This chapter covers a NEW objective in the CCNA v2 exam (200-301 v2.0, 2026 blueprint): configuring AAA with TACACS+ and RADIUS on IOS XE. Cisco added this to reflect the growing importance of centralized authentication, authorization, and accounting in modern networks. As a network engineer, you'll need to secure device access and track user activity—AAA is the standard framework for doing so, and both TACACS+ and RADIUS are widely deployed in enterprise environments. Mastering this topic will help you pass the exam and build real-world skills.
Imagine a large hotel with multiple floors, rooms, and restricted areas like the pool, gym, and executive lounge. The hotel uses a centralized key card system. When a guest wants to enter a room or facility, they swipe their key card at a reader. The reader sends the card's ID to a central security server, which checks a database to see if the guest is authorized for that specific area. The server then sends back a response: 'access granted' or 'access denied'. This is exactly how AAA works: the guest is the user, the key card is the credentials, the card reader is the network device (like a switch or router), and the central server is the AAA server (TACACS+ or RADIUS). The server performs authentication (who you are), authorization (what you can do), and accounting (what you did). In the hotel analogy, authentication is verifying the guest's identity from the card, authorization is checking if the card allows entry to that area, and accounting is logging every entry and exit. TACACS+ and RADIUS are two different protocols for communicating with the central server—TACACS+ encrypts the entire packet and separates AAA functions, while RADIUS combines authentication and authorization and encrypts only the password. Just as a hotel might use different key card systems for different properties, a network might use TACACS+ for device administration and RADIUS for user network access.
What is AAA and Why It Exists
AAA stands for Authentication, Authorization, and Accounting. It is a framework for controlling who can access network devices (authentication), what they can do once logged in (authorization), and logging their actions (accounting). In small networks, local usernames and passwords on each device suffice. But in enterprise networks with hundreds of devices, managing local accounts is impractical and insecure. AAA centralizes these functions on a dedicated server, providing consistency, scalability, and detailed audit trails.
Cisco IOS XE supports two AAA protocols: RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus). Both use a client-server model where the network device (NAS - Network Access Server) acts as the client and the AAA server handles requests. The exam objective 4.1 specifically requires you to configure AAA with both protocols on IOS XE.
How AAA Works: The Three A's
Authentication verifies the identity of a user or device. The user presents credentials (username/password, certificate, token), the device forwards them to the AAA server, and the server responds with accept or reject. Common authentication methods include login authentication for console, SSH, and VTY lines, and dot1x for port-based network access.
Authorization determines what services or commands a user can access after authentication. For example, after a network admin authenticates, the AAA server can send attributes that assign privilege level 15 (full access) or restrict certain commands. Authorization can be per-user, per-group, or per-service.
Accounting tracks what users do: when they logged in, what commands they ran, how long they were connected, etc. This data is sent to the AAA server as accounting records. Accounting is critical for security audits and troubleshooting.
TACACS+ vs RADIUS: Key Differences
Both protocols run on Cisco devices, but they differ in several ways:
Transport: TACACS+ uses TCP (port 49), while RADIUS uses UDP (ports 1812 for authentication/authorization, 1813 for accounting). TCP makes TACACS+ more reliable, but UDP gives RADIUS lower overhead.
Encryption: TACACS+ encrypts the entire packet body (except the header), including all usernames, passwords, and authorization data. RADIUS only encrypts the password in the Access-Request packet; other attributes (username, accounting data) are sent in cleartext.
Separation of AAA: TACACS+ separates authentication, authorization, and accounting into three distinct processes, allowing them to use different servers. RADIUS combines authentication and authorization into a single response (Access-Accept includes authorization attributes). Accounting is separate.
Standardization: RADIUS is an open standard (RFC 2865, 2866), widely used for network access (e.g., 802.1X, VPN). TACACS+ is a Cisco proprietary protocol, primarily used for device administration.
Command Authorization: TACACS+ supports per-command authorization, where each command is checked against the server. RADIUS does not natively support command-level authorization; instead, it assigns a privilege level, and the device enforces commands based on that level.
The exam expects you to know these differences and when to use each: TACACS+ for device admin, RADIUS for user network access.
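The difference in what the two protocols protect on the wire is easier to see in bytes than in prose. The following is an added example, not code from this chapter or from Cisco: it builds a RADIUS Access-Request the way a NAS would and applies the RFC 2865 User-Password hiding (MD5 of the shared secret and the per-request authenticator, XORed over 16-byte blocks). The User-Name attribute goes out exactly as typed; only the password is hidden, and only someone holding the shared secret can reverse it. The fixed authenticator, the `demo` function and the sample credentials are assumptions made so the run is reproducible.

```python
import hashlib
import os
import struct

# RADIUS code and attribute types used below (RFC 2865)
ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # pad with NULs to a multiple of 16 (at least one block)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; needs the shared secret and the Request Authenticator."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")  # strips padding; assumes the password has no trailing NUL


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """Build an Access-Request as the NAS (switch or router) sends it to the server."""
    authenticator = authenticator or os.urandom(16)  # 16 fresh random octets per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def demo(secret=b"MyRadiusKey456"):
    """Constructed exchange: the username is visible in the datagram, the password is not."""
    authenticator = bytes(range(16))  # fixed only for reproducibility; never do this in a client
    pkt = build_access_request(7, secret, "netadmin", "Sw1tch!Pass", "192.168.1.1", authenticator)
    attrs = parse_attributes(pkt)
    return {
        "username_in_clear": b"netadmin" in pkt,
        "password_in_clear": b"Sw1tch!Pass" in pkt,
        "recovered_with_secret": reveal_password(attrs[USER_PASSWORD], secret, authenticator),
        "recovered_without_secret": reveal_password(attrs[USER_PASSWORD], b"guess", authenticator),
    }
```

The same packet captured on the wire therefore reveals who is logging in but not their password, which is the point the chapter makes; TACACS+ obfuscates the whole body, so neither field is readable there.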
Configuring AAA on IOS XE: Step-by-Step Overview
Configuration involves several steps:
Enable AAA globally: `aaa new-model`. This command activates AAA on the device. Without it, no AAA commands work.
Define the AAA server: specify the server IP, key, and protocol. For TACACS+: `tacacs server server-name`, then `address ipv4 x.x.x.x` and `key secret-key`. For RADIUS: `radius server server-name`, then `address ipv4 x.x.x.x auth-port 1812 acct-port 1813` and `key secret-key`.
Create AAA authentication lists: define how users are authenticated. Example: `aaa authentication login default group tacacs+ local`, which tries TACACS+ first and falls back to local if TACACS+ is unavailable.
Create AAA authorization lists: define what authenticated users can do. For exec (shell) access: `aaa authorization exec default group tacacs+ local`. For command authorization: `aaa authorization commands 15 default group tacacs+ local`.
Create AAA accounting lists: define what to log. Example: `aaa accounting exec default start-stop group tacacs+`.
Apply the lists to lines: on the console, VTY, or AUX lines, use `login authentication default` and `authorization exec default`. If you don't apply them, the lists won't take effect.
Verification Commands
Use `show aaa servers` to see the status of configured AAA servers, including the number of requests, responses, and failures. Example output:
```
R1# show aaa servers
RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813
     State: current UP, duration 3600s, previous duration 0s
     Dead: total time 0s, count 0
     Authen: request 10, timeouts 0, failover 0, retransmission 0
     Response: accept 8, reject 2, challenge 0
     Accounting: request 5, timeouts 0, failover 0
TACACS+: id 2, priority 1, host 192.168.1.20, port 49
     State: current UP, duration 1800s
     Single-connection: disabled
     Authen: request 5, timeouts 0, failover 0
     Response: pass 4, fail 1
     Accounting: request 3, timeouts 0
```
Use `debug aaa authentication` and `debug aaa authorization` to troubleshoot AAA issues (careful in production).
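Reading these counters by eye works for one router; for a fleet you want to parse them. The following is an added example, not code from the chapter or from Cisco: it parses the `show aaa servers` text above into per-server dictionaries and then applies the checks an operator cares about (server not UP, dead-marking, authentication timeouts, and a high reject ratio). The sample input is the chapter's own output, embedded as a constant; the function names and the 50% reject threshold are assumptions.

```python
import re

# The chapter's sample 'show aaa servers' output, embedded here as constructed input.
SAMPLE = """\
RADIUS: id 1, priority 1, host 192.168.1.10, auth-port 1812, acct-port 1813
     State: current UP, duration 3600s, previous duration 0s
     Dead: total time 0s, count 0
     Authen: request 10, timeouts 0, failover 0, retransmission 0
     Response: accept 8, reject 2, challenge 0
     Accounting: request 5, timeouts 0, failover 0
TACACS+: id 2, priority 1, host 192.168.1.20, port 49
     State: current UP, duration 1800s
     Single-connection: disabled
     Authen: request 5, timeouts 0, failover 0
     Response: pass 4, fail 1
     Accounting: request 3, timeouts 0
"""

# A server entry starts with the protocol, id, priority and host; the rest are key/value pairs.
HEADER = re.compile(r"^(RADIUS|TACACS\+): id (\d+), priority (\d+), host ([^,\s]+)(.*)$")


def _value(text):
    """Counters and durations ('10', '3600s') become ints; anything else stays a string."""
    m = re.fullmatch(r"(\d+)s?", text)
    return int(m.group(1)) if m else text


def _pairs(text):
    """'request 10, timeouts 0' -> {'request': 10, 'timeouts': 0}; the last word is the value."""
    out = {}
    for item in text.split(","):
        words = item.split()
        if len(words) >= 2:
            out[" ".join(words[:-1])] = _value(words[-1])
    return out


def parse_aaa_servers(output):
    """Return one dict per server: header fields plus one dict per indented section."""
    servers = []
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            server = {"protocol": m.group(1), "id": int(m.group(2)),
                      "priority": int(m.group(3)), "host": m.group(4)}
            server.update(_pairs(m.group(5)))  # auth-port/acct-port or port
            servers.append(server)
        elif servers and ": " in line:
            section, rest = line.split(": ", 1)
            servers[-1][section.lower()] = _pairs(rest) or rest
    return servers


def _section(server, name):
    sec = server.get(name)
    return sec if isinstance(sec, dict) else {}


def health_findings(servers, max_reject_ratio=0.5):
    """Flag what an operator should look at: down or dead servers, timeouts, high reject rates."""
    findings = []
    for s in servers:
        label = f"{s['protocol']} {s['host']}"
        state, authen = _section(s, "state"), _section(s, "authen")
        if state.get("current") != "UP":
            findings.append(f"{label}: state {state.get('current')}, check reachability and key")
        if _section(s, "dead").get("count", 0):
            findings.append(f"{label}: marked dead {_section(s, 'dead')['count']} time(s)")
        if authen.get("timeouts", 0):
            findings.append(f"{label}: {authen['timeouts']} auth timeouts (port, ACL or server down)")
        resp = _section(s, "response")
        rejects = resp.get("reject", resp.get("fail", 0))  # RADIUS says reject, TACACS+ says fail
        if authen.get("request", 0) and rejects / authen["request"] >= max_reject_ratio:
            findings.append(f"{label}: {rejects}/{authen['request']} logins rejected, review key/accounts")
    return findings
```

On the chapter's sample both servers are UP with no timeouts and a low reject ratio, so `health_findings` returns an empty list; feed it output captured after an outage and the DOWN state, dead count and timeouts show up as separate findings.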
How AAA Interacts with Other Protocols
AAA is often used with 802.1X for port-based network access control. The switch acts as the authenticator, the client (supplicant) provides credentials, and the AAA server (RADIUS) authenticates. AAA also integrates with TACACS+ for device administration, and with RADIUS for VPN authentication (IPsec, SSL VPN). Additionally, AAA can be used with NTP and logging for time-stamped accounting records.
Defaults and Timers
RADIUS default auth-port: 1645 (deprecated) or 1812 (official). IOS XE defaults to 1645 unless specified. Always set to 1812 for standards compliance.
RADIUS default acct-port: 1646 (deprecated) or 1813 (official). IOS XE defaults to 1646. Set to 1813.
TACACS+ default port: 49.
RADIUS retransmit count: default 3. Configurable with radius-server retransmit.
RADIUS timeout: default 5 seconds. Configurable with radius-server timeout.
TACACS+ timeout: default 5 seconds. Configurable with tacacs-server timeout.
AAA server dead detection: If a server fails to respond, it is marked dead for a default of 0 seconds (immediate retry). Use radius-server dead-criteria or tacacs-server dead-criteria to tune.
Trap Patterns on the Exam
Confusing TACACS+ and RADIUS port numbers: TACACS+ uses TCP 49; RADIUS uses UDP 1812/1813. Many candidates mix them up.
Forgetting `aaa new-model`: Without this command, no AAA configuration works. The exam often has a question where AAA is not working because this command is missing.
Applying authentication list to lines: Configuring the list globally is not enough; it must be applied to the line (e.g., login authentication default).
Mixing up authentication and authorization: Authentication verifies identity; authorization grants permissions. A common wrong answer is to use aaa authorization login instead of aaa authentication login.
Enable AAA Globally
Enter global configuration mode and issue the command `aaa new-model`. This single command activates the AAA feature set on the IOS XE device. Without it, no AAA commands (authentication, authorization, accounting) are available. After enabling, all existing local usernames and passwords remain valid but are now part of the local fallback method. The device will now use AAA for all login attempts unless you configure specific authentication lists. This is a critical step that candidates often forget, leading to "AAA not working" scenarios on the exam.
Configure AAA Server (TACACS+)
Define a TACACS+ server using the `tacacs server` command. Example:
```
tacacs server TACACS1
 address ipv4 192.168.1.20
 key MySecretKey123
```
The server name is an arbitrary label. The `address` command specifies the IPv4 address of the TACACS+ server. The `key` command sets the shared secret used to encrypt communication between the device and the server. The key must match on both sides. You can configure multiple TACACS+ servers for redundancy. TACACS+ uses TCP port 49 by default; no need to specify the port unless it's non-standard.
Configure AAA Server (RADIUS)
Define a RADIUS server using the `radius server` command. Example:
```
radius server RADIUS1
 address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
 key MyRadiusKey456
```
Note the explicit auth-port and acct-port. IOS XE defaults to deprecated ports 1645/1646; setting 1812/1813 ensures standards compliance. The key is the shared secret. RADIUS uses UDP, so the device will retransmit if no response is received. You can configure multiple RADIUS servers; the device tries them in order of priority (configured via `priority` under the server, or order of configuration).
Create Authentication Lists
Define authentication method lists using `aaa authentication login`. Example:
```
aaa authentication login default group tacacs+ local
```
This creates a default list that first tries TACACS+ servers (any configured TACACS+ servers), then falls back to local usernames. You can also create named lists: `aaa authentication login SSH-LOGIN group radius local`. The list name is then applied to specific lines. Common methods: `group tacacs+`, `group radius`, `local`, `enable`, `none` (not recommended). The order matters; the device tries methods in sequence until a server responds or all methods fail.
Configure Authorization and Accounting
Authorization controls what users can do. Example for exec (shell) authorization:
```
aaa authorization exec default group tacacs+ local
```
For command authorization (privilege level 15):
```
aaa authorization commands 15 default group tacacs+ local
```
Accounting tracks actions. Example:
```
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```
The `start-stop` keyword sends a start record when the session begins and a stop record when it ends. Other options: `stop-only`, `none`. For TACACS+, accounting records include command details; for RADIUS, accounting is more limited. The exam may ask about the difference in accounting granularity.
Apply AAA to Lines and Verify
Apply the authentication and authorization lists to the console, VTY, and AUX lines. Example:
```
line console 0
 login authentication default
 authorization exec default
line vty 0 4
 login authentication default
 authorization exec default
```
If you don't apply the lists, the global lists are not used. Verify with `show running-config | section aaa` and `show aaa servers`. Test by logging in via SSH: the device should prompt for credentials, forward them to the AAA server, and grant access based on the server's response. Use `debug aaa authentication` to see the process. If the server is unreachable, the device falls back to local (if configured).
In a typical enterprise network, AAA is deployed for two main use cases: device administration and network access control. For device administration, network engineers configure TACACS+ on all routers, switches, and firewalls. A central TACACS+ server (e.g., Cisco ISE, ACS) stores user credentials and authorization policies. When an engineer SSHs into a switch, the switch sends the credentials to the TACACS+ server. The server authenticates the user and returns an authorization profile that might grant privilege level 15 or restrict certain commands. Accounting logs every command typed, which is invaluable for security audits and troubleshooting. For example, if a switch configuration changes unexpectedly, the accounting logs show who ran what command and when.
For network access control, RADIUS is used with 802.1X to authenticate end users connecting to switch ports or wireless networks. The switch (authenticator) forwards EAP frames from the client (supplicant) to a RADIUS server (e.g., Cisco ISE). The server authenticates the user and returns authorization attributes like VLAN assignment or ACL name. This ensures that only authenticated users gain network access, and they are placed in the correct VLAN. Accounting tracks when users connect and disconnect.
Common scale considerations: A single AAA server can handle thousands of requests per second, but redundancy is critical. Enterprises deploy two or more servers in a load-balanced or failover configuration. The network devices are configured with multiple server entries; if the primary server fails, the device automatically tries the secondary. The dead-criteria command controls how quickly a failed server is retried. Misconfiguration can lead to lockouts: if the AAA server is unreachable and no local fallback is configured, administrators cannot log in. This is a classic production outage. Best practice is to always configure local as a fallback and maintain a local account with privilege 15. Also, ensure the AAA server is reachable from the management network; if the management interface goes down, AAA fails.
Another real-world scenario: integrating AAA with TACACS+ for command authorization. In a large team, junior engineers might be restricted to show commands, while senior engineers have full access. The TACACS+ server returns a privilege level or a custom attribute that the IOS device interprets to allow or deny specific commands. This is far more flexible than using local privilege levels. Accounting then records all commands, providing an audit trail that satisfies compliance requirements like PCI-DSS or SOX.
Exam Objective 4.1: Configure AAA with TACACS+ and RADIUS on IOS XE
The 200-301 v2.0 exam tests your ability to configure AAA authentication, authorization, and accounting using both TACACS+ and RADIUS. You must know the configuration steps, the differences between the two protocols, and how to verify AAA operation. Expect scenario-based questions where you must choose the correct commands or identify why AAA is failing.
New in CCNA v2
This topic is entirely new in the 2026 blueprint. In CCNA v1.1, AAA was not explicitly tested; you only needed to know basic local authentication and privilege levels. Now, Cisco expects you to configure centralized AAA with external servers. Candidates who studied v1.1 materials will miss this entirely. The new 5-domain blueprint places AAA under "Network Services and Security" (20% weight), alongside topics like NTP, SNMP, and ACLs. This reflects the industry shift toward centralized security and compliance.
Common Wrong Answers and Why
Using `aaa authentication login` instead of `aaa new-model`: Candidates often start configuring authentication lists without enabling AAA globally. The device will accept the commands but they won't work. The correct first step is always aaa new-model.
Confusing TACACS+ and RADIUS ports: TACACS+ uses TCP 49; RADIUS uses UDP 1812/1813. A common trap is to see "TCP 1812" or "UDP 49" in an answer choice.
Forgetting to apply the authentication list to lines: Configuring aaa authentication login default group tacacs+ local is not enough; you must also apply it with login authentication default under the line. The exam may present a scenario where AAA is configured but not working because the line lacks the login authentication command.
Mixing up authentication and authorization: A question might ask for the command to restrict commands; the correct answer is aaa authorization commands, not aaa authentication commands. Many candidates use authentication when they mean authorization.
Specific Values and Commands to Memorize
aaa new-model enables AAA.
tacacs server and radius server define servers.
aaa authentication login {list-name} group {tacacs+|radius} local.
aaa authorization exec {list-name} group {tacacs+|radius} local.
aaa accounting exec {list-name} start-stop group {tacacs+|radius}.
Default RADIUS ports: 1645 (auth), 1646 (acct) — but always configure 1812/1813.
Default TACACS+ port: 49.
show aaa servers displays server status.
debug aaa authentication shows authentication process.
Decision Rule for Scenario Questions
If the question asks why a user cannot log in despite correct credentials, check: (1) Is aaa new-model enabled? (2) Is the server reachable? (3) Is the authentication list applied to the line? (4) Is the key correct? If the question asks which protocol to use for command authorization, choose TACACS+. If the question asks for network access (802.1X), choose RADIUS.
[CCNA v2 NEW] AAA with TACACS+ and RADIUS is a new exam objective for 200-301 v2.0 (2026 blueprint).
AAA stands for Authentication, Authorization, and Accounting.
TACACS+ uses TCP port 49 and encrypts the entire packet; RADIUS uses UDP ports 1812/1813 and encrypts only the password.
The first command to enable AAA is `aaa new-model`.
Authentication lists must be applied to lines using `login authentication`.
TACACS+ separates authentication, authorization, and accounting; RADIUS combines authentication and authorization.
Use `show aaa servers` to verify server status and counters.
Always configure a local fallback to avoid lockout if the AAA server is unreachable.
RADIUS is typically used for network access (802.1X), TACACS+ for device administration.
The default RADIUS ports on IOS XE are 1645/1646; always set to 1812/1813 for standards compliance.
These come up on the exam all the time. Here's how to tell them apart.
TACACS+
Uses TCP port 49
Encrypts entire packet body
Separates authentication, authorization, and accounting
Supports per-command authorization
Cisco proprietary (though widely supported)
RADIUS
Uses UDP ports 1812/1813
Encrypts only password
Combines authentication and authorization in Access-Accept
No native per-command authorization; uses privilege levels
Open standard (RFC 2865, 2866)
Mistake
AAA and RADIUS are the same thing.
Correct
AAA is a framework; RADIUS and TACACS+ are protocols that implement AAA. RADIUS is one protocol for AAA, not AAA itself.
The acronym AAA is often used loosely; candidates confuse the framework with one of its implementations.
Mistake
TACACS+ and RADIUS both encrypt all data.
Correct
TACACS+ encrypts the entire packet body; RADIUS encrypts only the password in Access-Request packets. Other attributes like username are sent in cleartext.
Both protocols use a shared secret, leading to the assumption that encryption is identical.
Mistake
You must configure a separate authorization list for each line.
Correct
You can use a default list that applies to all lines, but you still must apply it with the `authorization exec` command on each line or use the default globally.
Candidates think the global list automatically applies, but line-level application is required.
Mistake
RADIUS is better than TACACS+ for device administration because it is an open standard.
Correct
TACACS+ is preferred for device administration because it supports per-command authorization and encrypts the entire session. RADIUS is better for network access due to its standard attributes and UDP efficiency.
Open standard vs proprietary bias leads to incorrect protocol selection.
The first command is `aaa new-model` entered in global configuration mode. This enables the AAA feature set. Without it, no AAA commands (authentication, authorization, accounting) are available. After this, you can configure servers, method lists, and apply them. Always verify with `show running-config | include aaa new-model`.
Use the `tacacs server` command followed by a name, then specify the IP address and key. Example:
```
tacacs server TACACS1
 address ipv4 192.168.1.20
 key MyKey
```
You can configure multiple servers. The device will try them in order. TACACS+ uses TCP port 49 by default. No port configuration is needed unless using a non-standard port.
Authentication verifies who the user is (e.g., checking username and password). Authorization determines what the user is allowed to do (e.g., privilege level, allowed commands). Authentication happens first; if it fails, authorization is not attempted. On the exam, remember: authentication = identity, authorization = permissions.
Local fallback ensures that if the AAA server is unreachable (e.g., network outage, server down), users can still log in using locally configured usernames and passwords. Without fallback, you risk being locked out of the device. Configure it by adding `local` at the end of the method list: `aaa authentication login default group tacacs+ local`. Also maintain a local user with privilege 15.
RADIUS uses UDP port 1812 for authentication and authorization, and UDP port 1813 for accounting. Older implementations used 1645 and 1646, but these are deprecated. On Cisco IOS XE, the default ports are 1645/1646 unless explicitly configured. Always set them to 1812/1813 for standards compliance using the `auth-port` and `acct-port` keywords under `radius server`.
RADIUS does not natively support per-command authorization. Instead, RADIUS assigns a privilege level (1-15) via attributes like Cisco-AVPair = "shell:priv-lvl=15". The device then enforces commands based on that privilege level. For granular command authorization, TACACS+ is recommended because it can authorize each command individually.
Use `show aaa servers` to see the status of configured servers, including request/response counts. Use `show running-config | section aaa` to review your configuration. To test, attempt to log in via SSH or console and watch the debug output with `debug aaa authentication` (use caution in production). Also check the local user database with `show running-config | include username`.