The question requires a protocol that supports separate authorization and authentication processes. Terminal Access Controller Access-Control System Plus (TACACS+) is designed with this separation as a core feature. It uses distinct protocol messages and processes for authentication and authorization, allowing these functions to be handled independently, even by different servers. This modularity provides granular control and flexibility. While often used for device administration (including managing wireless APs), its protocol design directly matches the question's explicit requirement for separation. In contrast, RADIUS combines authentication and authorization into a single function, sending authorization details within the authentication acceptance message.

A. RADIUS: This protocol combines authentication and authorization into a single packet exchange (Access-Accept), which contradicts the requirement for separate solutions.

C. 802.1X: This is an IEEE standard for port-based network access control; it is an authentication framework, not a specific AAA protocol itself. It relies on a backend protocol like RADIUS.

D. Kerberos: This is a ticket-based authentication protocol for client/server applications and is not used for AAA functions between a network access device like an AP and a central server.

---

1. Cisco Press. Odom

W. (2020). CCNA 200-301 Official Cert Guide

Volume 2. Cisco Press. In Chapter 23

"Securing Network Devices

" the section "Comparing RADIUS and TACACS+" states

"TACACS+ separates the authentication

authorization

and accounting functions... RADIUS combines the authentication and authorization functions."

2. Official Vendor Documentation. Cisco Systems

(2023). Security Configuration Guide: AAA

Cisco IOS XE Cupertino 17.9.x. Chapter: "Configuring TACACS+". In the "TACACS+ Overview" section

it states

"TACACS+ provides for separate and modular authentication

authorization

and accounting facilities."

3. Official Vendor Documentation. Cisco Systems

(2023). Security Configuration Guide: AAA

Cisco IOS XE Cupertino 17.9.x. Chapter: "Configuring RADIUS". The "RADIUS Overview" section describes the process where the "RADIUS server authenticates the user and returns the configuration information... to the NAS [AP] for delivery to the user." This confirms the combined nature of the authentication and authorization response.