show aaa servers
Displays the status and statistics of all configured AAA (Authentication, Authorization, and Accounting) servers, used to verify server reachability and authentication activity.
show aaa servers
When to Use This Command
- Troubleshooting AAA authentication failures by checking if the RADIUS or TACACS+ server is reachable and responding.
- Monitoring the number of pending requests to identify server overload or network issues.
- Verifying that the correct AAA server group is being used after configuration changes.
- Auditing authentication activity by reviewing the number of accepted vs rejected requests.
Command Examples
Basic show aaa servers output
show aaa servers
RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813
State: current UP, duration 2d1h, previous duration 0s
Dead: total 0, retries 0, retry timeout 0s
Requests: 150, Auth: 150, Acct: 0
Accepts: 145, Rejects: 5, Challenges: 0
Authen Success: 145, Authen Failure: 5
Timeouts: 0, Unexpected Responses: 0
TACACS+: id 2, priority 2, host 10.0.0.1, port 49, timeout 5s
State: current UP, duration 1d6h, previous duration 2h30m
Dead: total 1, retries 2, retry timeout 15s
Requests: 200, Auth: 200, Acct: 0
Accepts: 195, Rejects: 5
Timeouts: 3, Unexpected Responses: 0
- Line 1: RADIUS server ID, priority, IP, ports.
- Line 2: Current state (UP/DOWN), uptime, previous downtime.
- Line 3: Dead count, retries, timeout.
- Line 4: Total requests, authentication requests, accounting requests.
- Line 5: Accepts, rejects, challenges.
- Line 6: Authen success/failure.
- Line 7: Timeouts, unexpected responses.
- The TACACS+ section is similar but shows port and timeout.
Show aaa servers with dead server
show aaa servers
RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813
State: current DOWN, duration 0s, previous duration 5d12h
Dead: total 3, retries 3, retry timeout 30s
Requests: 500, Auth: 500, Acct: 0
Accepts: 0, Rejects: 0, Challenges: 0
Authen Success: 0, Authen Failure: 0
Timeouts: 10, Unexpected Responses: 0
Server is DOWN; previous uptime was 5d12h. Dead total 3 indicates it has been marked dead 3 times. Retries and timeout show recovery attempts. Zero accepts/rejects confirm no successful authentication. High timeouts suggest network or server issue.
Understanding the Output
The output lists each AAA server (RADIUS or TACACS+) with its configuration and statistics. Key fields:
- 'State' shows current UP or DOWN; 'duration' indicates how long it has been in that state.
- 'Dead' shows how many times the server has been marked dead (unreachable) and the retry settings.
- 'Requests' total includes authentication and accounting.
- 'Accepts' and 'Rejects' show successful and failed authentications.
- 'Timeouts' indicate requests that did not get a response.
A high number of timeouts or rejects suggests server or network problems. For CCNA, focus on verifying server reachability (UP/DOWN) and checking for excessive timeouts or rejects.
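The checks described above, as an added example (not part of the original page and not Cisco tooling): a Python parser for output in the layout shown on this page that flags servers that are not UP, have excessive timeouts, or have a high reject ratio. The sample text is constructed from the page's two examples, and the function names and thresholds are assumptions.

```python
import re

# Constructed sample: values from this page's two examples, in the page's layout.
SAMPLE = """\
RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813
State: current DOWN, duration 0s, previous duration 5d12h
Dead: total 3, retries 3, retry timeout 30s
Requests: 500, Auth: 500, Acct: 0
Accepts: 0, Rejects: 0, Challenges: 0
Authen Success: 0, Authen Failure: 0
Timeouts: 10, Unexpected Responses: 0
TACACS+: id 2, priority 2, host 10.0.0.1, port 49, timeout 5s
State: current UP, duration 1d6h, previous duration 2h30m
Dead: total 1, retries 2, retry timeout 15s
Requests: 200, Auth: 200, Acct: 0
Accepts: 195, Rejects: 5
Timeouts: 3, Unexpected Responses: 0
"""
HEADER = re.compile(r"^(RADIUS|TACACS\+): id \d+, priority \d+, host (\S+),")
COUNTER = re.compile(r"(Accepts|Rejects|Timeouts): (\d+)")

def parse_servers(text):
    """Split the output into one dict per server block."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # a protocol header line starts a new server block
            servers.append({"proto": m.group(1), "host": m.group(2), "state": None,
                            "Accepts": 0, "Rejects": 0, "Timeouts": 0})
        elif servers and line.startswith("State: current "):
            servers[-1]["state"] = line.split()[2].rstrip(",")
        elif servers:  # counter lines belong to the most recent header
            for name, value in COUNTER.findall(line):
                servers[-1][name] = int(value)
    return servers

def findings(servers, max_timeouts=5, max_reject_ratio=0.10):
    """Flag problem servers. Thresholds are illustrative assumptions, not Cisco defaults."""
    out = []
    for s in servers:
        answered = s["Accepts"] + s["Rejects"]
        if s["state"] != "UP":
            out.append((s["host"], "server not UP"))
        if s["Timeouts"] > max_timeouts:
            out.append((s["host"], "excessive timeouts"))
        if answered and s["Rejects"] / answered > max_reject_ratio:
            out.append((s["host"], "high reject ratio"))
    return out
```

Tune the thresholds to the request volume of the device being audited; an UP server with a rising reject ratio is the case the State field alone does not reveal.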
CCNA Exam Tips
Remember that 'show aaa servers' shows both RADIUS and TACACS+ servers; the exam may ask you to identify which protocol is in use based on port numbers (1812/1813 for RADIUS, 49 for TACACS+).
If a server is DOWN, check 'dead' count and 'retry timeout' to understand recovery behavior; the exam might test the default dead detection mechanism.
The output differentiates between 'Authen Success/Failure' and 'Accepts/Rejects' — know that Accepts/Rejects include both authentication and authorization responses.
A common exam scenario: a server shows many timeouts — this indicates network connectivity issues or server overload, not a configuration error on the router.
Common Mistakes
Confusing 'Accepts' with 'Authen Success' — Accepts include both authentication and authorization, while Authen Success is only authentication.
Assuming a server is working because it is UP, but ignoring high reject counts that indicate incorrect credentials or server-side issues.
Forgetting that 'show aaa servers' only shows configured servers; if no output appears, AAA is not configured or servers are not defined.