AAA Configuration — Authentication, Authorization & Accounting (Cisco IOS)

In this lab, you will learn how to configure AAA (Authentication, Authorization, and Accounting) on Cisco routers and switches. AAA is the industry-standard framework for controlling who can access a device, what they are permitted to do, and keeping a record of every action taken. Before starting, make sure you are comfortable with Hostname, Banner & Password Configuration and the concepts covered in AAA Overview and AAA Authentication Methods.

AAA can authenticate users against a local database stored on the device itself, or delegate authentication to an external server using RADIUS or TACACS+. Understanding the difference between these two protocols is a key CCNA exam topic and an essential skill for any network engineer. See Local vs RADIUS Authentication for a conceptual comparison.

What Is AAA?

AAA stands for three separate but tightly related security functions:

Authentication
  Question it answers: Who are you?
  Example: Verifying a username and password before granting access

Authorization
  Question it answers: What are you allowed to do?
  Example: Restricting a user to read-only commands (privilege level 1)

Accounting
  Question it answers: What did you do?
  Example: Logging every command a user executed during their session

Without AAA, Cisco devices rely on simple line passwords and the enable secret command — which offer no per-user tracking, no command authorization, and no audit trail. AAA solves all three of these limitations.

RADIUS vs TACACS+

Cisco IOS supports two external AAA server protocols. Choosing the right one depends on your environment's requirements. See AAA Overview for a deeper conceptual breakdown.

Developed by
  RADIUS: Open standard (RFC 2865)
  TACACS+: Cisco proprietary

Transport
  RADIUS: UDP (ports 1812 / 1813)
  TACACS+: TCP (port 49)

Encryption
  RADIUS: Password only
  TACACS+: Full packet encryption

AAA separation
  RADIUS: Authentication + Authorization combined
  TACACS+: Authentication, Authorization, and Accounting are separate

Command authorization
  RADIUS: Limited
  TACACS+: Full per-command authorization

Best for
  RADIUS: Network access (Wi-Fi, VPN, 802.1X)
  TACACS+: Device administration (routers, switches)

Rule of thumb: Use TACACS+ when controlling administrator access to Cisco devices (you need command-level authorization and a full audit trail). Use RADIUS for network access control — 802.1X, Wi-Fi, and VPN authentication.
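
The "Encryption" row is the difference that matters most for device administration. As an added illustration (not part of the original lab), the Python below implements the two hiding mechanisms from the RFCs, RADIUS User-Password hiding (RFC 2865, section 5.2) and the TACACS+ body pseudo-pad (RFC 8907, section 4.5), and reports which fields stay readable without the shared secret. The usernames, secrets, authenticator and session id are constructed sample values, and the TACACS+ body is simplified (no length fields).

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then
    c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block          # the next keystream block is keyed by this ciphertext block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does on receipt).
    Trailing NUL padding is stripped, so passwords must not end in NUL bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, password: bytes,
                                secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request as Type/Length/Value triples:
    type 1 = User-Name (sent in clear), type 2 = User-Password (hidden)."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int,
                      seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_(n-1)); concatenate, truncate."""
    header = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(header + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire packet body (user, port, remote address, data/password) with
    the pseudo-pad. Calling it again with the same parameters restores the plaintext."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def wire_visibility() -> dict:
    """Constructed sample values (not captured traffic). Reports which fields a passive
    observer who does not hold the shared secret can read in each protocol's message."""
    user, password = b"admin", b"Admin@Secure1!"
    authenticator = bytes(range(16))   # constructed; IOS would send 16 random bytes
    radius_attrs = radius_access_request_attrs(user, password, b"Radius@SharedKey1!", authenticator)
    # Simplified TACACS+ authentication START body: user, port, rem_addr, data (constructed)
    tacacs_body = user + b"con0" + b"192.168.10.1" + password
    tacacs_wire = tacacs_obfuscate(tacacs_body, 0x1234ABCD, b"Tacacs@SharedKey1!")
    return {
        "radius_username_readable": user in radius_attrs,
        "radius_password_readable": password in radius_attrs,
        "tacacs_username_readable": user in tacacs_wire,
        "tacacs_password_readable": password in tacacs_wire,
    }
```

Both schemes are MD5-based obfuscation keyed by the shared secret, which is why the secret's strength and the network path between device and server still matter for either protocol.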

1. Enabling AAA on the Device

Explanation

The very first step — before configuring any method lists — is to enable the AAA framework globally. The single command aaa new-model activates AAA on the device. Once entered, it immediately overrides all existing line password configurations (login, login local) and applies the default AAA authentication method instead.

Warning: Entering aaa new-model on a live device can lock you out immediately if no method list or fallback is defined. Always configure your authentication method list before or immediately after enabling AAA — especially on remote sessions. It is best practice to do this on the console first.

Cisco Prompt Commands

NetsTuts_R1>en
NetsTuts_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_R1(config)#aaa new-model
NetsTuts_R1(config)#end
NetsTuts_R1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#
            
aaa new-model globally enables the AAA framework. After this point, all login authentication is controlled by AAA method lists — not line passwords.

Verify AAA is enabled:

NetsTuts_R1#show running-config | include aaa new-model
aaa new-model
            

2. AAA Authentication — Local Database

Explanation

The simplest form of AAA uses the local user database stored on the device itself. Users are defined with username commands and the AAA method list is set to local. This approach requires no external server and is suitable for small networks or as a fallback method when an external server is unreachable.

A method list is a named or default sequence of authentication methods that IOS tries in order. The special name default applies automatically to all lines (console, VTY, AUX) unless a line has its own named list assigned.

Step 1 — Create Local User Accounts

NetsTuts_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_R1(config)#username admin privilege 15 secret Admin@Secure1!
NetsTuts_R1(config)#username netops privilege 5 secret Netops@Pass1!
NetsTuts_R1(config)#username readonly privilege 1 secret Read@Only1!
            
Three user accounts are created with different privilege levels. Privilege 15 = full access. Privilege 5 = limited. Privilege 1 = read-only. Always use secret — never password — for local accounts. See Password Configuration for details on enable secret vs enable password.

Step 2 — Define the Default AAA Authentication Method List

NetsTuts_R1(config)#aaa authentication login default local
            
This tells IOS: when any line (console or VTY) requires login authentication, check the local user database. The keyword default applies this method list to all lines automatically.

Step 3 — Apply to Console and VTY Lines

Because the default method list applies automatically, explicit login authentication commands are optional on each line — but it is good practice to verify line configuration:

NetsTuts_R1(config)#line console 0
NetsTuts_R1(config-line)#login authentication default
NetsTuts_R1(config-line)#exec-timeout 5 0
NetsTuts_R1(config-line)#logging synchronous
NetsTuts_R1(config-line)#exit
NetsTuts_R1(config)#line vty 0 4
NetsTuts_R1(config-line)#login authentication default
NetsTuts_R1(config-line)#transport input ssh
NetsTuts_R1(config-line)#exec-timeout 10 0
NetsTuts_R1(config-line)#exit
NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#
            

Verify local AAA authentication configuration:

NetsTuts_R1#show aaa method-lists authentication
Authentication method-list 'default':
    1. LOCAL
            

Test: connect to the console — you should now be prompted for username and password:

Press RETURN to get started.

***Unauthorized access is strictly prohibited.***

User Access Verification

Username: admin
Password:
NetsTuts_R1>en
NetsTuts_R1#
            
The device now requires a username + password from the local database. Users with privilege 15 enter privileged EXEC mode directly after login.

3. AAA Authentication — Local with Enable Fallback

Explanation

A common and recommended best practice is to configure a fallback method so that if the primary method fails (for example, the local database is empty), the device falls back to the enable password. This prevents complete lockout in emergency situations.

Note: local-case is the case-sensitive version of local. Use it when you want usernames and passwords to be case-sensitive (recommended for production). none as a last fallback means access is granted with no credentials — never use none in production.

Configure Local Authentication with Enable Fallback

NetsTuts_R1(config)#aaa authentication login default local enable
            
IOS tries the local database first. If no local user is found, it falls back to the enable secret as a last resort. This two-method chain is a common production safety net.

Create a Named Method List for Console-Only Fallback

Named lists allow you to apply different authentication policies to different lines. Here, a dedicated list called CONSOLE-AUTH is created for the console:

NetsTuts_R1(config)#aaa authentication login CONSOLE-AUTH local enable
NetsTuts_R1(config)#line console 0
NetsTuts_R1(config-line)#login authentication CONSOLE-AUTH
NetsTuts_R1(config-line)#exit
            
The console line now uses the CONSOLE-AUTH named list. VTY lines continue to use the default list. Named lists give you granular control over how each access method is authenticated.

4. AAA Authentication — RADIUS Server

Explanation

RADIUS (Remote Authentication Dial-In User Service) is an open-standard protocol (RFC 2865) used to delegate authentication to a central server — commonly Cisco ISE, FreeRADIUS, or Windows NPS. All user accounts, passwords, and group policies are managed centrally, making RADIUS ideal for environments with many devices and users. See Local vs RADIUS Authentication for a full comparison.

RADIUS uses UDP — port 1812 for authentication and port 1813 for accounting. The IOS device and the RADIUS server share a pre-configured shared secret key for message integrity.

Step 1 — Define the RADIUS Server

NetsTuts_R1(config)#radius server RADIUS-SRV1
NetsTuts_R1(config-radius-server)#address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
NetsTuts_R1(config-radius-server)#key Radius@SharedKey1!
NetsTuts_R1(config-radius-server)#exit
            
The radius server command (IOS 15.2+) defines a named RADIUS server object. key sets the shared secret — this must match exactly what is configured on the RADIUS server side.

Step 2 — (Optional) Group the Server into a Server Group

Server groups allow you to pool multiple RADIUS servers for redundancy. Requests go to the first server in the group; if it does not respond, IOS fails over to the next one:

NetsTuts_R1(config)#aaa group server radius RADIUS-GROUP
NetsTuts_R1(config-sg-radius)#server name RADIUS-SRV1
NetsTuts_R1(config-sg-radius)#exit
            

Step 3 — Define the AAA Authentication Method List Using RADIUS

NetsTuts_R1(config)#aaa authentication login default group RADIUS-GROUP local
NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#
            
IOS tries the RADIUS server group first. If the RADIUS server is unreachable (not if authentication fails — only if the server is down), it falls back to the local database. This fallback prevents lockout during a server outage. See Local vs RADIUS for important notes on how the fallback works.
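
The distinction between a server that is unreachable and a server that rejects the login is easy to get wrong, so here is an added simulator (not part of the lab) of how IOS walks a method list: each method answers PASS, FAIL or ERROR, and only ERROR moves IOS on to the next method. The ServerGroup, LocalDatabase and EnableSecret classes and their accounts are constructed stand-ins; the same walk covers the TACACS+ list in the next section and the local enable list from section 3.

```python
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class ServerGroup:
    """Stand-in for 'group RADIUS-GROUP' / 'group TACACS-GROUP' (constructed, not a client)."""
    name: str
    users: dict             # username -> password known to the server
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR    # every server in the group timed out: the method cannot answer
        # A reachable server that rejects the credentials answers FAIL (Access-Reject),
        # which is a definitive answer, not an error, so no later method is consulted.
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class LocalDatabase:
    """The 'local' method: the device's own username commands."""
    users: dict

    def authenticate(self, user: str, password: str) -> str:
        if not self.users:
            return ERROR    # empty local database: IOS moves to the next method
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class EnableSecret:
    """The 'enable' method: only the enable secret is checked; the username is ignored."""
    secret: str

    def authenticate(self, user: str, password: str) -> str:
        return PASS if password == self.secret else FAIL


def run_method_list(methods, user: str, password: str):
    """Walk the list in order. Only ERROR advances to the next method; PASS or FAIL
    ends the attempt there. Returns (outcome, deciding method name, per-method trace)."""
    trace = []
    for method in methods:
        outcome = method.authenticate(user, password)
        trace.append((type(method).__name__, outcome))
        if outcome != ERROR:
            return outcome, type(method).__name__, trace
    # Every method errored: IOS denies the login, since nothing could vouch for the user.
    return FAIL, None, trace


def scenarios() -> dict:
    """Constructed accounts; the cases the lab text describes, as (outcome, deciding method)."""
    radius = ServerGroup("RADIUS-GROUP", {"jsmith": "Server@Pass1"})
    local = LocalDatabase({"admin": "Admin@Secure1!", "jsmith": "Local@Pass1"})
    default_list = [radius, local]   # aaa authentication login default group RADIUS-GROUP local
    results = {}
    # 1. Server reachable, password wrong for the server: FAIL, local entry never consulted.
    results["reject_no_fallback"] = run_method_list(default_list, "jsmith", "Local@Pass1")[:2]
    # 2. Server unreachable: ERROR, so IOS falls back to local, where the same password passes.
    radius.reachable = False
    results["outage_fallback"] = run_method_list(default_list, "jsmith", "Local@Pass1")[:2]
    # 3. 'aaa authentication login default local enable' on a device with no username commands.
    console_list = [LocalDatabase({}), EnableSecret("Enable@Secret1")]
    results["empty_local_enable"] = run_method_list(console_list, "anyone", "Enable@Secret1")[:2]
    # 4. Server still down and no local usernames: every method errors, login is denied.
    results["all_error"] = run_method_list([radius, LocalDatabase({})], "jsmith", "Local@Pass1")[:2]
    return results
```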

Verify RADIUS server configuration:

NetsTuts_R1#show radius server-group all
Server group RADIUS-GROUP:
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard
    Server(s) in this group:
    * 192.168.10.10:1812,1813
            

Verify RADIUS server status:

NetsTuts_R1#show radius statistics
            

Watch an authentication attempt step by step (debug output; use with caution on production devices):

NetsTuts_R1#debug aaa authentication
NetsTuts_R1#debug radius authentication
            
Debug output will show each authentication step — RADIUS request sent, reply received, method used. Always turn off debug with undebug all when finished. See Debug Commands for safe debug usage guidelines.

5. AAA Authentication — TACACS+ Server

Explanation

TACACS+ (Terminal Access Controller Access Control System Plus) is Cisco's proprietary AAA protocol, preferred for device administration because it separates Authentication, Authorization, and Accounting into independent transactions and encrypts the entire packet — not just the password. See TACACS+ Configuration Lab for an extended deep-dive, and RADIUS Configuration Lab for RADIUS-specific advanced scenarios.

TACACS+ uses TCP port 49 for reliable delivery. Because TCP is connection-oriented, TACACS+ detects server failures faster than RADIUS/UDP.

Step 1 — Define the TACACS+ Server

NetsTuts_R1(config)#tacacs server TACACS-SRV1
NetsTuts_R1(config-server-tacacs)#address ipv4 192.168.10.20
NetsTuts_R1(config-server-tacacs)#port 49
NetsTuts_R1(config-server-tacacs)#key Tacacs@SharedKey1!
NetsTuts_R1(config-server-tacacs)#exit
            
The tacacs server command (IOS 15.2+) defines a named TACACS+ server object. The shared key must match the TACACS+ server (e.g., Cisco ISE or TACACS+ daemon) exactly — including case and special characters.

Step 2 — Create a TACACS+ Server Group

NetsTuts_R1(config)#aaa group server tacacs+ TACACS-GROUP
NetsTuts_R1(config-sg-tacacs+)#server name TACACS-SRV1
NetsTuts_R1(config-sg-tacacs+)#exit
            

Step 3 — Define the AAA Authentication Method List Using TACACS+

NetsTuts_R1(config)#aaa authentication login default group TACACS-GROUP local
NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#
            
TACACS+ is tried first. If the server is unreachable, the local database is used as a fallback. This is the recommended design for device administration AAA in enterprise networks.

Verify TACACS+ server status:

NetsTuts_R1#show tacacs
Server: 192.168.10.20/49:
   State:           UP
   Single connect:  disabled
   Packets in:      14
   Packets out:     14
            

6. AAA Authorization

Explanation

AAA Authorization controls what an authenticated user is allowed to do after they log in. Without authorization, a user who authenticates via RADIUS or TACACS+ lands at privilege level 1 by default — unable to run most show commands or make any configuration changes.

There are two main authorization types used in device administration:

exec
  What it controls: The privilege level granted to a user when they start an EXEC session
  Common method: group tacacs+ or if-authenticated

commands <level>
  What it controls: Per-command authorization; each command is checked against the AAA server before execution
  Common method: group tacacs+

EXEC Authorization (Privilege Level Assignment)

NetsTuts_R1(config)#aaa authorization exec default group TACACS-GROUP local if-authenticated
            
When a user logs in, the TACACS+ server returns the privilege level in the authorization response (e.g., privilege 15 for admins). If TACACS+ is unreachable, if-authenticated grants access at whatever level the local database specifies. This prevents lockout during server outages.

Command Authorization (Per-Command Checking via TACACS+)

Important: Command authorization is only available with TACACS+ — not RADIUS. This is one of the primary reasons TACACS+ is preferred for device administration.

NetsTuts_R1(config)#aaa authorization commands 1 default group TACACS-GROUP local
NetsTuts_R1(config)#aaa authorization commands 15 default group TACACS-GROUP local
            
Every command a user types is sent to the TACACS+ server for approval before execution. Level 1 covers User EXEC commands; Level 15 covers all Privileged EXEC and Configuration mode commands. This provides a complete per-command audit trail.

Configuration Mode Authorization

NetsTuts_R1(config)#aaa authorization config-commands
            
Without this command, command authorization does not apply to configuration mode commands (entered at the (config)# prompt). Add this to ensure all commands are authorized — not just EXEC mode commands.

Verify authorization method lists:

NetsTuts_R1#show aaa method-lists authorization
Authorization method-list 'default':
    1. TACACS+
    2. LOCAL
            

7. AAA Accounting

Explanation

AAA Accounting records everything a user does during their session — when they logged in, what commands they ran, and when they disconnected. This creates a complete audit trail stored on the AAA server (RADIUS or TACACS+). Accounting is critical for compliance, forensics, and change management in enterprise environments.

EXEC Session Accounting

NetsTuts_R1(config)#aaa accounting exec default start-stop group TACACS-GROUP
            
start-stop sends an accounting record when the session begins (start) and when it ends (stop). The TACACS+ server logs the username, session duration, and source IP for every login session.

Command Accounting (Full Audit Trail)

NetsTuts_R1(config)#aaa accounting commands 1 default start-stop group TACACS-GROUP
NetsTuts_R1(config)#aaa accounting commands 15 default start-stop group TACACS-GROUP
NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#
            
Every command typed by the user is sent to the TACACS+ server — creating a line-by-line record of every change made to the device. This is a mandatory requirement in regulated environments (PCI-DSS, HIPAA, SOX).

Network Accounting (for RADIUS)

NetsTuts_R1(config)#aaa accounting network default start-stop group RADIUS-GROUP
            
Network accounting is used with RADIUS to record session information for network access connections — for example, 802.1X port authentication sessions or VPN connections. It records bytes transferred, session duration, and user identity.

Verify accounting configuration:

NetsTuts_R1#show aaa method-lists accounting
Accounting method-list 'default':
    1. TACACS+
            

8. Full AAA Baseline Configuration

Explanation

In production, AAA authentication, authorization, and accounting are configured together as a complete device administration security baseline. The following is a complete reference configuration using TACACS+ as the primary server with local fallback. This applies to both routers and switches.

Best practice: Always configure AAA from the console first — never from a remote SSH session — to prevent lockout. Test authentication on the console before disconnecting. Save with wr after each major step.

! ══════════════════════════════════════════════════════════
! NetsTuts Full AAA Baseline — Device Administration
! Device: NetsTuts_R1 | Primary: TACACS+ | Fallback: Local
! ══════════════════════════════════════════════════════════

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Step 1: Hostname (required before AAA) ────────────────
Router(config)#hostname NetsTuts_R1

! ── Step 2: Local user accounts (fallback) ───────────────
NetsTuts_R1(config)#username admin privilege 15 secret Admin@Secure1!
NetsTuts_R1(config)#username netops privilege 5 secret Netops@Pass1!

! ── Step 3: Enable AAA ───────────────────────────────────
NetsTuts_R1(config)#aaa new-model

! ── Step 4: Define TACACS+ server ────────────────────────
NetsTuts_R1(config)#tacacs server TACACS-SRV1
NetsTuts_R1(config-server-tacacs)#address ipv4 192.168.10.20
NetsTuts_R1(config-server-tacacs)#port 49
NetsTuts_R1(config-server-tacacs)#key Tacacs@SharedKey1!
NetsTuts_R1(config-server-tacacs)#exit

! ── Step 5: TACACS+ server group ─────────────────────────
NetsTuts_R1(config)#aaa group server tacacs+ TACACS-GROUP
NetsTuts_R1(config-sg-tacacs+)#server name TACACS-SRV1
NetsTuts_R1(config-sg-tacacs+)#exit

! ── Step 6: Authentication method list ───────────────────
NetsTuts_R1(config)#aaa authentication login default group TACACS-GROUP local

! ── Step 7: EXEC authorization ───────────────────────────
NetsTuts_R1(config)#aaa authorization exec default group TACACS-GROUP local if-authenticated

! ── Step 8: Command authorization ────────────────────────
NetsTuts_R1(config)#aaa authorization commands 1 default group TACACS-GROUP local
NetsTuts_R1(config)#aaa authorization commands 15 default group TACACS-GROUP local
NetsTuts_R1(config)#aaa authorization config-commands

! ── Step 9: Accounting ───────────────────────────────────
NetsTuts_R1(config)#aaa accounting exec default start-stop group TACACS-GROUP
NetsTuts_R1(config)#aaa accounting commands 1 default start-stop group TACACS-GROUP
NetsTuts_R1(config)#aaa accounting commands 15 default start-stop group TACACS-GROUP

! ── Step 10: Console line ────────────────────────────────
NetsTuts_R1(config)#line console 0
NetsTuts_R1(config-line)#login authentication default
NetsTuts_R1(config-line)#exec-timeout 5 0
NetsTuts_R1(config-line)#logging synchronous
NetsTuts_R1(config-line)#exit

! ── Step 11: SSH configuration ───────────────────────────
NetsTuts_R1(config)#ip domain-name netstuts.com
NetsTuts_R1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: NetsTuts_R1.netstuts.com
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

NetsTuts_R1(config)#ip ssh version 2
NetsTuts_R1(config)#ip ssh authentication-retries 3
NetsTuts_R1(config)#ip ssh time-out 60

! ── Step 12: VTY lines (SSH only) ────────────────────────
NetsTuts_R1(config)#line vty 0 4
NetsTuts_R1(config-line)#login authentication default
NetsTuts_R1(config-line)#transport input ssh
NetsTuts_R1(config-line)#exec-timeout 10 0
NetsTuts_R1(config-line)#exit

! ── Step 13: Save ────────────────────────────────────────
NetsTuts_R1(config)#end
NetsTuts_R1#
%SYS-5-CONFIG_I: Configured from console by console
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#
            
This complete baseline configures TACACS+ with local fallback for authentication, per-command authorization, and full accounting. Apply this on every new Cisco router or switch before connecting it to a production network.

9. Verifying Your AAA Configuration

After completing the lab, use the following commands to confirm that AAA is correctly configured and functioning. Compare your output to the examples below. For general show command reference, see show running-config and Debug Commands.

show aaa method-lists (All)

NetsTuts_R1#show aaa method-lists all
Authentication method-list 'default':
    1. TACACS+
    2. LOCAL
Authorization method-list 'default' (exec):
    1. TACACS+
    2. LOCAL
    3. IF-AUTHENTICATED
Authorization method-list 'default' (commands 1):
    1. TACACS+
    2. LOCAL
Authorization method-list 'default' (commands 15):
    1. TACACS+
    2. LOCAL
Accounting method-list 'default' (exec):
    1. TACACS+
Accounting method-list 'default' (commands 1):
    1. TACACS+
Accounting method-list 'default' (commands 15):
    1. TACACS+
            

Verification Commands Quick Reference

show aaa method-lists all
  What to verify: All authentication, authorization, and accounting method lists
  Expected result: Lists show TACACS+ and LOCAL in the correct order

show tacacs
  What to verify: TACACS+ server connectivity and packet counters
  Expected result: State: UP, packets in/out incrementing

show radius statistics
  What to verify: RADIUS request/response counters
  Expected result: Access-Request and Access-Accept counters incrementing

show running-config | section aaa
  What to verify: All AAA configuration lines in the running config
  Expected result: aaa new-model, method lists, and server definitions all present

show aaa sessions
  What to verify: Currently active AAA sessions
  Expected result: Shows active user sessions and the method used

show users
  What to verify: Users currently connected and their line
  Expected result: Shows your active console or VTY session with username

Full Verification Run

NetsTuts_R1#show tacacs
Server: 192.168.10.20/49:
   State:           UP
   Single connect:  disabled
   Packets in:      26
   Packets out:     26

NetsTuts_R1#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0    admin      idle                 00:00:00

NetsTuts_R1#show running-config | section aaa
aaa new-model
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-SRV1
aaa authentication login default group TACACS-GROUP local
aaa authorization exec default group TACACS-GROUP local if-authenticated
aaa authorization commands 1 default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
aaa authorization config-commands
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 1 default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
            
All verification commands confirm the full AAA baseline is correctly applied. The TACACS+ server shows UP state with active packet exchange.

10. Troubleshooting Common AAA Issues

Use show logging and debug commands alongside the fixes below to diagnose authentication failures and access issues.

Problem: Locked out immediately after typing aaa new-model
  Likely cause: No default method list was defined; AAA has no method to authenticate against
  Fix: Connect via console. Define a method list: aaa authentication login default local. Ensure at least one local user exists.

Problem: Authentication always falls back to local even when the TACACS+ server is reachable
  Likely cause: Shared key mismatch between router and TACACS+ server
  Fix: Verify the key on both sides. Use debug tacacs to see if authentication packets are being rejected. The key is case-sensitive.

Problem: User authenticates but lands at privilege level 1
  Likely cause: EXEC authorization is not configured, or the TACACS+ server is not returning a privilege level
  Fix: Add aaa authorization exec default group TACACS-GROUP local if-authenticated. Check the TACACS+ server profile for the user's privilege level attribute.

Problem: Commands are rejected with "% Authorization failed"
  Likely cause: Command authorization is enabled but the TACACS+ server policy does not permit that command for this user
  Fix: Check the TACACS+ server policy for the user or group. Temporarily bypass with no aaa authorization commands 15 default to confirm the cause.

Problem: TACACS+ server shows DOWN in show tacacs
  Likely cause: IP address, port, or key mismatch; or a firewall blocking TCP 49
  Fix: Ping the TACACS+ server IP from the router. Check show tacacs for error counters. Verify TCP port 49 is open through any firewall between the devices.

Problem: RADIUS authentication fails with no fallback to local
  Likely cause: The RADIUS server is reachable but returns Access-Reject (wrong credentials). Fallback only triggers if the server is unreachable, not if it actively rejects the login.
  Fix: Verify the user's credentials on the RADIUS server. Use debug radius authentication to see the server response. See Local vs RADIUS for fallback behavior details.

Problem: Accounting records not appearing on the AAA server
  Likely cause: Accounting not configured, or the server is not listening on the accounting port
  Fix: Confirm the aaa accounting commands are present in show running-config. Verify the accounting port (TACACS+ TCP 49, RADIUS UDP 1813) is reachable.
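
Several of the problems above (no default login list, a none method, a missing local fallback, no exec authorization, no config-commands, no command accounting, a method list pointing at an undefined server group) are visible in the running-config before a session is ever lost. The audit script below is an added example, not part of the lab: it parses the lab's command forms from show running-config text and reports the missing pieces of the baseline. BASELINE and WEAK are constructed sample configs with placeholder secret hashes, and the finding codes are invented here for readability.

```python
def _split_methods(tokens):
    """['group', 'TACACS-GROUP', 'local'] -> ['group TACACS-GROUP', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text: str) -> dict:
    """Extract the AAA-relevant facts from running-config text (lab command forms assumed)."""
    cfg = {"new_model": False, "groups": {}, "lists": {}, "config_commands": False, "users": []}
    group = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if line.startswith(" "):                      # indented member line of a block
            if group is not None and t[:2] == ["server", "name"]:
                cfg["groups"][group].append(t[2])
            continue
        group = None
        if t[0] == "username":
            cfg["users"].append(t[1])
        elif t[:2] == ["aaa", "new-model"]:
            cfg["new_model"] = True
        elif t[:3] == ["aaa", "group", "server"]:     # aaa group server tacacs+|radius NAME
            group = t[4]
            cfg["groups"][group] = []
        elif t[:3] == ["aaa", "authorization", "config-commands"]:
            cfg["config_commands"] = True
        elif t[0] == "aaa" and t[1] in ("authentication", "authorization", "accounting"):
            n = 4 if t[2] == "commands" else 3        # 'commands <level>' carries a level token
            cfg["lists"][(" ".join(t[1:n]), t[n])] = _split_methods(t[n + 1:])
    return cfg


def audit(text: str) -> list:
    """Findings as 'CODE: explanation'; an empty list means the lab baseline is present."""
    cfg = parse_config(text)
    lists, f = cfg["lists"], []
    if not cfg["new_model"]:
        f.append("NO_NEW_MODEL: aaa new-model absent, the AAA framework is not enabled")
    login = lists.get(("authentication login", "default"))
    if login is None:
        f.append("NO_LOGIN_LIST: no default login list; lockout risk once aaa new-model is on")
    else:
        if "none" in login:
            f.append("NONE_METHOD: 'none' grants access with no credentials")
        if any(m.startswith("group ") for m in login) and not {"local", "local-case", "enable"} & set(login):
            f.append("NO_LOCAL_FALLBACK: server-only login list locks you out during an outage")
    if not cfg["users"]:
        f.append("NO_LOCAL_USERS: the 'local' method has no username to match")
    referenced = {m.split(" ", 1)[1] for ms in lists.values() for m in ms if m.startswith("group ")}
    for g in sorted(referenced):
        if g not in cfg["groups"]:
            f.append(f"UNDEFINED_GROUP: method lists reference server group {g}, which is not defined")
        elif not cfg["groups"][g]:
            f.append(f"EMPTY_GROUP: server group {g} has no 'server name' member")
    if ("authorization exec", "default") not in lists:
        f.append("NO_EXEC_AUTHZ: without exec authorization remote users land at privilege 1")
    if ("authorization commands 15", "default") not in lists:
        f.append("NO_CMD_AUTHZ: level-15 commands are not authorized per command")
    elif not cfg["config_commands"]:
        f.append("NO_CONFIG_COMMANDS: config-mode commands bypass command authorization")
    if ("accounting commands 15", "default") not in lists:
        f.append("NO_CMD_ACCOUNTING: no per-command audit trail for level 15")
    return f


# Constructed running-config excerpts (not captured from a device); secret hashes are placeholders.
BASELINE = """\
username admin privilege 15 secret 9 HASH-PLACEHOLDER
aaa new-model
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-SRV1
aaa authentication login default group TACACS-GROUP local
aaa authorization exec default group TACACS-GROUP local if-authenticated
aaa authorization commands 1 default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
aaa authorization config-commands
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 1 default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
"""
WEAK = """\
aaa new-model
aaa authentication login default group TACACS-GROUP none
aaa authorization commands 15 default group TACACS-GROUP local
"""
```

Run audit() on the output of show running-config copied from the console; the checks only cover the global aaa commands, so line-level settings such as transport input ssh still need a manual look.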

11. Key Points & Exam Tips

  • aaa new-model must be configured first — all other AAA commands depend on it. It immediately overrides all line passwords.
  • The default method list applies to all lines automatically. Named lists must be explicitly assigned to a line with login authentication <list-name>.
  • AAA fallback to local only triggers when the external server is unreachable — not when it actively rejects credentials. This is a common exam trap.
  • TACACS+ uses TCP 49, encrypts the full packet, and supports per-command authorization. Use it for device administration.
  • RADIUS uses UDP 1812/1813, encrypts only the password, and combines authentication + authorization. Use it for network access (802.1X, VPN, Wi-Fi).
  • Command authorization (aaa authorization commands) is a TACACS+-only feature — RADIUS cannot perform per-command checks.
  • aaa authorization config-commands must be added separately — without it, command authorization does not apply to configuration mode commands.
  • if-authenticated as a fallback in authorization means: if the user was successfully authenticated by any method, grant access at whatever privilege level the local database specifies. This prevents lockout.
  • Always test AAA changes on the console before testing on VTY. If you lock yourself out via VTY, console access is your recovery path.
  • Use debug aaa authentication and debug tacacs to troubleshoot — but always run undebug all immediately after on production devices.

Related Labs: After completing this lab, continue with RADIUS Configuration Lab and TACACS+ Configuration Lab for extended server-side scenarios. For login security hardening, see Login Security & Brute-Force Protection. For the conceptual foundation, review AAA Overview, AAA Authentication Methods, and Local vs RADIUS Authentication.

TEST WHAT YOU LEARNED

1. What does the command aaa new-model do when first entered on a Cisco device?

Correct answer is B. aaa new-model activates the AAA framework globally. The moment it is entered, all existing line password configurations (login, login local) are overridden and replaced by AAA method lists. If no method list is defined, the device may become inaccessible.

2. An engineer configures aaa authentication login default group TACACS-GROUP local. The TACACS+ server returns an Access-Reject for user "jsmith". What happens next?

Correct answer is C. This is a critical distinction. The local fallback only triggers when the AAA server is unreachable (no response, timeout). If the server is reachable but actively rejects the user (Access-Reject), authentication fails immediately — the local database is not consulted.

3. Which protocol should be chosen for Cisco device administration when per-command authorization and full packet encryption are required?

Correct answer is D. TACACS+ encrypts the entire packet (not just the password), uses TCP for reliability, and — most importantly — supports per-command authorization. RADIUS cannot perform per-command authorization checks, making TACACS+ the correct choice for device administration.

4. A user authenticates successfully via TACACS+ but lands at privilege level 1 and cannot run show running-config. What is the most likely cause?

Correct answer is A. Without aaa authorization exec, IOS does not ask the TACACS+ server what privilege level to grant. The user defaults to privilege 1 regardless of what the server would have assigned. Add aaa authorization exec default group TACACS-GROUP local if-authenticated and verify the TACACS+ server profile assigns privilege 15 to this user.

5. What is the purpose of the aaa authorization config-commands command?

Correct answer is B. By default, aaa authorization commands only checks EXEC mode commands. aaa authorization config-commands extends authorization checking to all commands entered in configuration mode (e.g., at the (config)#, (config-if)# prompts). This is required for a complete command-level audit.

6. What transport protocol and port does TACACS+ use?

Correct answer is C. TACACS+ uses TCP port 49. TCP provides reliable, connection-oriented delivery — meaning the router knows immediately if the TACACS+ server is unreachable (connection refused or timeout). RADIUS uses UDP on ports 1812 (authentication) and 1813 (accounting).

7. An engineer needs to configure AAA accounting to log every command typed by privileged users at level 15. Which command achieves this?

Correct answer is D. aaa accounting commands 15 logs every command entered at privilege level 15 (Privileged EXEC and Configuration mode). aaa accounting exec logs session start/stop events, not individual commands. aaa accounting network is for network access accounting, not device administration.

8. An engineer enters aaa new-model on a remote SSH session without first defining a method list. What is the most likely result?

Correct answer is A. aaa new-model immediately overrides all line password configurations. With no method list defined, AAA has no way to authenticate the VTY session — the connection drops. This is why you must always configure AAA from the console first, with at least aaa authentication login default local defined before enabling aaa new-model.

9. Which AAA accounting type is used to record session start/stop information for 802.1X port authentication sessions?

Correct answer is B. aaa accounting network logs network access sessions — including 802.1X port authentication, VPN connections, and other network service events. aaa accounting exec logs administrator login sessions to the device CLI. aaa accounting commands logs individual commands typed by a user.

10. What does the if-authenticated keyword do when used in an AAA authorization method list?

Correct answer is C. if-authenticated is a safety net in authorization method lists. If all preceding methods fail (e.g., TACACS+ is unreachable), and the user was successfully authenticated by any method, IOS grants access at whatever privilege level is in the local database. This prevents total lockout without removing security — the user must still authenticate before if-authenticated applies.