## Mental model
Managing 50 switches without AAA: every switch has its own local user database. Hire someone? Update 50 devices. Fire someone? Update 50 devices. Audit who did what? Hope each device’s local log survived.
With AAA: every switch points to a central RADIUS or TACACS+ server. One place to add/remove users, one place to set permissions, one place to see who logged in where. Add the 51st switch? It just points at the same server.
Three letters, three jobs:

| Term | What it answers |
|---|---|
| Authentication | Who are you? (proves identity — username + password, certificate, token) |
| Authorization | What are you allowed to do? (commands, services, privilege level) |
| Accounting | What did you do? (logs of commands, sessions, byte counts) |
You can use all three or just authentication. Most networks start with auth only, add authorization later.
## RADIUS vs TACACS+

| | RADIUS | TACACS+ |
|---|---|---|
| Origin | Open standard (IETF) | Cisco proprietary (mostly) |
| Transport | UDP 1812 (auth) + 1813 (accounting) | TCP 49 |
| Encryption | Only password is encrypted | Entire packet body encrypted |
| AAA separation | Auth + authz combined in one exchange | Auth, authz, accounting are separate exchanges |
| Typical use | 802.1X, Wi-Fi, VPN clients | Device admin (router/switch login) |
| Per-command authorization | Limited | Full support — TACACS+ can authorize every command typed |
Rule of thumb:
- RADIUS for client/user-side auth (Wi-Fi, 802.1X port auth, VPN client login)
- TACACS+ for admin login to network devices (because of per-command authorization and full encryption)
Many large networks run both — TACACS+ for engineer logins, RADIUS for end-user Wi-Fi.
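To make the "only password is encrypted" row concrete, here is an added example (not part of the original notes) that frames an RFC 2865 Access-Request: the User-Password attribute is hidden with the MD5(secret + authenticator) stream, while User-Name and every other attribute travel in the clear. The shared secret, username, password and Request Authenticator are constructed sample values.

```python
import hashlib
import struct

# Added example, not from the original notes: RFC 2865 Access-Request framing, to show the
# table's point that RADIUS hides only the User-Password attribute. The User-Name and every
# other attribute travel in the clear; the shared secret and credentials are constructed values.

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator          # the Request Authenticator seeds the first block
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                        # chaining uses the *hidden* block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same MD5 stream; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Code 1 = Access-Request. Attributes are TLVs: type, length (including the 2-byte header), value."""
    attrs = struct.pack("BB", 1, 2 + len(username)) + username   # type 1 User-Name: plaintext
    hidden = hide_password(password, secret, authenticator)
    attrs += struct.pack("BB", 2, 2 + len(hidden)) + hidden      # type 2 User-Password: hidden
    identifier = 0                                               # request/response matching id
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """What a passive observer on the path can read: walk the TLVs after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```

A mismatched shared secret (the "pre-shared key mismatch" mistake below) shows up here as a decoded password that is simply wrong, which is why the failure is silent on the wire.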
## Commands — typical TACACS+ for admin login

```
! Enable AAA
R1(config)# aaa new-model
! Define the TACACS+ server
R1(config)# tacacs server CORP-TAC
R1(config-server-tacacs)# address ipv4 10.0.99.5
R1(config-server-tacacs)# key supersecret123
! Build a server group (lets you reference multiple servers)
R1(config)# aaa group server tacacs+ TACGROUP
R1(config-sg-tacacs+)# server name CORP-TAC
! Method list: try TACACS+ first, fall back to local if server unreachable
R1(config)# aaa authentication login default group TACGROUP local
R1(config)# aaa authorization exec default group TACGROUP local
R1(config)# aaa accounting commands 15 default start-stop group TACGROUP
! Make sure a local user exists for fallback
R1(config)# username admin privilege 15 secret rescuepass
```

Critical detail: the `local` keyword at the end of `aaa authentication login default group TACGROUP local` is what saves you when the TACACS+ server is down. Without it, no one can log in.
## Commands — typical RADIUS for 802.1X port auth

```
R1(config)# aaa new-model
R1(config)# radius server CORP-RAD
R1(config-radius-server)# address ipv4 10.0.99.6 auth-port 1812 acct-port 1813
R1(config-radius-server)# key supersecret456
R1(config)# aaa group server radius RADGROUP
R1(config-sg-radius)# server name CORP-RAD
R1(config)# aaa authentication dot1x default group RADGROUP
R1(config)# aaa authorization network default group RADGROUP
R1(config)# dot1x system-auth-control
! On an access port that should enforce 802.1X
R1(config)# interface GigabitEthernet0/5
R1(config-if)# switchport mode access
R1(config-if)# authentication port-control auto
R1(config-if)# dot1x pae authenticator
```
## Method lists — the magic of “try this, then that”

A method list says: “try authentication via X. If X says no, deny. If X is unreachable, try Y. If Y is unreachable, try Z.”

```
aaa authentication login default group TACGROUP local enable
```

Read aloud: “For login, first ask TACGROUP. If TACGROUP can be reached and says no, deny. If TACGROUP is unreachable, try the local user database. If that’s empty, try the enable password.”

Critical safety net: always include `local` or `enable` at the end so you can recover if the server is unreachable.
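The “say no versus unreachable” distinction is the whole trick, so here is an added simulator (not from the original notes) that encodes exactly the rules stated above for the method list `group TACGROUP local enable`: a reachable method that rejects ends the lookup, an unreachable server or an empty local database falls through, and an exhausted list denies. Server name, usernames, passwords and the enable password are constructed sample data.

```python
from enum import Enum
# Added example, not from the original notes: a simulator for the method-list rules the text
# states. A reachable "no" is final; an unreachable server or an empty local database is an
# ERROR that falls through; if every method errors, the login is denied. All data is constructed.

class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"   # method could not answer: try the next one

def tacacs_group(reachable: bool, users: dict):
    """Models `group TACGROUP`: unreachable -> ERROR, otherwise the server's yes/no is final."""
    def method(user, pw):
        if not reachable:
            return Verdict.ERROR
        return Verdict.PASS if users.get(user) == pw else Verdict.FAIL
    return method

def local_db(users: dict):
    """Models `local`: with no usernames configured it cannot decide and falls through."""
    def method(user, pw):
        if not users:
            return Verdict.ERROR
        return Verdict.PASS if users.get(user) == pw else Verdict.FAIL
    return method

def enable_pw(secret: str):
    """Models `enable`: one shared password, username ignored (why the notes prefer `local`)."""
    def method(user, pw):
        return Verdict.PASS if pw == secret else Verdict.FAIL
    return method

def evaluate(method_list, user, pw):
    """Walk the ordered list; return (decision, method that decided)."""
    for name, method in method_list:
        verdict = method(user, pw)
        if verdict is Verdict.PASS:
            return "accept", name
        if verdict is Verdict.FAIL:
            return "deny", name          # a reachable "no" is final; later methods are NOT tried
    return "deny", "list exhausted"      # every method errored: nobody can log in

TAC_USERS = {"jdoe": "tacpw"}            # constructed: what the TACACS+ server knows
LOCAL_USERS = {"admin": "rescuepass"}    # constructed: the router's rescue account

def login_default(server_reachable: bool, local_users: dict, user: str, pw: str):
    """`aaa authentication login default group TACGROUP local enable`, as on the page."""
    method_list = [("TACGROUP", tacacs_group(server_reachable, TAC_USERS)),
                   ("local", local_db(local_users)), ("enable", enable_pw("enablepw"))]
    return evaluate(method_list, user, pw)
```

Note the second case in particular: while the server is reachable, the rescue account is not a back door, because TACACS+ saying no stops the lookup before `local` is ever consulted.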
## Verification

```
R1# show aaa servers
R1# show tacacs
R1# show radius statistics
R1# debug aaa authentication ! temporary — don't leave on
```
## Common mistakes

- **Forgetting the local fallback.** `aaa authentication login default group TACGROUP` (without `local`) → if the server is unreachable, you can’t log in. Always add `local`.
- **No local user account.** You added `local` to the method list, but no local users exist. Same problem. Always create at least one local admin user with `username ... privilege 15 secret ...`.
- **Confusing RADIUS and TACACS+ ports.** RADIUS: UDP 1812 auth, 1813 accounting (sometimes legacy 1645/1646). TACACS+: TCP 49. Get them mixed up and the server seems unreachable.
- **Pre-shared key mismatch.** The `key supersecret123` on the device must exactly match the corresponding entry on the AAA server. One typo and authentication silently fails.
- **Skipping accounting.** Authentication tells you someone logged in. Accounting tells you what they did. For compliance / forensics, accounting is often required.
- **TACACS+ over a slow / lossy link.** TCP means retransmits — if your management link is congested, login attempts hang. Have a fallback method (RADIUS over UDP, or local).
- **Using `enable` as the only fallback.** The `enable` password is shared by everyone who knows it. Use `local` instead — at least each rescue user has their own credential.
## Lab to try tonight

- Install FreeRADIUS or a TACACS+ server (`tacacs+` package on Ubuntu). Configure one test user.
- On a Cisco router, enable AAA, point at the server, configure a method list with local fallback.
- Add a local admin user as a safety net.
- Log out, log back in via SSH. Watch the AAA server log the request and the device accept.
- Make the server unreachable (firewall block / power off). Log in again — should fall back to the local user.
- Bonus: configure TACACS+ command authorization. Watch each command get authorized in real time.
## Cheat strip

| Concept | Plain English |
|---|---|
| AAA | Authentication, Authorization, Accounting |
| RADIUS | Open standard. UDP 1812/1813. Encrypts only the password. |
| TACACS+ | Cisco-leaning. TCP 49. Encrypts the entire packet body. |
| Method list | Ordered list of auth sources to try |
| `local` in the list | Critical safety net — fall back to local users |
| `aaa new-model` | Must come first. Enables AAA. |
| Per-command authz | TACACS+ feature — authorize every CLI command |
| `enable` as fallback | Shared password. Use `local` instead. |