
🔐 Module 7: Authentication, Authorization, and Accounting (AAA)

🔑 Centralized Security Framework for Network Access Control

CCNA Level AAA Framework TACACS+ RADIUS

📋 Overview

This module introduces the AAA security framework that provides centralized authentication, authorization, and accounting services. Students will learn to implement both local and server-based AAA solutions using TACACS+ and RADIUS protocols.


🔑 Key Terms

Authentication

Process of verifying user identity through credentials like usernames and passwords.

Authorization

Process of determining what authenticated users are allowed to access and do.

Accounting

Process of tracking and recording user activities and resource usage.

TACACS+

Terminal Access Controller Access-Control System Plus - Cisco proprietary AAA protocol.

RADIUS

Remote Authentication Dial-In User Service - Open standard AAA protocol.

Cisco ISE

Identity Services Engine - Cisco's identity and access control policy platform.


AAA Characteristics

The Three Components of AAA

Authentication

Verifies user identity before granting access. Methods include:

  • Username and password
  • Digital certificates
  • Biometric authentication
  • Multi-factor authentication

Authorization

Determines what authenticated users can access and do:

  • Command-level access control
  • Network resource access
  • Service-specific permissions
  • Time-based restrictions

Accounting

Tracks and records user activities:

  • Login/logout times
  • Commands executed
  • Resources accessed
  • Data transferred

AAA Benefits

Why Implement AAA?

  • Centralized user management
  • Scalable authentication solution
  • Granular access control
  • Comprehensive audit trails
  • Compliance with security policies
  • Reduced administrative overhead

🔐 Configure Local AAA Authentication

Local AAA authentication stores user credentials on each individual network device. It is suitable for small networks but does not scale well, because every device keeps its own copy of the user database.

Local AAA Configuration Steps

Basic Configuration

Local AAA Setup

# Step 1: Enable AAA
Router(config)# aaa new-model

# Step 2: Create local users
Router(config)# username admin algorithm-type scrypt secret Str0ngPa55w0rd

# Step 3: Configure authentication method list
Router(config)# aaa authentication login default local-case

# Step 4: Apply to lines
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config-line)# exit

Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# transport input ssh

Local AAA Features

Feature                        Description
Method Lists                   Define authentication methods and fallback options
Line-specific Authentication   Different authentication methods for different lines
Account Lockout                Lock users after a specified number of failed login attempts
Password Policies              Enforce password complexity and aging

Scalability Limitation

Local AAA Drawbacks

Local AAA requires maintaining user databases on each device separately. This becomes unmanageable in large networks with multiple devices and users.


Server-Based AAA

Server-based AAA uses centralized AAA servers to manage authentication, authorization, and accounting for entire networks.

Server-Based AAA Advantages

Scalability

Single database serves multiple network devices and thousands of users.

Centralized Management

User accounts managed from one location with consistent policies.

Integration

Works with external databases like Active Directory and LDAP.

Redundancy

Multiple servers provide high availability and fault tolerance.

Cisco Identity Services Engine (ISE)

Cisco ISE is a comprehensive identity and access control platform that provides:

  • Asset Visibility: Identifies and classifies devices connecting to the network
  • Posture Assessment: Evaluates device compliance with security policies
  • Segmentation: Enables secure network segmentation based on context
  • Guest Management: Provides secure access for visitors and contractors
  • Threat Containment: Dynamically adjusts access based on threat detection

BYOD Support

Modern Network Requirements

ISE addresses Bring Your Own Device (BYOD) challenges by defining fair access policies and enforcing compliance for all end devices including personal devices.


📡 TACACS+ and RADIUS Protocols

Protocol Comparison

Capability     TACACS+                       RADIUS
Functionality  Separates AAA services        Combines authentication and authorization
Standard       Cisco proprietary             Open RFC standard
Transport      TCP port 49                   UDP ports 1812 (auth) / 1813 (accounting)
Encryption     Entire packet encrypted       Only the password encrypted
Authorization  Per-user/per-group basis      No per-user command authorization
Accounting     Limited                       Extensive

Protocol Selection Criteria

Choose TACACS+ When:

  • Need granular command authorization
  • Security is paramount (full encryption)
  • Using Cisco equipment primarily
  • Need separation of AAA functions

Choose RADIUS When:

  • Need detailed accounting for billing
  • Using 802.1X or VoIP (SIP)
  • Multi-vendor environment
  • ISP or service provider network

Security Comparison

TACACS+ vs RADIUS Security

TACACS+ is considered more secure because it encrypts the entire packet, while RADIUS only encrypts passwords. RADIUS transmits usernames, accounting information, and other data in plaintext.
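To make the RADIUS side of this comparison concrete, the following added example (not part of the module and not Cisco's code) builds a minimal RADIUS Access-Request the way RFC 2865 section 5.2 describes it: the User-Password attribute is hidden by XORing it with an MD5 stream derived from the shared secret and the Request Authenticator, while User-Name is carried as-is. The shared secret, username and password are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1   # RADIUS Code field value
USER_NAME = 1        # attribute type, sent in the clear
USER_PASSWORD = 2    # attribute type, hidden with the shared secret

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a holder of the shared secret can do this.
    Trailing NUL padding is stripped, so passwords ending in NUL are ambiguous."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def build_access_request(username, password, secret, identifier=1, authenticator=None):
    """20-byte header (code, id, length, authenticator) followed by TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = struct.pack("!BB", USER_NAME, 2 + len(username)) + username
    attrs += struct.pack("!BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet):
    """Walk the attribute TLVs after the header. No secret is needed, which is
    exactly why User-Name (and accounting data) is readable to anyone on the path."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Note that this is an MD5-based XOR stream keyed by the shared secret, not an authenticated encryption of the whole datagram, which is why the module recommends RADIUS only where its accounting or 802.1X support is needed.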


Configure Server-Based AAA

Four Steps to Configure Server-Based AAA

Step  Purpose                   Command
1     Enable AAA globally       aaa new-model
2     Specify AAA server        tacacs server <name>  or  radius server <name>
3     Configure encryption key  key <shared-secret>
4     Configure method list     aaa authentication login default group tacacs+

TACACS+ Configuration Example

# Configure TACACS+ server
R1(config)# aaa new-model
R1(config)# tacacs server Server-T
R1(config-server-tacacs)# address ipv4 192.168.1.101
R1(config-server-tacacs)# single-connection
R1(config-server-tacacs)# key TACACS-Pa55w0rd
R1(config-server-tacacs)# exit

# Configure authentication method list
R1(config)# aaa authentication login default group tacacs+ local-case

RADIUS Configuration Example

# Configure RADIUS server
R1(config)# aaa new-model
R1(config)# radius server SERVER-R
R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
R1(config-radius-server)# key RADIUS-Pa55w0rd
R1(config-radius-server)# exit

# Configure authentication method list
R1(config)# aaa authentication login default group radius local-case
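Both method lists above end in local-case, and the fallback only happens when the server cannot answer (unreachable), never when a reachable server rejects the credentials. The following added example (not from the module or Cisco) simulates that evaluation order with constructed users and server addresses, including the case-sensitive username matching that distinguishes local-case from local.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # credentials rejected: no further methods are tried
    ERROR = "error"  # method could not answer (server down): try the next method

# Constructed sample data; addresses and accounts are invented for the demo.
LOCAL_USERS = {"admin": "Str0ngPa55w0rd"}
TACACS_SERVERS = {
    "192.168.1.101": {"reachable": False, "users": {}},
    "192.168.1.102": {"reachable": True, "users": {"alice": "Al1cePa55"}},
}

def local_case(username, password):
    # 'local-case': the username lookup is case-sensitive
    return Result.PASS if LOCAL_USERS.get(username) == password else Result.FAIL

def local(username, password):
    # 'local': the username is matched case-insensitively
    users = {u.lower(): p for u, p in LOCAL_USERS.items()}
    return Result.PASS if users.get(username.lower()) == password else Result.FAIL

def group_tacacs(username, password, servers=TACACS_SERVERS):
    # 'group tacacs+': ask the servers in order; the first reachable server's
    # verdict is final, only unreachable servers are skipped
    for srv in servers.values():
        if not srv["reachable"]:
            continue
        return Result.PASS if srv["users"].get(username) == password else Result.FAIL
    return Result.ERROR

def authenticate(method_list, username, password):
    """Evaluate an IOS-style method list: fall through on ERROR only."""
    for method in method_list:
        verdict = method(username, password)
        if verdict is not Result.ERROR:
            return verdict
    return Result.FAIL  # every method errored and no 'none' method: deny

# aaa authentication login default group tacacs+ local-case
DEFAULT = [group_tacacs, local_case]
```

The practical consequence is that a locally defined account is not a backdoor around a working TACACS+ server, but it is the only way in while every server is down.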

Authorization and Accounting Configuration

Critical Warning

Authorization Lockout Risk

When enabling AAA authorization, create a user with full access rights BEFORE enabling authorization. Otherwise, you'll be locked out immediately and must reboot the router to recover.

# Configure authorization
R1(config)# username ADMIN algorithm-type scrypt secret Str0ngPa55w0rd
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+

# Configure accounting
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+

Accounting Triggers

Trigger     Description
start-stop  Send start and stop accounting records
stop-only   Send stop records only, including failures
none        Disable accounting on the line or interface

✅ Quick Checks

  1. What are the three components of AAA?
    Authentication (who you are), Authorization (what you can do), and Accounting (what you did).
  2. What is the main difference between TACACS+ and RADIUS encryption?
    TACACS+ encrypts the entire packet, while RADIUS only encrypts the password.
  3. Which protocol separates authentication and authorization?
    TACACS+ separates AAA functions, while RADIUS combines authentication and authorization.
  4. What ports do TACACS+ and RADIUS use?
    TACACS+ uses TCP port 49, RADIUS uses UDP ports 1812 (auth) and 1813 (accounting).
  5. What must you do before enabling AAA authorization?
    Create a user with full access rights to prevent being locked out of the system.

📝 Summary

  • AAA provides centralized authentication, authorization, and accounting services
  • Local AAA is suitable for small networks but doesn't scale well
  • Server-based AAA enables centralized management for large networks
  • Cisco ISE provides comprehensive identity and access control beyond basic AAA
  • TACACS+ offers better security with full packet encryption
  • RADIUS provides extensive accounting and supports 802.1X and VoIP
  • Protocol selection depends on security requirements and network needs
  • Authorization must be configured carefully to avoid lockout situations
  • Accounting provides audit trails for compliance and troubleshooting
  • Method lists define authentication order and fallback options

References

  • Module 7: Authentication, Authorization, and Accounting - Introduction (Ch. 7.0)
  • AAA Characteristics (Ch. 7.1)
  • Configure Local AAA Authentication (Ch. 7.2)
  • Server-Based AAA Characteristics and Protocols (Ch. 7.3)
  • Configure Server-Based Authentication (Ch. 7.4)
  • Configure Server-Based Authorization and Accounting (Ch. 7.5)
  • RFC 2865 - RADIUS Authentication
  • Cisco ISE Documentation