authentication
TACACS+   centralized AAA with a strong fit for device administration and per-command control
LDAP      directory lookups and identity information, not a complete security answer by itself
SAML      federated identity assertions between systems

Think in identity paths

    flowchart LR
      A["User or admin requests access"] --> B["Authentication"]
      B --> C["Authorization or role decision"]
      C --> D["Accounting and logging"]

What to notice:

  • AAA is a sequence, not just a vocabulary set
  • proving identity does not automatically grant broad permissions
  • logging matters after access is granted, not only before

The question behind the acronym

When Network+ uses AAA language, the real question is often:

  • who should be allowed in
  • who should be allowed to do what
  • who should be recorded doing it

That is why MFA can improve authentication while still not answering the authorization problem, and why SSO can improve convenience without proving least privilege by itself.

Small path example

User Wi-Fi access
  -> authenticate to network
  -> receive policy / role
  -> reach only approved resources

Switch administrator access
  -> authenticate to management plane
  -> authorize allowed commands
  -> log the admin action

What to notice:

  • both examples use identity controls
  • the second one needs stronger command-level control and audit detail
  • that is why a TACACS+-style answer often fits device administration better than a generic user-auth answer

A small policy example

Admin login:
- authenticate with MFA
- authorize only network-admin role
- log command activity centrally

What to notice:

  • stronger identity design narrows privilege after authentication
  • a successful login is not the same thing as broad authorization
  • CompTIA often hides the better answer inside this distinction
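The two paths above (the Wi-Fi user path and the switch-administrator path) and the admin-login policy can be walked through as one small program. The following is an added example written for this guide, not code from CompTIA or from any TACACS+ implementation; the usernames, passwords, one-time codes, roles and command patterns are all constructed. It runs the AAA sequence in order: two-factor authentication yields a session but no commands, each command is then authorized against the role with default deny, and every attempt is recorded whether or not it was permitted.

```python
# Added example: a small model of the AAA sequence on a device-administration path.
# Everything here is constructed for illustration (assumed users, passwords,
# one-time codes, roles and command patterns); it is not a real TACACS+ client.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional
import hashlib
import hmac
import time


def _h(password: str) -> str:
    # Constructed stand-in for a proper password hash (use a real KDF in practice).
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed identity store: first factor (password hash) and second factor
# (a list of unused one-time codes standing in for a TOTP or hardware token).
USERS: Dict[str, dict] = {
    "alice": {"hash": _h("correct horse"), "codes": ["482913", "551200"], "role": "network-admin"},
    "bob":   {"hash": _h("battery staple"), "codes": ["117004", "903311"], "role": "network-viewer"},
}

# Constructed role-to-command policy. A role grants only the listed patterns;
# anything not matched is denied (default deny is what least privilege looks like here).
ROLE_COMMANDS: Dict[str, List[str]] = {
    "network-admin":  ["show *", "configure terminal", "interface *", "shutdown", "no shutdown"],
    "network-viewer": ["show *"],
}

ACCOUNTING_LOG: List[dict] = []   # what a central AAA server would record


@dataclass(frozen=True)
class Session:
    user: str
    role: str


def authenticate(user: str, password: str, otp: str) -> Optional[Session]:
    """Step 1: prove identity with two factors. Succeeding here grants no commands."""
    rec = USERS.get(user)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["hash"], _h(password)):
        return None
    if otp not in rec["codes"]:
        return None
    rec["codes"].remove(otp)            # a one-time code is consumed on use, so replay fails
    return Session(user=user, role=rec["role"])


def authorize(session: Session, command: str) -> bool:
    """Step 2: a per-command decision taken from the role, never from the login itself."""
    return any(fnmatchcase(command, pat) for pat in ROLE_COMMANDS.get(session.role, []))


def account(session: Session, command: str, permitted: bool) -> None:
    """Step 3: record the attempt centrally, whether or not it was allowed."""
    ACCOUNTING_LOG.append({"ts": time.time(), "user": session.user,
                           "command": command, "permitted": permitted})


def run_command(session: Session, command: str) -> bool:
    """Authorize, then account; returns whether the device should execute the command."""
    permitted = authorize(session, command)
    account(session, command, permitted)
    return permitted


def demo() -> List[dict]:
    """Walk both identities through the path and return the accounting records."""
    ACCOUNTING_LOG.clear()
    # Right password, wrong second factor: MFA fails as a whole.
    assert authenticate("alice", "correct horse", "000000") is None
    admin = authenticate("alice", "correct horse", "482913")
    viewer = authenticate("bob", "battery staple", "117004")
    for session, cmd in [(admin, "show running-config"), (admin, "configure terminal"),
                         (admin, "reload"), (viewer, "show ip interface brief"),
                         (viewer, "configure terminal")]:
        run_command(session, cmd)
    return list(ACCOUNTING_LOG)


if __name__ == "__main__":
    for entry in demo():
        verdict = "PERMIT" if entry["permitted"] else "DENY  "
        print(f'{entry["user"]:6} {verdict} {entry["command"]}')
```

Two things to notice when reading it. `authenticate` returns a role, not permissions, so a successful MFA login still cannot run `reload`; that is the authentication-versus-authorization distinction the exam is probing. The per-command shape of `authorize` is also why TACACS+ fits the admin path: TACACS+ handles authorization as an exchange separate from authentication, so each command can be checked and accounted individually, whereas RADIUS returns its authorization attributes with the Access-Accept at login time.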

Common traps

  • treating MFA as if it solves authorization by itself
  • using a directory answer when the question is really about centralized AAA
  • confusing SSO with broad access rights
  • forgetting that administrator access paths need tighter control than ordinary user access

What strong answers usually do

  • decide whether the scenario is about user access or device administration
  • separate identity proof from permission scope
  • choose the identity system that matches the path and logging need
  • keep least privilege visible even when the question wording sounds mostly about convenience


Harder scenario question

A network team wants centralized authentication for switch administrators, command-level authorization, and detailed logging of admin activity. Remote user VPN access is already handled elsewhere. Which answer is the strongest fit for the admin path?

A. LDAP only, because directory lookup solves both authorization and accounting by itself
B. TACACS+, because the scenario is specifically about device administration with command control and accounting
C. SSO, because convenience is the main security goal
D. NAT, because admin traffic needs a translated address

Best answer: B

Why: The clue is not general user identity. It is administrator control on network devices, with command-level authorization and detailed accounting named explicitly. TACACS+ is a stronger fit than a directory-only answer because LDAP supplies identity information but does not make per-command authorization decisions or produce accounting records. SSO addresses login convenience, not privilege, and NAT is address translation with no identity role at all.

Continue with 4.6 Network Segmentation for Guest, BYOD, IoT & OT if identity and boundary design are starting to connect cleanly.