AAA – Authentication, Authorisation & Accounting Overview
1. What Is AAA?
AAA stands for Authentication, Authorisation, and Accounting — three distinct security services that together form the foundation of controlled network access. Rather than relying on simple shared passwords or static line configurations, AAA provides a structured, scalable, and auditable framework for deciding who can connect, what they are allowed to do, and what they actually did.
AAA is applied in two broad contexts on Cisco networks: device access AAA (controlling who can log in to routers, switches, and firewalls via the console, VTY lines, or auxiliary port) and network access AAA (controlling which end devices can use the network, as in 802.1X port authentication).
| Pillar | Question Answered | Example |
|---|---|---|
| Authentication | Who are you? — Verify the identity of the user or device | Engineer logs in with username "jsmith" and a password; RADIUS server verifies the credentials against Active Directory |
| Authorisation | What are you allowed to do? — Determine what actions or resources the authenticated identity may access | After login, "jsmith" is permitted only show commands (read-only); "netadmin" is permitted all commands including configuration mode |
| Accounting | What did you do? — Record what the authenticated user did and when, for auditing and compliance | RADIUS/TACACS+ server logs that "jsmith" logged in at 09:14, ran show running-config, and logged out at 09:22 |
Related pages: AAA – Local vs RADIUS | AAA Authentication Methods | AAA Configuration | 802.1X Port-Based NAC | SSH Configuration | Port Security | Wi-Fi Security | AAA RADIUS Configuration Lab | AAA TACACS+ Configuration Lab
2. The Three Pillars in Detail
2.1 Authentication
Authentication verifies identity. On a Cisco device, authentication is triggered when a user attempts to access the device — connecting via SSH, Telnet, the console port, or the auxiliary port. The device challenges the user for credentials and validates them either locally (checking its own running configuration) or by forwarding the credentials to an external server (RADIUS or TACACS+).
| Authentication Factor Type | What It Is | Example |
|---|---|---|
| Something you know | A secret the user memorises | Password, PIN, passphrase |
| Something you have | A physical or digital token | Smart card, hardware token (RSA SecurID), digital certificate |
| Something you are | A biometric characteristic | Fingerprint, retina scan, facial recognition |
2.2 Authorisation
Authorisation answers the question of privilege level. After a user is authenticated, the AAA system determines what that user is permitted to do. On a Cisco router or switch, this typically means assigning a privilege level (0–15) or controlling which specific commands can be executed. Authorisation is often done per-command — meaning every command entered can be checked against the TACACS+ server before being executed, providing very granular control.
Cisco Privilege Levels:
Level 0 — Minimal access: logout, enable, disable, help, exit
Level 1 — User EXEC: basic show commands (default login level)
Level 15 — Privileged EXEC: full access including configuration mode
Levels 2–14 are customisable — administrators can assign specific
commands to any level. For example:
privilege exec level 5 show running-config
privilege exec level 5 show ip route
With TACACS+ per-command authorisation:
Every command typed → sent to TACACS+ server → Permit or Deny returned
This provides a complete audit trail at the command level.
2.3 Accounting
Accounting records information about network access sessions for auditing, billing, and compliance. The AAA client (router or switch) sends accounting records to the AAA server at specific trigger points: when a session starts, when it ends, and at periodic intervals during the session.
| Accounting Record Type | When Sent | Typical Content |
|---|---|---|
| Start | When an authenticated session begins | Username, NAS IP, session ID, start timestamp, access type (SSH, console) |
| Stop | When the session ends (logout, timeout, or disconnect) | Username, session duration, bytes in/out, stop timestamp, termination reason |
| Interim-Update | Periodically during long sessions | Running session statistics — bytes transferred, elapsed time |
| Command (TACACS+ only) | After each command is executed | Username, command entered, timestamp, permit/deny result |
3. Local AAA vs Server-Based AAA
Cisco devices can perform AAA using a local database (credentials stored directly on the device) or by forwarding authentication requests to an external AAA server (RADIUS or TACACS+). Both approaches have their place.
| Factor | Local AAA | Server-Based AAA |
|---|---|---|
| Where credentials are stored | In the device's running/startup config (username <name> secret <pass>) | On a centralised RADIUS or TACACS+ server (ISE, NPS, ACS, FreeRADIUS) |
| Scalability | Poor — each device must be updated individually when passwords change or users are added/removed | Excellent — change once on the server; all devices pick it up immediately |
| Centralised auditing | None — no central log of who logged in to what device | Full centralised accounting — all access events logged to the AAA server |
| Complexity | Simple — no external infrastructure required | Higher — requires RADIUS/TACACS+ server deployment and maintenance |
| Availability | Always available — does not depend on network reachability | Depends on server reachability — local fallback essential for resilience |
| Per-command authorisation | Not available — privilege levels only | Available with TACACS+ — every command can be individually permitted or denied |
| Typical use case | Small networks, lab environments, out-of-band fallback for server outage | Enterprise networks with multiple devices; compliance-driven environments |
4. RADIUS vs TACACS+ – Full Comparison
RADIUS and TACACS+ are the two industry-standard protocols used to carry AAA traffic between the Cisco device (NAS — Network Access Server) and the AAA server. They are fundamentally different in design and serve different primary use cases.
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Developed by | Livingston Enterprises; IETF standard (RFC 2865, 2866) | Cisco proprietary (evolved from TACACS — RFC 1492) |
| Transport protocol | UDP — port 1812 (authentication), port 1813 (accounting) | TCP — port 49 (all AAA traffic) |
| Encryption | Encrypts the password field only — username and other attributes sent in clear text | Encrypts the entire packet body — full payload encryption |
| AAA separation | Combines authentication and authorisation in a single response (Access-Accept) — they cannot be separated | Separates authentication, authorisation, and accounting into independent transactions — maximum flexibility |
| Per-command authorisation | Not supported | Supported — each command can be checked individually before execution |
| Multiprotocol support | Limited — primarily IPv4; some extensions for IPv6 | Supports multiple protocols: IP, IPX, AppleTalk (legacy) |
| Primary use case | Network access authentication — 802.1X, VPN, wireless clients, dial-up (historically) | Device administration — controlling who can log in to routers and switches and what commands they can run |
| Vendor support | Universal — supported by all vendors and operating systems | Primarily Cisco environments — limited non-Cisco support |
| Reliability | UDP — no connection confirmation; packet loss = silent failure | TCP — connection-oriented; delivery confirmed; cleaner failure detection |
| Cisco recommended for | Network access (802.1X, VPN users, wireless) | Device administration (SSH/console/VTY login to IOS devices) |
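To make the encryption row above concrete, here is an added example in Python (not code from the page or from Cisco) that builds a RADIUS Access-Request using the RFC 2865 User-Password hiding and applies the RFC 8907 TACACS+ body obfuscation to a constructed body; the shared secret, request authenticator and session id are constructed values.

```python
"""Added example: what RADIUS and TACACS+ each hide on the wire.

RADIUS hides only the User-Password attribute (MD5(secret || authenticator)
used as a keystream); User-Name and all other attributes are clear text.
TACACS+ XORs the whole packet body with an MD5 pseudo-pad derived from the
session id, shared key, version and sequence number.
"""
import hashlib
import os
import struct
from typing import Optional

SHARED_SECRET = b"T@cacs$ecretKey"   # constructed value, not a real key


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: 16-byte blocks, each XORed with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          identifier: int = 1,
                          authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request (Code 1): header + User-Name (type 1) + User-Password (type 2)."""
    authenticator = authenticator or os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username          # clear text
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden              # hidden only
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 body obfuscation: body XOR chained-MD5 pseudo-pad.
    The operation is its own inverse, so applying it twice decodes."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


if __name__ == "__main__":
    pkt = radius_access_request(b"jsmith", b"Str0ngP@ss!", SHARED_SECRET)
    print("RADIUS: username visible:", b"jsmith" in pkt,
          "| password visible:", b"Str0ngP@ss!" in pkt)
    body = tacacs_obfuscate(b"\x01\x00\x02\x01jsmith", SHARED_SECRET, 0x1234)
    print("TACACS+: username visible:", b"jsmith" in body)
```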
4.1 The Key Distinction — One Sentence
RADIUS: Best for NETWORK ACCESS authentication (who can use the network)
→ 802.1X, VPN, wireless clients, dial-up
TACACS+: Best for DEVICE ADMINISTRATION authentication (who can manage devices)
→ SSH login to routers/switches, per-command authorisation, full audit trail
Memory aid:
TACACS+ = TCP + Total encryption + Tight command control = Device Admin
RADIUS = UDP + User network access = Network Access
4.2 Can You Use Both at the Same Time?
Yes — and this is common in enterprise deployments. A typical design uses TACACS+ for all device management (SSH/console access to routers, switches, and firewalls) while simultaneously using RADIUS for network access control (802.1X wired/wireless authentication, VPN). Each AAA server group is defined separately and applied to the appropriate AAA method list.
5. Where AAA Is Applied
On a Cisco IOS device, AAA can be applied to three distinct access contexts. Each context has its own method list that specifies which authentication source to use and in what order.
| Context | Description | Method List Applied To | Common Config |
|---|---|---|---|
| VTY Lines | Remote management access via SSH or Telnet | line vty 0 4 using login authentication <list-name> | TACACS+ primary, local fallback |
| Console Line | Physical console port access — direct serial connection | line console 0 using login authentication <list-name> | Local only (console should always work even if network is down) |
| Auxiliary Line | Modem or out-of-band access via the AUX port | line aux 0 using login authentication <list-name> | Local or TACACS+ |
| Enable / Privileged EXEC | Entering privileged EXEC mode (enable command) | aaa authentication enable default | TACACS+ or enable secret fallback |
| Network Access (802.1X) | Port-based authentication for wired and wireless end devices | Applied globally via aaa authentication dot1x default | RADIUS only (TACACS+ does not support 802.1X) |
| VPN / Remote Access | IPsec VPN, SSL VPN, or PPP dial-in authentication | Applied via aaa authentication ppp or tunnel group config | RADIUS (with TACACS+ sometimes used for admin access to VPN headend) |
5.1 Method Lists Explained
A method list is an ordered list of authentication sources that the device tries in sequence. If the first method is unavailable (server unreachable), the device moves to the next. If a method returns an explicit reject (wrong password), the authentication fails immediately — the next method is not tried.
Method list logic:
aaa authentication login VTY-AUTH group TACACS-SVR local
Step 1: Try TACACS+ server
→ Server responds with PASS → Authentication succeeds ✓
→ Server responds with FAIL → Authentication fails immediately ✗
(local is NOT tried — FAIL is a definitive rejection, not an error)
→ Server UNREACHABLE (timeout/no response) → try next method
Step 2: Try local database (fallback — only if TACACS+ is unreachable)
→ Local PASS → Authentication succeeds ✓
→ Local FAIL → Authentication fails ✗
KEY POINT: Fallback only triggers on server UNAVAILABILITY, not on
wrong credentials. If TACACS+ says "wrong password", local is not tried.
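As an added example that is not part of the original page, the following Python models the method-list walk described above (PASS stops with success, FAIL stops without fallback, ERROR moves on to the next method) and also covers the if-authenticated and none methods that appear in this page's configuration; the server outcomes are constructed, no device or server is involved.

```python
"""Added example: how Cisco IOS walks an AAA method list.

Each method can answer:
  PASS  - credentials accepted            -> stop, access granted
  FAIL  - credentials explicitly rejected -> stop, later methods NOT tried
  ERROR - method unavailable (timeout)    -> try the next method
"""
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def evaluate_method_list(methods: List[str], responses: Dict[str, str],
                         already_authenticated: bool = False) -> Tuple[bool, str]:
    """Return (granted, reason) for a list such as ["group TACACS-GROUP", "local"].

    `responses` maps a method to PASS/FAIL/ERROR (constructed outcomes); a
    method missing from it is treated as unreachable. Two methods carry no
    credential store and are decided locally:
      - "if-authenticated": succeeds if the user already passed authentication
        (the exec-authorisation fallback used in the configuration section)
      - "none": always succeeds (no check at all)
    """
    for method in methods:
        if method == "none":
            return True, "none: no check performed"
        if method == "if-authenticated":
            if already_authenticated:
                return True, "if-authenticated: user already authenticated"
            return False, "if-authenticated: user not authenticated"
        outcome = responses.get(method, ERROR)
        if outcome == PASS:
            return True, f"{method}: PASS"
        if outcome == FAIL:
            # Definitive rejection: fallback methods are NOT consulted.
            return False, f"{method}: FAIL (remaining methods skipped)"
        # ERROR: server unreachable, fall through to the next method
    return False, "all methods returned ERROR (no method could decide)"


VTY_AUTH = ["group TACACS-GROUP", "local"]   # the page's login list


def scenario(tacacs: str, local: str) -> Tuple[bool, str]:
    """Evaluate VTY_AUTH given the TACACS+ and local outcomes."""
    return evaluate_method_list(VTY_AUTH, {"group TACACS-GROUP": tacacs, "local": local})


if __name__ == "__main__":
    print(scenario(PASS, PASS))    # TACACS+ answers PASS: granted
    print(scenario(FAIL, PASS))    # wrong password at TACACS+: local NOT tried
    print(scenario(ERROR, PASS))   # server down: local fallback grants access
    print(scenario(ERROR, FAIL))   # server down and local rejects: denied
```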
6. Cisco IOS AAA Configuration
The following is a complete, commented Cisco IOS configuration covering all three AAA pillars for both device administration (TACACS+) and network access (RADIUS), with local fallback.
! ══════════════════════════════════════════════════════════════════
! Step 1: Enable AAA — this single command activates the AAA model
! ══════════════════════════════════════════════════════════════════
aaa new-model
! WARNING: Once 'aaa new-model' is entered, all line authentication
! switches to AAA immediately. Ensure local users exist first!
! ══════════════════════════════════════════════════════════════════
! Step 2: Create local users (fallback if server is unreachable)
! ══════════════════════════════════════════════════════════════════
username admin privilege 15 secret Str0ngP@ss!
username readonly privilege 1 secret R3adOnly!
! ══════════════════════════════════════════════════════════════════
! Step 3: Define TACACS+ server (for device administration)
! ══════════════════════════════════════════════════════════════════
tacacs server TACACS-SVR
 address ipv4 10.0.0.200
 key T@cacs$ecretKey
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-SVR
! ══════════════════════════════════════════════════════════════════
! Step 4: Define RADIUS server (for network access / 802.1X)
! ══════════════════════════════════════════════════════════════════
radius server RADIUS-SVR
 address ipv4 10.0.0.100 auth-port 1812 acct-port 1813
 key R@dius$ecretKey
aaa group server radius RADIUS-GROUP
 server name RADIUS-SVR
! ══════════════════════════════════════════════════════════════════
! Step 5: Define AAA method lists
! ══════════════════════════════════════════════════════════════════
! Login authentication — TACACS+ first, local fallback
aaa authentication login VTY-AUTH group TACACS-GROUP local
! Console: local only
aaa authentication login CON-AUTH local
! Enable authentication — TACACS+ first, enable secret fallback
aaa authentication enable default group TACACS-GROUP enable
! EXEC authorisation — TACACS+ controls privilege level on login
aaa authorization exec VTY-AUTH group TACACS-GROUP local
aaa authorization exec default group TACACS-GROUP if-authenticated
! Per-command authorisation — every command checked by TACACS+
aaa authorization commands 1 default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
! Network access authentication — RADIUS for 802.1X
aaa authentication dot1x default group RADIUS-GROUP
! Network authorisation — RADIUS returns VLAN, ACL attributes
aaa authorization network default group RADIUS-GROUP
! Accounting — log all exec sessions and commands to TACACS+
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
! Accounting — log all 802.1X sessions to RADIUS
aaa accounting dot1x default start-stop group RADIUS-GROUP
! ══════════════════════════════════════════════════════════════════
! Step 6: Apply method lists to lines
! ══════════════════════════════════════════════════════════════════
line vty 0 15
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 ! SSH only — no Telnet
 transport input ssh
line console 0
 login authentication CON-AUTH
! ══════════════════════════════════════════════════════════════════
! Step 7: Enable 802.1X globally (uses AAA dot1x method list)
! ══════════════════════════════════════════════════════════════════
dot1x system-auth-control
Entering aaa new-model safely: Entering aaa new-model immediately changes how line authentication works. If you have an active SSH or console session, you will not be immediately disconnected — but the next login attempt will use AAA. Always create local fallback users with username <name> privilege 15 secret <password> before entering aaa new-model, or you risk locking yourself out on the next login.
7. The Default Method List
Every AAA method list has a name. The special name default is applied
automatically to all lines and interfaces that do not have an explicit method
list assigned. Understanding when to use default vs a named list
is important for both exam questions and avoiding accidental access issues.
Named list vs default:
! Named list — only applied to lines/interfaces explicitly configured:
aaa authentication login ADMIN-AUTH group TACACS-GROUP local
line vty 0 15
 login authentication ADMIN-AUTH        ← explicit assignment
! Default list — automatically applies wherever no named list is assigned:
aaa authentication login default group TACACS-GROUP local
! No 'login authentication' on the line → default list is used automatically
Best practice: Always define a 'default' list as a safety net. If you create a named list but forget to apply it to a line, the default list kicks in rather than leaving the line with no authentication.
8. AAA in a Network Diagram
Enterprise AAA Architecture (text rendering of the original diagram):
[Network Engineer] ──SSH──► [Router / Switch] ──TACACS+ (TCP 49)──► [ISE]   Device Admin Auth
                            (Authenticator, also speaks RADIUS (UDP 1812) to ISE)
[End Device / PC] ──EAPoL──► [Access Switch] ──RADIUS (UDP 1812)──► [ISE]   Network Access Auth (802.1X)
ISE = Cisco Identity Services Engine (combined RADIUS + TACACS+ server)
What ISE stores / validates:
• Active Directory user accounts (via AD connector)
• Device certificate store (for EAP-TLS)
• MAC address approved list (for MAB)
• Authorisation policies (VLAN, ACL, privilege level per user/group)
• Accounting database (all access events, commands, session durations)
9. Verification Commands
| Command | What It Shows |
|---|---|
| show aaa servers | All configured AAA servers — reachability, packets sent/received, Access-Accepts, Access-Rejects, round-trip time |
| show aaa method-lists all | All defined AAA method lists for authentication, authorisation, and accounting |
| show aaa sessions | Currently active AAA sessions — user, method, session ID, start time |
| show aaa local user lockout | Local usernames that have been locked out due to too many failed login attempts |
| show tacacs | TACACS+ server configuration and statistics — packets, responses, errors |
| show radius server-group all | All configured RADIUS server groups and their member servers with statistics |
| show running-config \| section aaa | All AAA-related configuration in the running config filtered for quick review |
| debug aaa authentication | Real-time AAA authentication events — method list selection, server queries, pass/fail results |
| debug tacacs | Real-time TACACS+ packet exchanges — connection attempts, authorisation queries, accounting records |
| debug radius authentication | Real-time RADIUS authentication packet exchanges — Access-Request, Challenge, Accept/Reject |
9.1 Sample Output – show aaa servers
Router# show aaa servers
TACACS+ Server : 10.0.0.200/49 is DOWN ← server reachability
Single connection : no
Batch size : 1
Keepalive Interval: 60 sec, retry 3
Requests 15 Timeouts 3 Responses 12
AccessReqs 12 AccessAccepts 10 AccessRejects 2
RADIUS Server : 10.0.0.100/1812,1813 is UP
Batch size : 1
Requests 42 Timeouts 0 Responses 42
AccessReqs 42 AccessAccepts 40 AccessRejects 2
Acct-Reqs 38 Acct-Responses 38
10. Troubleshooting AAA
| Symptom | Likely Cause | Fix |
|---|---|---|
| All users locked out after aaa new-model | No local users defined before enabling AAA; default method list has no fallback | Access via console with break sequence or password recovery; define local users; always create fallback before enabling AAA |
| Authentication fails with correct credentials | TACACS+/RADIUS shared key mismatch between router and server | Verify key on both router (key under server config) and the AAA server's device entry; keys are case-sensitive |
| Server unreachable — fallback to local not working | Method list does not include local as a fallback method | Update method list: aaa authentication login default group TACACS-GROUP local |
| User authenticated but cannot enter privileged EXEC mode | Authorisation not configured — EXEC authorisation method list missing; or TACACS+ not returning the correct privilege level attribute | Add aaa authorization exec default group TACACS-GROUP if-authenticated; verify TACACS+ policy returns priv-lvl=15 for admin users |
| Per-command authorisation blocking valid commands | TACACS+ policy too restrictive; command not in the permitted list on the server | Check TACACS+ server logs for the denied command; add it to the permitted command set for the user's group; use debug tacacs to trace the deny |
| Accounting records not appearing on the server | Accounting method list not defined or not applied; accounting port blocked by a firewall (UDP 1813 for RADIUS, TCP 49 for TACACS+) | Add aaa accounting exec default start-stop group <server-group> and verify the accounting port (UDP 1813 for RADIUS, TCP 49 for TACACS+) is open between the device and the AAA server |
| Console port stops working after AAA is enabled | Console configured with a named list that does not exist, or default list requires a server that is unreachable and no local fallback | Ensure console uses login authentication CON-AUTH with a local-only method list; the console must always be accessible without server reachability |
See also: AAA RADIUS Configuration Lab | AAA TACACS+ Configuration Lab | Console & VTY Line Configuration Lab | Login Security & Brute-Force Protection Lab | SSH Configuration Lab | 802.1X Port-Based NAC | SSH Configuration
11. Key Terms Quick Reference
| Term | Definition |
|---|---|
| AAA | Authentication, Authorisation, and Accounting — the three-pillar security framework controlling who can access the network, what they can do, and logging what they did |
| Authentication | Verification of identity — confirming that a user or device is who they claim to be using credentials (password, certificate, token) |
| Authorisation | Determination of privilege — what an authenticated identity is permitted to access or execute; controlled by privilege levels or per-command TACACS+ policies |
| Accounting | Logging of access events — recording session start/stop, duration, commands executed, and bytes transferred for auditing and compliance |
| aaa new-model | The Cisco IOS global command that activates the AAA security model; all subsequent authentication uses AAA method lists instead of the legacy line password method |
| Method List | An ordered list of authentication sources (TACACS+, RADIUS, local) that the device tries in sequence; default applies to all unassigned lines automatically |
| Local AAA | Authentication using credentials stored in the device's running configuration (username <name> secret <pass>); simple but does not scale |
| RADIUS | Remote Authentication Dial-In User Service; IETF standard (RFC 2865); UDP port 1812/1813; encrypts password only; best for network access (802.1X, VPN) |
| TACACS+ | Terminal Access Controller Access-Control System Plus; Cisco proprietary; TCP port 49; encrypts entire packet; supports per-command authorisation; best for device administration |
| NAS | Network Access Server — the Cisco router or switch that acts as the AAA client, forwarding authentication requests to the RADIUS or TACACS+ server |
| Per-command authorisation | A TACACS+ feature where every command entered on the device is sent to the TACACS+ server for approval before execution — provides granular, auditable command control |
| Privilege Level | Cisco IOS access levels 0–15; level 1 = user EXEC (default login); level 15 = full privileged EXEC; levels 2–14 are customisable; assigned by AAA authorisation |
| Cisco ISE | Identity Services Engine — Cisco's enterprise AAA server platform supporting both RADIUS and TACACS+, with Active Directory integration, posture assessment, and dynamic policy |
| Local Fallback | A local authentication method included at the end of a AAA method list as a safety net; used only if all server-based methods are unreachable (not if they return a rejection) |