## Table of Contents
- Authentication, Authorisation, and Accounting (AAA)
- Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access-Control System Plus (TACACS+)
- RADIUS versus TACACS+
- Configuration
## Authentication, Authorisation, and Accounting (AAA)

| Concept | Question it answers | Example | Key Technologies |
|---|---|---|---|
| Authentication | Who are you? | Logging in with a username and password | RADIUS, TACACS+, local login |
| Authorisation | What can you do? | Allowing access to specific commands or files | ACLs, RBAC |
| Accounting | What did you do? | Logging time, commands used, data accessed | Syslog, AAA logs, SNMP |
When AAA is enabled on a Cisco device, users can be authenticated with one of the following methods:

| Method | Protocol/Server |
|---|---|
| Local | Local username/passwords on the router or switch |
| RADIUS | Centralised AAA server (UDP ports 1812/1813 or 1645/1646) |
| TACACS+ | Cisco-proprietary AAA (TCP port 49) |
## Remote Authentication Dial-In User Service (RADIUS)

Primarily designed for:
- Network access authentication
- End users connecting to the network
Typical Uses:
- Wi-Fi authentication (802.1X)
- VPN remote access
- Wired 802.1X authentication
## Terminal Access Controller Access-Control System Plus (TACACS+)

Designed for:
- Device administration (management plane access)
Typical Uses:
- SSH login to routers/switches
- Privilege-level control
- Command authorisation
## RADIUS versus TACACS+

| Feature | RADIUS | TACACS+ |
|---|---|---|
| Main purpose | Network access | Device administration |
| Who logs in | End users | Network admins |
| Best for | Wi-Fi / VPN | SSH / console access |
| Cisco preference | 802.1X, VPN | CLI management |
| Transport | UDP | TCP |
| Port (Standard) | 1812 (auth), 1813 (acct) | 49 |
| Port (Cisco Use) | 1645 (auth), 1646 (acct) | 49 |
| Encryption | User-Password attribute only; all other attributes are cleartext | Entire packet body |
| EAP Support | Yes - for 802.1X auth | No |
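The "Encryption" row is the one most often misread, so here is an added example (not from the original page) that implements the RFC 2865 User-Password hiding used by RADIUS and the RFC 8907 body obfuscation used by TACACS+ on constructed sample data. The shared secrets, Request Authenticator and session id are made-up values; the result shows that the RADIUS username stays visible on the wire while the whole TACACS+ body is hidden.

```python
import hashlib
import struct


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + prev); prev is the Request Authenticator, then c_(i-1)."""
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of the above; the chain is keyed on the received hidden blocks. Trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(secret: bytes, authenticator: bytes, user: bytes, password: bytes) -> bytes:
    """Minimal Access-Request (code 1, id 0) carrying User-Name(1) and User-Password(2).
    Only User-Password is hidden; every other attribute travels as cleartext over UDP."""
    hidden = radius_hide_password(secret, authenticator, password)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """RFC 8907 4.5: body XOR pseudo-pad, pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_(n-1)). Because it is XOR, it is its own inverse."""
    hdr = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < len(body):
        last = hashlib.md5(hdr + last).digest()
        pad += last
    return bytes(x ^ y for x, y in zip(body, pad))


def compare_leakage(user: bytes = b"admin", password: bytes = b"Cisco123") -> dict:
    """Report which protocol exposes the username or password bytes on the wire."""
    authenticator = bytes(range(16))  # constructed; a real client sends 16 random bytes
    rad = radius_access_request(b"radiuskey", authenticator, user, password)
    # TACACS+ authentication START body: action=LOGIN(1), priv_lvl=15, authen_type=ASCII(1),
    # service=LOGIN(1), user_len, port_len, rem_addr_len, data_len, then the username
    body = bytes([1, 15, 1, 1, len(user), 0, 0, 0]) + user
    tac = tacacs_obfuscate(b"tacacskey", 0x12345678, 0xC0, 1, body)  # constructed session id
    return {"radius_user_visible": user in rad, "radius_password_visible": password in rad,
            "tacacs_user_visible": user in tac}
```

Both schemes are MD5-based obfuscation keyed on the shared secret, not modern encryption; RFC 8907 itself states the TACACS+ obfuscation is not considered secure and expects the traffic to be confined to a protected management network or IPsec.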
## Configuration

### Enable AAA

```
conf t
aaa new-model
```

### Local AAA (Basic Setup)

Used for:
- Small labs
- Emergency fallback
- Console + VTY login

Create local user

```
username admin privilege 15 secret Cisco123
```

Apply AAA authentication to login

```
aaa authentication login default local
```

Apply to VTY lines

```
line vty 0 4
 login authentication default
 transport input ssh
```
### RADIUS Configuration (Network Access)

Used for:
- 802.1X (Wi-Fi + wired)
- VPN authentication
- End-user access

Define RADIUS server

```
radius server ISE
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key radiuskey
```

Create RADIUS server group

```
aaa group server radius ISE-GROUP
 server name ISE
```

Configure AAA Authentication

```
aaa authentication login default group ISE-GROUP local
```
Meaning: try the ISE-GROUP RADIUS servers first; only if that method returns an error (no server responds) does IOS fall through to the local database. A rejected login (wrong credentials) is a final answer and does not fall back to `local`.
Enable Accounting (Recommended)

```
aaa accounting exec default start-stop group ISE-GROUP
```
### TACACS+ Configuration (Device Admin Access)

Used for:
- SSH / CLI access
- Command authorisation

Define TACACS+ server

```
tacacs server ISE_TACACS
 address ipv4 10.10.10.10
 key tacacskey
```

Create TACACS+ server group

```
aaa group server tacacs+ TAC-GROUP
 server name ISE_TACACS
```

Configure Authentication

```
aaa authentication login default group TAC-GROUP local
```

Configure Authorisation (IMPORTANT)

```
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
```

This enables:
- Privilege-level control
- Per-command authorisation (key TACACS+ feature)

Enable Accounting

```
aaa accounting commands 15 default start-stop group TAC-GROUP
aaa accounting exec default start-stop group TAC-GROUP
```

### Apply AAA to Lines

```
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

### Full Best-Practice Enterprise Template

Example

```
aaa new-model
tacacs server ISE_TACACS
 address ipv4 10.10.10.10
 key tacacskey
aaa group server tacacs+ TAC-GROUP
 server name ISE_TACACS
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
username backup privilege 15 secret Backup123
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

### Verification

```
show aaa servers
show run | section aaa
show tacacs
show radius
debug tacacs
debug radius
```