How to Configure AAA (Authentication, Authorization, and Accounting) in Cisco

What is AAA?

AAA stands for Authentication, Authorization, and Accounting. It's a security framework that controls access to network devices and tracks user activities. AAA provides centralized control over who can access your network devices, what they can do, and logs all their actions for audit purposes.

  • Authentication: Verifies user identity (who you are)
  • Authorization: Determines user privileges (what you can do)
  • Accounting: Tracks and logs user activities (what you did)

In this article we will learn how to configure AAA on Cisco devices using Local, TACACS+, and RADIUS authentication, with step-by-step examples, best practices, and troubleshooting tips.

AAA Methods

Cisco supports multiple AAA methods:

  • Local: Uses local device database (username/password configured on device)
  • RADIUS: Remote Authentication Dial-In User Service (centralized server)
  • TACACS+: Terminal Access Controller Access-Control System Plus (Cisco proprietary)
  • None: No authentication required

Basic AAA Configuration with Local Authentication

This is the simplest AAA setup using the device's local database. It's suitable for small networks or as a fallback method.

Step 1: Enable AAA

Router(config)# aaa new-model
  

This command activates the AAA access control model. From this point on, the per-line password set with the line login command is no longer used and every login is checked against the AAA method lists, so complete Step 2 before closing your current session to avoid locking yourself out.

Step 2: Create Local Users

Router(config)# username admin privilege 15 secret Cisco@123
Router(config)# username operator privilege 7 secret Oper@123
  

Privilege levels range from 0 to 15, where 15 is the highest (full access).

Step 3: Configure Authentication for Login

Router(config)# aaa authentication login default local
  

Step 4: Configure Authentication for Enable Mode

Router(config)# aaa authentication enable default local
  

This is optional and uses the local enable password if configured.

Step 5: Apply to VTY Lines

Router(config)# line vty 0 15
Router(config-line)# login authentication default
Router(config-line)# exit
  

Step 6: Apply to Console

Router(config)# line console 0
Router(config-line)# login authentication default
Router(config-line)# exit
  

AAA Configuration with TACACS+ Server

TACACS+ provides centralized authentication and is Cisco's recommended protocol for device administration. It encrypts the entire packet body (everything after the header), whereas RADIUS protects only the password field, and it keeps authentication and authorization as separate exchanges, which is what allows per-command authorization.

Step 1: Enable AAA

Router(config)# aaa new-model
  

Step 2: Define TACACS+ Server

Router(config)# tacacs server TACACS1
Router(config-server)# address ipv4 192.168.1.100
Router(config-server)# key SecretKey123
  

Replace 192.168.1.100 with the address of your TACACS+ server. The shared key must match the one configured on the server; choose a long random string, because anyone who obtains the key can decrypt the TACACS+ traffic between the device and the server.

Step 3: Configure Authentication with Fallback

Router(config)# aaa authentication login default group tacacs+ local
  

This tries TACACS+ first and falls back to local authentication only when no TACACS+ server responds (unreachable or timed out). If a server responds with a rejection, the login fails and the local database is not consulted, so the local emergency account from Step 6 is usable only while the servers are down.
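To make that fallback rule concrete, here is a small Python model of how IOS evaluates a method list. It is an added illustration, not IOS code and not part of the article: the credential stores and the "server reachable" flag are constructed for the example, while the dispatch rule it implements (move to the next method only when the current one returns an error, never when it returns a rejection) is the documented IOS behaviour.

```python
import enum
from typing import Callable, Dict, List, Tuple


class Result(enum.Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method answered and rejected them
    ERROR = "error"  # the method could not answer (server unreachable, timed out)


Method = Callable[[str, str], Result]

# Constructed credential stores: the TACACS+ server only knows 'alice';
# the router's local database only holds the emergency 'admin' account.
TACACS_USERS: Dict[str, str] = {"alice": "Tacacs@Pw1"}
LOCAL_USERS: Dict[str, str] = {"admin": "EmergencyPass@123"}


def group_tacacs(reachable: bool) -> Method:
    """Build a 'group tacacs+' method whose server is either answering or down."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR          # no reply: IOS moves on to the next method
        if TACACS_USERS.get(user) == password:
            return Result.PASS
        return Result.FAIL               # explicit reject: IOS stops here
    return method


def local(user: str, password: str) -> Result:
    """The 'local' method: check the username database on the device itself."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def evaluate(method_list: List[Method], user: str, password: str) -> Tuple[Result, int]:
    """Evaluate a method list the way IOS does: methods are tried in order and the
    next one is consulted only when the current one returns ERROR. Returns the
    deciding result and the index of the method that produced it, or (ERROR, -1)
    when no method could decide (the login does not succeed in that case)."""
    for index, method in enumerate(method_list):
        result = method(user, password)
        if result is not Result.ERROR:
            return result, index
    return Result.ERROR, -1


if __name__ == "__main__":
    server_up = [group_tacacs(True), local]     # 'group tacacs+ local', server answering
    server_down = [group_tacacs(False), local]  # same list, server unreachable
    # Emergency account while the server is up: TACACS+ rejects 'admin' and the
    # rejection is final, so the local database is never consulted.
    r, i = evaluate(server_up, "admin", "EmergencyPass@123")
    print(f"server up, admin: {r.name} decided by method {i}")      # FAIL decided by method 0
    # Same account once the server is down: ERROR falls through to 'local'.
    r, i = evaluate(server_down, "admin", "EmergencyPass@123")
    print(f"server down, admin: {r.name} decided by method {i}")    # PASS decided by method 1
```

The model also shows the mirror-image case: a user who exists only on the TACACS+ server cannot log in while the server is down, because the fallback method checks the local database, not a cached copy of the server's.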

Step 4: Configure Authorization

Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# aaa authorization commands 15 default group tacacs+ local
  

Step 5: Configure Accounting

Router(config)# aaa accounting exec default start-stop group tacacs+
Router(config)# aaa accounting commands 15 default start-stop group tacacs+
  

This logs all exec sessions and privilege level 15 commands to the TACACS+ server.

Step 6: Create Fallback Local User

Router(config)# username admin privilege 15 secret EmergencyPass@123
  

Always maintain a local emergency account in case the TACACS+ server fails.

AAA Configuration with RADIUS Server

RADIUS is commonly used for network access authentication (802.1X, VPN). It is an open IETF standard; unlike TACACS+, it protects only the password field of the request rather than the whole packet, and it combines authentication and authorization into a single exchange.

Step 1: Enable AAA

Router(config)# aaa new-model
  

Step 2: Define RADIUS Server

Router(config)# radius-server host 192.168.1.200 auth-port 1812 acct-port 1813 key RadiusKey@456

This is the legacy single-line syntax; newer IOS releases also accept a named radius server block, in the same style as the tacacs server block in the previous section. As with TACACS+, the key must match the one configured on the server.

Step 3: Configure Authentication

Router(config)# aaa authentication login default group radius local
  

Step 4: Configure Authorization

Router(config)# aaa authorization exec default group radius local
Router(config)# aaa authorization network default group radius
  

Step 5: Configure Accounting

Router(config)# aaa accounting exec default start-stop group radius
Router(config)# aaa accounting network default start-stop group radius
  

Named Method Lists

Instead of using "default" method lists, you can create custom named lists for different access scenarios.

Router(config)# aaa authentication login CONSOLE_AUTH local
Router(config)# aaa authentication login VTY_AUTH group tacacs+ local
  

Apply to specific lines:

Router(config)# line console 0
Router(config-line)# login authentication CONSOLE_AUTH
Router(config-line)# exit

Router(config)# line vty 0 15
Router(config-line)# login authentication VTY_AUTH
Router(config-line)# exit
  

Configure Privilege Levels

Cisco IOS supports 16 privilege levels (0-15). You can assign specific commands to different levels.

Router(config)# privilege exec level 7 show running-config
Router(config)# privilege exec level 7 configure terminal
Router(config)# privilege configure level 7 interface
  

Create user with privilege level 7:

Router(config)# username operator privilege 7 secret Oper@Pass
  

Verification and Troubleshooting

Verify AAA Configuration

Router# show aaa servers
Router# show aaa user all
Router# show running-config | section aaa
  

Test Authentication

Router# test aaa group tacacs+ admin Cisco@123
Router# test aaa group radius admin Cisco@123

Depending on the IOS release, the command also requires a trailing legacy or new-code keyword. It sends the supplied credentials to the server and reports whether they were accepted, so use a test account rather than a production administrator password.

Debug AAA

Router# debug aaa authentication
Router# debug aaa authorization
Router# debug aaa accounting
Router# debug tacacs
Router# debug radius
  

Warning: Use debug commands carefully in production as they can impact performance.

View Active Sessions

Router# show users
Router# show line
  

Best Practices

  • Always configure local fallback authentication in case AAA servers fail
  • Use strong passwords and enforce password policies
  • Implement TACACS+ for device administration
  • Use RADIUS for network access control
  • Enable accounting to track all administrative activities
  • Create separate method lists for console and VTY access
  • Test AAA configuration before logging out of current session
  • Maintain console access for emergency recovery
  • Use privilege levels to implement role-based access control
  • Regularly review AAA logs and audit user activities
  • Configure multiple AAA servers for redundancy
  • Keep AAA server and network device time synchronized (NTP)

Common AAA Configuration Template

! Enable AAA
aaa new-model

! Configure TACACS+ servers
tacacs server TACACS1
 address ipv4 192.168.1.100
 key SecretKey123

tacacs server TACACS2
 address ipv4 192.168.1.101
 key SecretKey123

! Authentication
aaa authentication login default group tacacs+ local

! Authorization
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Required for the console: without it IOS ignores authorization on line console 0
aaa authorization console

! Accounting
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

! Local fallback user
username admin privilege 15 secret EmergencyPass@123

! Apply to VTY lines
line vty 0 15
 login authentication default
 authorization exec default
 accounting exec default

! Apply to Console
line console 0
 login authentication default
 authorization exec default
 accounting exec default
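The best practices listed above and the template can be checked mechanically before a change window closes. The following Python script is an added example, not part of the article and not a Cisco tool: it performs a line-based audit of a running-config excerpt for the checks the article recommends (AAA enabled, at least two AAA servers, local fallback on every login list that uses a server group, no "none" method, EXEC and command accounting, an emergency privilege-15 local user, and line sections that reference only defined method lists). The sample config is constructed for the example, modelled on the template, and deliberately leaves out three of those items; the parser covers only the command forms shown in this article.

```python
import re
from typing import List

# Constructed running-config excerpt, modelled on the template above but with three
# deliberate gaps: a single TACACS+ server, a VTY login list without local fallback,
# and no command accounting.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server TACACS1
 address ipv4 192.168.1.100
 key SecretKey123
aaa authentication login default group tacacs+ local
aaa authentication login VTY_AUTH group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username admin privilege 15 secret EmergencyPass@123
line vty 0 15
 login authentication VTY_AUTH
line console 0
 login authentication default
"""

# Server definitions in both the named-block and the legacy single-line syntax.
SERVER_RE = re.compile(r"^(tacacs server|radius server|tacacs-server host|radius-server host)\s")
LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LOCAL_ADMIN_RE = re.compile(r"^username \S+ privilege 15 secret ")


def audit_aaa(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = config.splitlines()
    findings: List[str] = []

    if "aaa new-model" not in {l.strip() for l in lines}:
        findings.append("aaa new-model is not configured; AAA method lists are ignored")

    servers = [l for l in lines if SERVER_RE.match(l)]
    if len(servers) < 2:
        findings.append(f"only {len(servers)} AAA server(s) defined; add a second for redundancy")

    # Every login method list that consults a server group must end in a local fallback,
    # and none may grant unauthenticated access.
    defined_lists = {"default"}
    for l in lines:
        m = LOGIN_LIST_RE.match(l)
        if not m:
            continue
        name, methods = m.group(1), m.group(2).split()
        defined_lists.add(name)
        if "none" in methods:
            findings.append(f"login list {name} contains 'none' (unauthenticated access)")
        if "group" in methods and "local" not in methods:
            findings.append(f"login list {name} has no local fallback after the server group")

    if not any(l.startswith("aaa accounting exec ") for l in lines):
        findings.append("no EXEC accounting configured")
    if not any(l.startswith("aaa accounting commands ") for l in lines):
        findings.append("no command accounting configured")

    if not any(LOCAL_ADMIN_RE.match(l) for l in lines):
        findings.append("no privilege-15 local user for emergency access")

    # Each 'login authentication NAME' inside a line section must name a list that exists.
    section = None
    for l in lines:
        if l.startswith("line "):
            section = l.strip()
        elif not l.startswith(" "):
            section = None
        elif section and l.startswith(" login authentication "):
            ref = l.split()[-1]
            if ref not in defined_lists:
                findings.append(f"{section} references undefined login list {ref}")

    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of show running-config | section aaa plus the line sections; a clean template such as the one above produces no findings, while the sample excerpt reports the missing second server, the VTY_AUTH list without local fallback, and the absent command accounting.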

Conclusion

AAA is essential for securing Cisco network devices and maintaining accountability. Proper AAA configuration ensures that only authorized users can access your devices, limits what they can do based on their role, and logs all activities for security audits. Always implement AAA with fallback mechanisms and test thoroughly before deploying in production environments.