Local and RADIUS/TACACS+ Authentication

1. What Is Local Authentication?

Local authentication stores usernames and passwords directly on the network device itself — in the running configuration of a router or switch. No external server is required; the device verifies credentials from its own local database at login time.

  • Use Cases: Small networks with few administrators; out-of-band management; emergency fallback when centralized AAA servers are unreachable.
  • Advantages: Simple to set up, no external dependencies, works even when the network is down, always available for emergency console access.
  • Limitations: Does not scale — each device requires individual account management. A password change across 50 routers means 50 manual updates. Lacks centralized auditing and per-command authorization.

! Create a local user with a hashed (secret) password at privilege level 15
Router(config)# username admin privilege 15 secret Str0ngP@ss!

! Apply local authentication to VTY lines
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh

Critical rule: Always use secret (not password) for local accounts. The password keyword stores a reversible Type 7 encoding that can be decoded in seconds. secret stores a one-way hash (MD5 Type 5 or scrypt Type 9) that cannot be reversed.

Related pages: Login Authentication Methods | SSH Explained | SSH Configuration | Console & VTY Line Configuration

2. What Is RADIUS Authentication?

RADIUS (Remote Authentication Dial-In User Service) is an open-standard, centralized AAA protocol originally developed by Livingston Enterprises and now maintained by the IETF (RFC 2865/2866). It allows a single server to authenticate users and devices across an entire network infrastructure.

  • Transport: UDP — port 1812 for authentication/authorization, port 1813 for accounting.
  • Encryption: Encrypts the password field only; the rest of the packet (including username and attributes) is transmitted in clear text.
  • AAA Handling: Combines authentication and authorization into a single response — the server returns ACCEPT/REJECT along with any authorization attributes in one packet.
  • Vendor Support: Multi-vendor open standard — supported by Cisco, Juniper, Aruba, Palo Alto, and all major network platforms.
Primary Use Cases:
  • 802.1X wired and wireless port authentication — authenticates endpoints before granting network access.
  • VPN authentication — validates remote users connecting via IPsec or SSL VPN. See Site-to-Site IPsec VPN.
  • Wi-Fi WPA2/WPA3-Enterprise — RADIUS is the backbone of enterprise wireless security.
  • ISP dial-up and broadband — the original use case; still used for PPPoE authentication.
Common RADIUS Server Software:
  • Cisco ISE (Identity Services Engine) — enterprise-grade, policy-based
  • FreeRADIUS — open-source, widely deployed
  • Microsoft NPS (Network Policy Server) — integrates with Active Directory
  • Aruba ClearPass — multi-vendor policy management
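The following is an added example, not part of the original page: it builds a minimal RADIUS Access-Request as defined in RFC 2865 to show on the wire what the Encryption bullet above describes. Only the User-Password attribute is hidden (XORed with an MD5 keystream derived from the shared secret and the Request Authenticator); User-Name and the NAS address are readable by anyone capturing the packet. The username, password, shared secret and addresses are constructed values.

```python
"""Added example (not from the original page): a minimal RADIUS Access-Request
(RFC 2865) showing which fields are hidden and which travel in clear text.
The shared secret, username, password and addresses are constructed."""

import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator.
    Only the shared secret protects this field, not the random authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def _attr(atype: int, value: bytes) -> bytes:
    """Type | Length | Value encoding used by every RADIUS attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(user: str, password: str, secret: str, nas_ip: str,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Assemble Code | Identifier | Length | Authenticator | Attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)          # fresh 16 random bytes per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD,
                     hide_user_password(password.encode(), secret.encode(), authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def visible_fields(packet: bytes) -> dict:
    """What a passive observer can read from the packet without the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    pos, attrs = 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {
        "code": code,
        "username": attrs[USER_NAME].decode(),            # clear text
        "nas_ip": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS]),  # clear text
        "password_bytes": attrs[USER_PASSWORD],           # hidden 16-byte block
    }


def demo(authenticator: bytes = bytes(range(16))):
    """Fixed authenticator so the result is reproducible; constructed credentials."""
    pkt = build_access_request("admin", "Str0ngP@ss!", "RadiusSharedSecret1!",
                               "10.10.10.1", authenticator=authenticator)
    return pkt, visible_fields(pkt)


if __name__ == "__main__":
    pkt, seen = demo()
    print("username on the wire:", seen["username"])
    print("NAS address on the wire:", seen["nas_ip"])
    print("User-Password on the wire:", seen["password_bytes"].hex())
```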

See: AAA TACACS+/RADIUS Configuration (Step-by-Step) | 802.1X Port Authentication

3. What Is TACACS+ Authentication?

TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco-proprietary AAA protocol designed specifically for network device administration. While RADIUS focuses on user network access, TACACS+ focuses on controlling what administrators can do on network devices.

  • Transport: TCP — port 49. TCP provides reliable, connection-oriented delivery and connection-state awareness — the server knows immediately if a client disconnects.
  • Encryption: Encrypts the entire packet payload (including username, authorization data, and accounting records) — not just the password field like RADIUS.
  • AAA Separation: Fully separates authentication, authorization, and accounting into independent processes. Each can use a different server or policy.
  • Command Authorization: TACACS+ can control exactly which Cisco IOS commands a user is permitted to run — down to the individual command level. RADIUS cannot do this.
  • Vendor: Cisco-proprietary — best suited for Cisco-heavy environments.
Primary Use Cases:
  • Router and switch CLI administrative logins
  • Per-command authorization (restrict NOC to read-only; allow engineers full access)
  • Detailed accounting of every command executed by every administrator
  • Privilege level assignment server-side, centrally managed across all devices
Common TACACS+ Server Software:
  • Cisco ISE — preferred for enterprise Cisco environments
  • Cisco ACS (Access Control Server) — legacy, end-of-life but still deployed
  • tac_plus (open-source daemon) — lightweight, commonly used in smaller networks

See: AAA TACACS+ Configuration (Step-by-Step)

4. Local vs. RADIUS vs. TACACS+ — Full Comparison

| Feature | Local | RADIUS | TACACS+ |
|---|---|---|---|
| Credential Storage | On the device itself | Centralized server | Centralized server |
| Transport Protocol | N/A (local) | UDP (1812/1813) | TCP (port 49) |
| Encryption | Password hash only (if using secret) | Password field only | Entire packet payload |
| AAA Handling | Authentication only (no authZ/accounting) | Combines auth + authorization in one response | Fully separates auth, authorization, accounting |
| Command Authorization | Privilege levels only (coarse-grained) | ❌ Not supported | ✅ Per-command, per-user control |
| Scalability | Poor — manual per-device management | Excellent — one server for all devices | Excellent — one server for all devices |
| Vendor Support | All vendors | All vendors (open standard) | Primarily Cisco environments |
| Best For | Small networks, fallback access | User/device network access (Wi-Fi, VPN, 802.1X) | Network device administration (CLI, command control) |
| Reliability | Always available (no external dependency) | UDP — no guaranteed delivery; app handles retries | TCP — reliable delivery, connection-state aware |
| Accounting / Auditing | Limited (local logging only) | UDP-based accounting (port 1813) | Full command-level accounting to central server |

Decision rule: Use Local for small networks and emergency fallback. Use RADIUS when authenticating end users for network access (Wi-Fi, VPN, 802.1X). Use TACACS+ when controlling administrator access to device CLIs — especially when per-command authorization and detailed audit trails are required.

5. The AAA Model — Authentication, Authorization, Accounting

AAA is a security framework that controls access to network resources by addressing three distinct questions for every session. See AAA Overview for the full conceptual background.

  • Authentication — "Who are you?"
    Verifies identity using credentials (username/password, certificate, token). The user must prove they are who they claim to be before gaining any access.
  • Authorization — "What are you allowed to do?"
    Determines what resources, commands, or network access the authenticated user is permitted to use. TACACS+ handles this independently from authentication; RADIUS combines them.
  • Accounting — "What did you do?"
    Records session start/stop times, commands executed, bytes transferred, and other activity. This data is sent to the AAA server for auditing, compliance, and billing.

How TACACS+ Separates AAA

  Client (Router/Switch)             TACACS+ Server
         │                                 │
         │──── Authentication Request ────▶│  Step 1: Who are you?
         │◀─── Accept / Reject ────────────│
         │                                 │
         │──── Authorization Request ─────▶│  Step 2: What can you do?
         │◀─── Permitted Commands ─────────│
         │                                 │
         │──── Accounting Start ──────────▶│  Step 3: Log what you do
         │    (session begins)             │
         │──── Command Accounting ────────▶│  (each command logged)
         │──── Accounting Stop ───────────▶│  (session ends)

How RADIUS Handles AAA

  Client (Router/Switch)             RADIUS Server
         │                                 │
         │──── Access-Request ────────────▶│  Auth + AuthZ combined
         │◀─── Access-Accept/Reject ───────│  (attributes returned in one packet)
         │                                 │
         │──── Accounting-Request (Start) ▶│  Separate accounting packet
         │──── Accounting-Request (Stop) ─▶│

6. Configuration — Local Authentication

Local authentication is the simplest method and the mandatory fallback for all AAA deployments.

Basic Local User Setup

! Create users at different privilege levels
Router(config)# username admin    privilege 15 secret AdminPass1!
Router(config)# username netops   privilege 5  secret NocPass1!
Router(config)# username readonly privilege 1  secret ReadOnly1!

! Apply to console line
Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exec-timeout 5 0

! Apply to VTY lines — SSH only
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 10 0

Verify Local Users

Router# show running-config | section username
username admin privilege 15 secret 9 $9$hashedvalue...
username netops privilege 5 secret 9 $9$hashedvalue...

Router# show users
    Line       User       Host(s)     Idle      Location
*  2 vty 0    admin      idle        00:00:00  10.10.10.5

7. Configuration — RADIUS Authentication

The following shows how to configure a Cisco IOS device as a RADIUS client. Note: The legacy radius-server host command is deprecated in modern IOS — use the radius server block syntax instead.

Modern IOS RADIUS Configuration (Recommended)

! Step 1: Enable AAA
Router(config)# aaa new-model

! Step 2: Define RADIUS server using block syntax
Router(config)# radius server ISE-PRIMARY
Router(config-radius-server)# address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
Router(config-radius-server)# key RadiusSharedSecret1!
Router(config-radius-server)# timeout 5
Router(config-radius-server)# retransmit 3

! Step 3: Create a server group (optional but best practice)
Router(config)# aaa group server radius CORP-RADIUS
Router(config-sg-radius)# server name ISE-PRIMARY

! Step 4: Define method list — RADIUS first, local as fallback
Router(config)# aaa authentication login default group CORP-RADIUS local

! Step 5: Apply to lines
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# transport input ssh

Legacy Syntax (Older IOS — for Reference)

aaa new-model
radius-server host 192.168.1.10 key rad123
aaa authentication login default group radius local

Ports to know for the exam: RADIUS uses UDP 1812 for authentication/authorization and UDP 1813 for accounting. Some older implementations use ports 1645/1646 — know both pairs.

Verify RADIUS Operation

Router# show aaa servers
RADIUS: id 1, priority 1, host 10.1.1.50, auth-port 1812, acct-port 1813
     State: current UP, duration 3600s, previous duration 0s
     Dead: total time 0s, count 0
     Authen: request 42, timeouts 0, failover 0, retransmit 0
             Response: accept 38, reject 4, challenge 0

Router# debug radius
*Mar 1 12:01:05.123: RADIUS: Send Access-Request to 10.1.1.50:1812
*Mar 1 12:01:05.234: RADIUS: Received Access-Accept from 10.1.1.50:1812

8. Configuration — TACACS+ Authentication

TACACS+ configuration on Cisco IOS uses a similar structure to RADIUS but with distinct commands and additional authorization/accounting capabilities.

Full TACACS+ Configuration with Authorization and Accounting

! Step 1: Enable AAA
Router(config)# aaa new-model

! Step 2: Define TACACS+ server
Router(config)# tacacs server CORP-TACS
Router(config-server-tacacs)# address ipv4 10.1.1.100
Router(config-server-tacacs)# key TacacsSharedKey1!
Router(config-server-tacacs)# timeout 5

! Step 3: Authentication — TACACS+ first, local fallback
Router(config)# aaa authentication login default group tacacs+ local

! Step 4: Executive authorization (assigns privilege level from server)
Router(config)# aaa authorization exec default group tacacs+ local

! Step 5: Per-command authorization at all levels
Router(config)# aaa authorization commands 1  default group tacacs+ local
Router(config)# aaa authorization commands 15 default group tacacs+ local

! Step 6: Accounting — log all sessions and commands
Router(config)# aaa accounting exec default start-stop group tacacs+
Router(config)# aaa accounting commands 15 default start-stop group tacacs+

! Step 7: Apply to lines
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config-line)# exec-timeout 5 0

Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 10 0

Verify TACACS+ Operation

Router# show tacacs
Tacacs+ Server - 10.1.1.100/49:
     Socket opens:      15
     Socket closes:     15
     Total packets sent: 30
     Total packets recv: 30

Router# debug tacacs
*Mar 1 12:01:05: TPLUS: Queuing AAA Authentication request
*Mar 1 12:01:05: TPLUS: Processing authentication start request
*Mar 1 12:01:05: TPLUS: Authentication response: PASS

Best Practice: Always configure aaa authorization exec default group tacacs+ local alongside authentication. Without exec authorization, TACACS+ will authenticate the user but may place them at privilege level 1 regardless of what the server assigns — because IOS applies privilege levels from the server only when exec authorization is enabled.

9. AAA Method Lists — How They Work

A method list defines the ordered sequence of authentication methods IOS will try. The device works through the list left to right, moving to the next method only under specific conditions.

Method List Fallback Rules

  • If a server returns ERROR (unreachable / no response / timeout) → move to the next method.
  • If a server returns REJECT (valid response — wrong credentials) → deny immediately, no fallback. This is the most commonly misunderstood behavior on the CCNA exam.
  • If the last method also fails → the login is denied.

Example method list and its evaluation flow:

  aaa authentication login default group tacacs+ group radius local

  User connects
       │
       ▼
  Try TACACS+ server
       │
  ┌────┴──────────────┐
  │                   │
REJECT             ERROR (unreachable)
  │                   │
❌ Deny            Try RADIUS server
                       │
                  ┌────┴──────────────┐
                  │                   │
                REJECT             ERROR (unreachable)
                  │                   │
                ❌ Deny            Try local database
                                       │
                                  ┌────┴─────┐
                                  │          │
                               ACCEPT      REJECT
                                  │          │
                               ✅ Grant   ❌ Deny

Named vs. Default Method Lists

| Type | Command | Scope |
|---|---|---|
| Default list | aaa authentication login default group tacacs+ local | Applies automatically to all lines unless overridden |
| Named list | aaa authentication login MGMT group tacacs+ local | Applied explicitly to specific lines with login authentication MGMT |

Scenario — different method lists per line:
! Management engineers use TACACS+ (full command authorization)
aaa authentication login MGMT-AUTH group tacacs+ local
line vty 0 2
 login authentication MGMT-AUTH

! Read-only monitoring staff use RADIUS (simpler access)
aaa authentication login MON-AUTH group radius local
line vty 3 4
 login authentication MON-AUTH
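The fallback rules and the server-group behaviour above are easy to get wrong, so here is an added example (not code from the original page) that simulates how IOS evaluates a login method list: members of a server group are tried in order, an ERROR moves on to the next member or method, and an ACCEPT or REJECT from a reachable server is final. The server names, addresses and credentials are constructed; the scenarios include the lockout that results when local is omitted.

```python
"""Added example (not from the original page): a small simulator of how Cisco
IOS walks an AAA login method list, using the fallback rules described above.
Server names and credentials are constructed for illustration."""

from dataclasses import dataclass

ACCEPT, REJECT, ERROR = "ACCEPT", "REJECT", "ERROR"


@dataclass
class Server:
    """One RADIUS or TACACS+ server inside a server group."""
    name: str
    reachable: bool
    users: dict  # constructed username -> password table held by the server

    def authenticate(self, user, password, trace):
        if not self.reachable:
            result = ERROR            # timeout / no response
        elif self.users.get(user) == password:
            result = ACCEPT
        else:
            result = REJECT           # reachable server actively denied
        trace.append((self.name, result))
        return result


@dataclass
class ServerGroup:
    """'aaa group server radius|tacacs+ NAME': members tried in configured order."""
    name: str
    servers: list

    def authenticate(self, user, password, trace):
        for srv in self.servers:
            result = srv.authenticate(user, password, trace)
            if result != ERROR:
                return result         # an answer from a live server is final
        return ERROR                  # every member of the group was unreachable


@dataclass
class LocalDatabase:
    """The 'local' method: username entries in the running-config."""
    users: dict
    name: str = "local"

    def authenticate(self, user, password, trace):
        result = ACCEPT if self.users.get(user) == password else REJECT
        trace.append((self.name, result))
        return result


def evaluate_method_list(methods, user, password):
    """Walk the list left to right. Returns (decision, trace of (name, result))."""
    trace = []
    for method in methods:
        result = method.authenticate(user, password, trace)
        if result == ERROR:
            continue                  # only ERROR moves on to the next method
        return result, trace          # ACCEPT or REJECT ends evaluation
    return "DENY", trace              # last method also returned ERROR


# Constructed topology: two TACACS+ servers in one group, one RADIUS server, local fallback
TACS = ServerGroup("CORP-TACS", [
    Server("TACS-PRIMARY", reachable=False, users={"eng": "Eng-pw1"}),
    Server("TACS-SECONDARY", reachable=True, users={"eng": "Eng-pw1"}),
])
RADIUS = ServerGroup("CORP-RADIUS", [
    Server("ISE-PRIMARY", reachable=True, users={"noc": "Noc-pw1"}),
])
LOCAL = LocalDatabase({"emergency": "Break-glass1"})

# aaa authentication login default group CORP-TACS group CORP-RADIUS local
DEFAULT_LIST = [TACS, RADIUS, LOCAL]

# The same groups during a full AAA outage (WAN failure, servers unreachable)
DOWN_TACS = ServerGroup("CORP-TACS", [Server("TACS-PRIMARY", False, {}),
                                      Server("TACS-SECONDARY", False, {})])
DOWN_RADIUS = ServerGroup("CORP-RADIUS", [Server("ISE-PRIMARY", False, {})])


def primary_down():
    """Primary TACACS+ unreachable: the secondary in the same group answers."""
    return evaluate_method_list(DEFAULT_LIST, "eng", "Eng-pw1")


def reject_has_no_fallback():
    """Wrong password on a reachable TACACS+ server: REJECT, RADIUS is never tried."""
    return evaluate_method_list(DEFAULT_LIST, "eng", "wrong")


def all_servers_down_with_local():
    """Every server unreachable: the local emergency account still works."""
    return evaluate_method_list([DOWN_TACS, DOWN_RADIUS, LOCAL], "emergency", "Break-glass1")


def all_servers_down_without_local():
    """Same outage with 'local' omitted from the method list: total lockout."""
    return evaluate_method_list([DOWN_TACS, DOWN_RADIUS], "emergency", "Break-glass1")


if __name__ == "__main__":
    for scenario in (primary_down, reject_has_no_fallback,
                     all_servers_down_with_local, all_servers_down_without_local):
        decision, trace = scenario()
        print(f"{scenario.__name__}: {decision} {trace}")
```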

10. Server Redundancy and High Availability

In production networks, a single AAA server is a single point of failure. If authentication is unavailable and no local fallback exists, administrators can be locked out entirely. Always deploy redundant servers and test failover regularly.

Multiple RADIUS Servers

! Define two RADIUS servers — IOS tries them in order
Router(config)# radius server ISE-PRIMARY
Router(config-radius-server)# address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
Router(config-radius-server)# key RadiusKey1!

Router(config)# radius server ISE-SECONDARY
Router(config-radius-server)# address ipv4 10.1.1.51 auth-port 1812 acct-port 1813
Router(config-radius-server)# key RadiusKey1!

! Group both servers — IOS fails over automatically if primary is down
Router(config)# aaa group server radius CORP-RADIUS
Router(config-sg-radius)# server name ISE-PRIMARY
Router(config-sg-radius)# server name ISE-SECONDARY

Router(config)# aaa authentication login default group CORP-RADIUS local

Multiple TACACS+ Servers

! Define two TACACS+ servers. With 'group tacacs+' in the method list, IOS tries
! every configured TACACS+ server in the order they are defined here.
Router(config)# tacacs server TACS-PRIMARY
Router(config-server-tacacs)# address ipv4 10.1.1.100
Router(config-server-tacacs)# key TacacsKey1!

Router(config)# tacacs server TACS-SECONDARY
Router(config-server-tacacs)# address ipv4 10.1.1.101
Router(config-server-tacacs)# key TacacsKey1!

High availability design: Always place at least one AAA server in the same site as each major network device. A remote-only AAA server means that a WAN failure can lock administrators out of all local devices. The local fallback account exists precisely for this scenario — test it periodically.

Recommended AAA Redundancy Architecture

  ┌───────────────────────────────────────────┐
  │           Enterprise Network              │
  │                                           │
  │   ┌──────────┐        ┌──────────────┐   │
  │   │ Router/  │◀──────▶│ TACACS+      │   │
  │   │ Switch   │  TCP49 │ Primary ISE  │   │
  │   │          │        │ 10.1.1.100   │   │
  │   │  (AAA    │        └──────────────┘   │
  │   │  client) │                           │
  │   │          │        ┌──────────────┐   │
  │   │          │◀──────▶│ TACACS+      │   │
  │   │          │  TCP49 │ Secondary    │   │
  │   │          │        │ 10.1.1.101   │   │
  │   └──────────┘        └──────────────┘   │
  │        │                                  │
  │   [Local fallback: username emergency]    │
  └───────────────────────────────────────────┘

11. Security Considerations

Shared Secret Security

  • The shared secret (key) is used to authenticate communication between the network device and the AAA server. Use long, complex, randomly generated keys — at least 16 characters.
  • Never use the same shared key across all devices — a compromised device exposes the key for all others.
  • Rotate shared secrets periodically, especially after staff changes.

Management Network Isolation

  • Place AAA servers on a dedicated, isolated management network or out-of-band management VLAN.
  • Apply ACLs to restrict which devices can reach the RADIUS/TACACS+ server ports.
  • Use a separate VRF (VRF-Lite) for management traffic to isolate it from production data flows — see VRF-Lite Configuration.

Encryption Comparison

| Method | What Is Encrypted | Risk If Traffic Is Intercepted |
|---|---|---|
| Local auth (secret) | Password stored as one-way hash on device | Low — hash cannot be reversed; no network traffic |
| RADIUS | Password field only (MD5 hashed) | Medium — username, attributes, and accounting visible in clear text |
| TACACS+ | Entire packet payload | Low — all data including username and authorization encrypted |

Additional Hardening Steps

  • Apply login block-for on all devices to prevent brute-force attacks against local accounts.
  • Restrict VTY access with access-class ACLs — only management subnets should be able to SSH to network devices.
  • Enable login on-failure log and login on-success log to capture all authentication events in syslog. Forward these to a central Syslog server and configure SNMP traps for authentication failures.
  • Use WPA3-Enterprise (RADIUS) for wireless authentication — never WPA2-PSK in enterprise environments. See 802.1X – Port-Based Network Access Control for how RADIUS integrates with wired and wireless 802.1X.
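To make the hardening points above checkable, here is an added example (not from the original page, and not a Cisco tool): a small audit script that reads a Cisco IOS running-config as text and reports deviations from them, covering secret versus password on local accounts, a missing local fallback in the method list, missing exec authorization with TACACS+, missing login block-for and login logging, and VTY lines that are not SSH-only, lack an access-class, or lack an exec-timeout. The two sample configs and the finding codes are constructed for the example.

```python
"""Added example (not from the original page): an audit script that reads a
Cisco IOS running-config as text and reports deviations from the hardening
points listed above. Sample configs and finding codes are this script's own."""

import re


def _vty_stanzas(config):
    """Yield (header, [sub-commands]) for every 'line vty' stanza in the config."""
    header, body = None, []
    for raw in config.splitlines() + ["!"]:      # trailing "!" flushes the last stanza
        if raw.startswith("line "):
            if header:
                yield header, body
            header, body = (raw.strip(), []) if raw.startswith("line vty") else (None, [])
        elif header and raw.startswith(" "):
            body.append(raw.strip())
        elif header:
            yield header, body
            header, body = None, []


def audit_config(config):
    """Return a list of (code, detail) findings; an empty list means all checks pass."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    # 1. Local accounts must use 'secret' (one-way hash), never 'password' (Type 0/7)
    for l in lines:
        m = re.match(r"username (\S+) .*\bpassword\b", l)
        if m:
            findings.append(("LOCAL-PASSWORD", f"user {m.group(1)} uses 'password'; use 'secret'"))
    # 2. Every login method list should end with 'local' so an AAA outage cannot lock admins out
    for l in lines:
        if l.startswith("aaa authentication login ") and l.split()[-1] != "local":
            findings.append(("NO-LOCAL-FALLBACK", l))
    # 3. TACACS+ authentication without exec authorization leaves users at privilege 1
    uses_tacacs = any(l.startswith("aaa authentication login") and "tacacs+" in l for l in lines)
    if uses_tacacs and not any(l.startswith("aaa authorization exec ") for l in lines):
        findings.append(("NO-EXEC-AUTHZ", "add 'aaa authorization exec default group tacacs+ local'"))
    # 4. Brute-force protection and logging of every authentication event
    for required, code in (("login block-for", "NO-LOGIN-BLOCK"),
                           ("login on-failure log", "NO-FAILURE-LOG"),
                           ("login on-success log", "NO-SUCCESS-LOG")):
        if not any(l.startswith(required) for l in lines):
            findings.append((code, f"'{required}' not configured"))
    # 5. VTY lines: SSH only, restricted by access-class, with an idle timeout
    for header, body in _vty_stanzas(config):
        transport = [b for b in body if b.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(("VTY-NOT-SSH-ONLY", header))
        if not any(b.startswith("access-class") for b in body):
            findings.append(("VTY-NO-ACCESS-CLASS", header))
        if not any(b.startswith("exec-timeout") for b in body):
            findings.append(("VTY-NO-EXEC-TIMEOUT", header))
    return findings


# Constructed sample: a typical weak configuration
WEAK_CONFIG = """\
username admin privilege 15 password PlainTextPw1
aaa new-model
aaa authentication login default group tacacs+
line vty 0 4
 login authentication default
 transport input telnet ssh
"""

# Constructed sample: the same device hardened as recommended above ($9$ hash is a placeholder)
HARDENED_CONFIG = """\
username admin privilege 15 secret 9 $9$placeholder-hash
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
line vty 0 4
 login authentication default
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

Run it against a saved `show running-config` to get the same finding codes for a real device.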

See: Login Security & Brute-Force Protection | 802.11 Wi-Fi Standards & WPA3

12. Use Cases — Choosing the Right Method

When to Use Local Authentication

  • Networks with 1–5 devices and a single administrator.
  • Emergency break-glass access — even in AAA environments, always keep one local account.
  • Isolated devices that have no network path to an AAA server (out-of-band management segments).
  • Lab and test environments where simplicity is preferred over security.

When to Use RADIUS

  • Wi-Fi networks using WPA2-Enterprise or WPA3-Enterprise authentication.
  • 802.1X wired port authentication — verifying endpoints before granting LAN access.
  • VPN gateways authenticating remote users (Cisco AnyConnect, SSL VPN).
  • ISP and carrier environments billing users based on session duration/data usage.
  • Multi-vendor environments where an open standard is required.

When to Use TACACS+

  • Enterprise networks where network engineers need CLI access to routers and switches.
  • Environments requiring per-command authorization — restrict NOC operators to show commands only.
  • Compliance frameworks (PCI-DSS, HIPAA, SOC 2) requiring detailed command-level audit trails.
  • Cisco-heavy environments where the proprietary feature set is fully supported.
Real-World Scenario: Enterprise Network with Mixed Authentication

A company has 60 Cisco routers and switches, 200 Wi-Fi APs, and 500 remote VPN users. Here is how they deploy each method:
  • Wi-Fi users (802.1X): RADIUS via Cisco ISE — employees authenticate with AD credentials; ISE enforces posture compliance before granting network access.
  • VPN users: RADIUS via ISE + Cisco Duo MFA — credentials validated against AD, Duo push notification required as second factor.
  • Network device CLI access: TACACS+ via ISE — engineers get privilege 15, NOC operators get privilege 5 with show commands only. Every command is logged for audit.
  • Emergency fallback: Local account username emergency privilege 15 secret ... on every device — tested quarterly, password known only to the security team.

13. Troubleshooting Authentication Issues

| Problem | Likely Cause | Diagnostic Steps & Solution |
|---|---|---|
| Login fails immediately | Wrong credentials; or server is reachable but rejected login (REJECT — no fallback) | Verify username/password on server; check if server policy is blocking the user; remember REJECT has no fallback |
| Login hangs then fails | AAA server unreachable — ERROR; IOS is waiting for timeout before trying next method | Check IP reachability to server; verify shared key matches; check firewall rules on ports 1812/1813 or 49; reduce server timeout value |
| Logged in but placed at wrong privilege level | Exec authorization not configured; server not returning privilege attribute | Add aaa authorization exec default group tacacs+ local; verify server policy assigns correct privilege level to the user |
| Local fallback not working | local not listed last in method list; or local account does not exist | Verify method list: group tacacs+ local; confirm local user exists with show run \| section username |
| TACACS+ accounting not recording | Accounting not configured; or server not reachable on accounting requests | Add aaa accounting exec default start-stop group tacacs+; check server logs and show aaa servers |
| Complete lockout — no access | AAA server down, no local fallback, or login block-for in quiet mode | Use console access with local credentials; check show login for quiet mode; wait for lockout timer or use management bypass ACL |

Authentication Diagnostic Commands

  • show aaa servers: Server status, reachability, request/response counts for all AAA servers
  • show tacacs: TACACS+ server IP, port, socket statistics, and connection state
  • show radius statistics: RADIUS packet counts, timeouts, and retransmit statistics
  • show running-config | section aaa: All AAA configuration including method lists, server groups, and accounting
  • show running-config | section line: Line-level authentication method assignments and transport settings
  • debug aaa authentication: Real-time AAA decision flow — shows exactly which method is tried and the result
  • debug radius: RADIUS packet exchange — request/response contents in real time
  • debug tacacs: TACACS+ packet exchange — authentication, authorization, accounting in real time

Debug warning: Always run undebug all immediately after diagnosis. Debug output can consume significant CPU on busy devices. Use terminal monitor to redirect debug output to your SSH session.

14. Common Misconceptions

  • "RADIUS fallback to local happens when the server rejects the login."
    Fallback only occurs on ERROR (server unreachable/timeout), never on REJECT (wrong credentials actively denied by a reachable server). This is the single most tested AAA concept on CCNA.
  • "RADIUS encrypts the full authentication packet."
    RADIUS only encrypts the password field using MD5. The username, attributes (VLAN, privilege level), and accounting data are transmitted in clear text — making TACACS+ the more secure choice for sensitive administrative access.
  • "TACACS+ is an open standard like RADIUS."
    TACACS+ is a Cisco-proprietary protocol. While a TACACS+ daemon (tac_plus) exists as open source, the protocol itself is not an IETF standard. RADIUS is the IETF open standard (RFC 2865).
  • "Local authentication is insecure because credentials are exposed."
    When configured with secret, local passwords are stored as one-way hashes (Type 5 or Type 9) that cannot be reversed — they are not exposed. The scalability limitation is the real concern, not the security of the credential storage.
  • "You only need one AAA method — either RADIUS or TACACS+, not both."
    Many enterprise networks intentionally use both: RADIUS for user network access (802.1X/VPN) and TACACS+ for administrative device access. They solve different problems and are commonly deployed together.

15. Key Points & Exam Tips

  • Local: Credentials stored on device; not scalable; always configure as fallback; use secret not password
  • RADIUS: UDP ports 1812/1813; open standard; encrypts password only; combines auth + authZ; best for user network access, Wi-Fi, VPN
  • TACACS+: TCP port 49; Cisco-proprietary; encrypts entire payload; separates AAA; supports per-command authorization; best for device admin CLI
  • Fallback rule: Next method tried on ERROR only — never on REJECT. REJECT = immediate deny.
  • Method list order: Always append local last to prevent lockout if all servers are down
  • Exec authorization: Required with TACACS+ to assign server-defined privilege levels after authentication
  • Shared secret: Must match exactly on both device and server — mismatch = no authentication
  • Redundancy: Configure multiple servers per group; test failover; always have local emergency account

Related pages: Login Authentication Methods | 802.11 Wi-Fi Standards & WPA3 | SSH Explained | AAA TACACS+/RADIUS Configuration | AAA TACACS+ Configuration | 802.1X Port Authentication | Login Security & Brute-Force Protection | Console & VTY Line Configuration

16. Local and RADIUS/TACACS+ Authentication Quiz

1. A network admin configures aaa authentication login default group radius local on a router. The RADIUS server is reachable but rejects the admin's login attempt. What happens next?

Correct answer is C. When a reachable AAA server actively rejects a login, IOS treats this as a final denial — no fallback to the next method occurs. Fallback only happens when the server returns ERROR (unreachable / no response). This is one of the most tested AAA behaviors on the CCNA exam.

2. Which combination of ports does RADIUS use for authentication and accounting respectively?

Correct answer is D. RADIUS uses UDP port 1812 for authentication/authorization and UDP port 1813 for accounting. Older implementations may use ports 1645/1646 — know both pairs for the exam. TACACS+ uses TCP port 49.

3. A security audit finds that router configurations show passwords in a partially obscured format after running service password-encryption. The auditor flags these as insecure. Why?

Correct answer is B. service password-encryption applies Cisco's Type 7 encoding — a reversible cipher that only prevents casual shoulder-surfing. Any attacker with access to the config can decode Type 7 passwords instantly. The solution is to use the secret keyword, which stores a one-way hash (Type 5 or Type 9) that cannot be reversed.

4. An enterprise requires that NOC operators can run show commands on routers but are blocked from making any configuration changes. Which solution achieves this most effectively across 100 devices?

Correct answer is A. TACACS+ is the only protocol that supports per-command authorization — allowing the server to permit or deny individual IOS commands per user or group. This is managed centrally on the TACACS+ server (e.g., Cisco ISE) and applies to all 100 devices automatically. RADIUS does not support command-level authorization. Local auth does not scale to 100 devices.

5. What is the key technical difference in how RADIUS and TACACS+ handle the AAA functions?

Correct answer is C. RADIUS sends authentication and authorization together in a single Access-Accept packet. TACACS+ handles authentication, authorization, and accounting as fully independent exchanges — each can use a different policy or even a different server. This separation is what enables TACACS+'s granular per-command authorization capability.

6. A router is configured with two RADIUS servers in a group. The primary server is unreachable. An admin attempts to log in. What is the correct sequence of events?

Correct answer is B. When a RADIUS server group contains multiple servers, IOS tries them in order. If the primary returns ERROR (unreachable / timeout), IOS automatically tries the next server in the group. Only if all servers in the group return ERROR does IOS move to the next method in the method list (e.g., local).

7. Which of the following correctly describes why TACACS+ is preferred over RADIUS for network device administration security?

Correct answer is D. TACACS+ encrypts the entire packet payload (not just the password like RADIUS), protecting usernames and authorization data from interception. It also uniquely supports per-command authorization — restricting which specific CLI commands each administrator can run. These two features make it the preferred choice for device administration. Note: TACACS+ uses TCP (not UDP) and is Cisco-proprietary (not an IETF standard).

8. After enabling TACACS+ authentication, a network engineer successfully logs in but finds they are placed at privilege level 1 instead of their expected level 15. What is the most likely cause?

Correct answer is A. Authentication alone verifies identity, but it does not assign the privilege level from the TACACS+ server. For the server-assigned privilege level to take effect, exec authorization must be explicitly configured: aaa authorization exec default group tacacs+ local. Without this command, IOS ignores the privilege-level attribute returned by the server and defaults to privilege level 1.

9. A company deploys 802.1X on their wired network and WPA3-Enterprise on Wi-Fi. Both require centralized user authentication. Which protocol and server should they use?

Correct answer is C. Both 802.1X (wired) and WPA2/WPA3-Enterprise (wireless) use RADIUS as their authentication backend — it is the standardized protocol for these use cases. Switches and APs act as RADIUS clients forwarding credentials to the RADIUS server. TACACS+ is not used for 802.1X or WPA-Enterprise — it is designed for device administration, not user network access.

10. Which configuration correctly defines a named AAA method list that tries TACACS+ first, then RADIUS, then local — and applies it only to VTY lines 0 through 2?

Correct answer is B. A named method list (not "default") must be explicitly applied to specific lines using login authentication <name>. The default list auto-applies everywhere. The method order must be group tacacs+ group radius local — left to right priority. Option A uses "default" (applies to all lines, not just 0–2). Option C places local first (wrong priority). Option D uses legacy syntax and does not define proper AAA method lists.
