Imagine a nightclub where anyone can walk in, grab a drink, and start a fight—no ID check, no bouncer, no accountability. That's a network without AAA. The Authentication, Authorization, and Accounting (AAA) framework is the bouncer, the ID scanner, and the logbook of your network. For CCNA 200-301 exam objective 5.3, you must understand how AAA centralizes access control, enforces policies, and tracks user activity. In real networks, AAA is what keeps the bad guys out and tells you exactly what happened when something goes wrong.
Think of a high-end nightclub with three layers of security: the doorman (Authentication), the VIP host (Authorization), and the accountant with a clipboard (Accounting).

The doorman checks your ID: he verifies you are who you say you are. He doesn't care whether you're on the list; he just confirms your identity. That's authentication: proving you hold a valid credential (password, fingerprint, key card).

Once inside, the VIP host looks up your name on a list and decides what you can do. Maybe you're a VIP with access to the rooftop lounge, or a regular guest restricted to the main floor. That's authorization: which resources you can access and which actions you can perform.

Finally, the accountant with a clipboard follows you around, noting every drink you order, every time you enter the restroom, and when you leave. That's accounting: logging your activity for billing, audit, or security review.

In a network, AAA works the same way. Authentication (the doorman) verifies the user or device identity, usually via a username/password or certificate. Authorization (the VIP host) then determines what that authenticated entity is allowed to do: which VLAN, which ACL, which services. Accounting (the accountant) records start and stop times, data transferred, and commands executed.

The key insight: these three functions are separate but work together. A user might be authenticated but not authorized for anything (like a guest with no privileges). The reverse, authorized but not yet authenticated, cannot happen, because authorization always follows authentication. The nightclub analogy breaks down if you think of them as one person: they are three distinct roles that consult a shared database (the club's reservation system), just like a RADIUS or TACACS+ server.
What is AAA and Why Does It Exist?
AAA stands for Authentication, Authorization, and Accounting. It is a framework for intelligently controlling access to network resources, enforcing policies, and auditing usage. Before AAA, network devices used local databases (username/password stored on the device itself) for authentication. That works for a router or two, but in an enterprise with hundreds of devices, managing local accounts is a nightmare. AAA centralizes user management on a dedicated server (RADIUS or TACACS+), so you change one password on the server and it propagates everywhere. AAA also provides detailed logs (accounting) that are essential for security audits and billing.
How AAA Works Step by Step
Let's walk through a typical AAA login sequence using RADIUS:
User initiates connection: A network administrator connects to a router via SSH. The router is configured to use AAA for login authentication.
Router prompts for credentials: The router sends a login prompt to the user, who enters a username and password.
Router creates an Access-Request packet: The router (acting as a RADIUS client) encrypts the password using a shared secret and sends an Access-Request packet to the RADIUS server. The packet includes the username, encrypted password, and identifying information like the NAS IP address and port.
RADIUS server checks credentials: The server looks up the username in its database, decrypts the password, and compares it to the stored hash. If it matches, the server checks what authorization attributes should be returned (e.g., privilege level, ACL name).
Server sends response: The server sends back an Access-Accept (success) or Access-Reject (failure). If Accept, it includes authorization attributes in vendor-specific attributes (VSAs).
Router applies authorization: The router processes the attributes: sets the user's privilege level, applies an ACL, or places the user in a specific VLAN. Then the user gets a shell.
Accounting starts: The router sends an Accounting-Start packet to the RADIUS server, recording that the user logged in. When the user logs out, an Accounting-Stop packet is sent with session duration, input/output octets, and reason for termination.
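As an added example (not code from the original article), here is a small Python model of the Access-Request exchange above and of the point that RADIUS hides only the password: it obfuscates User-Password per RFC 2865 section 5.2 using the shared secret and Request Authenticator, leaves User-Name and NAS-IP-Address in cleartext, and shows how a mismatched shared secret breaks the Response Authenticator check on the client side. Attribute numbers are the RFC 2865 standard ones; the username, password, secret and NAS address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    padded = padded or b"\x00" * 16  # an empty password still occupies one block
    hidden, prev = b"", request_auth  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev  # chaining uses the ciphertext block, not the plaintext
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; a wrong secret yields garbage, not an error."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, nas_port, request_auth=None):
    """NAS side: only User-Password is hidden; User-Name and NAS-IP-Address travel in the clear."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: Access-Accept/Reject carrying the Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """Client side: a response built with a mismatched shared secret fails this check."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

Because the check is a plain MD5 comparison, the client cannot tell a wrong secret from a forged reply; this is why the page recommends testing with a known working user right after configuration.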
Key States, Timers, and Defaults
Authentication methods: On Cisco IOS, the aaa authentication login command defines a list of methods. Default is local (uses local username database). Common methods: local, group radius, group tacacs+, enable, none.
Authorization methods: aaa authorization exec controls shell access; aaa authorization commands controls command execution; aaa authorization network controls network access (e.g., VPN).
Accounting types: aaa accounting exec logs user sessions; aaa accounting commands logs every command; aaa accounting network logs network access.
RADIUS defaults: UDP ports 1812 for authentication, 1813 for accounting (older Cisco devices use 1645/1646). Shared secret is case-sensitive, max 128 characters.
TACACS+ defaults: TCP port 49. Encrypts the entire packet body (not just password). Separates authentication, authorization, and accounting into separate packets.
Timeout and retransmit: Default RADIUS timeout is 5 seconds, retransmit count is 2. Change with timeout and retransmit under the RADIUS server configuration.
IOS CLI Verification Commands
After configuring AAA, verify with these commands:
```
R1# show aaa servers
RADIUS: id 1, priority 1, host 192.168.1.100, auth-port 1812, acct-port 1813
State: current UP, duration 2d3h, previous duration 0s
Dead: total 0, retransmit 0, retry 0
```

```
R1# show aaa sessions
Total sessions since last reload: 15
Session Id: 10
Unique Id: 10
User Name: admin
IP Address: 10.0.0.2
Idle Time: 0
Timeout: 0
Caller Id: vty0
Session Start: *08:12:34.123 UTC Mon Mar 1 2021
Session Stop: *08:45:12.456 UTC Mon Mar 1 2021
```

```
R1# debug aaa authentication
AAA Authentication debugging is on
*Mar 1 08:15:00.123: AAA/BIND(00000001): Bind i/f
*Mar 1 08:15:00.123: AAA/AUTHEN/LOGIN (00000001): Pick method list 'default'
```

How AAA Interacts with Related Protocols
AAA is not a protocol itself; it's a framework that uses RADIUS or TACACS+. RADIUS is an open standard (RFC 2865) widely used for network access (VPN, 802.1X wireless). TACACS+ is Cisco proprietary and more commonly used for device administration (router/switch login). AAA can also integrate with LDAP, Kerberos, or Active Directory via a RADIUS proxy. For 802.1X port-based authentication, AAA works with EAP (Extensible Authentication Protocol) to authenticate endpoints before granting network access.
Configure a RADIUS server
First, define the RADIUS server on the Cisco device. Use the `radius server` command in global configuration mode. Specify the hostname or IP address, the authentication and accounting ports, and the shared secret key. The key must match the one configured on the RADIUS server. Example:

```
R1(config)# radius server RADIUS-SERVER
R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
R1(config-radius-server)# key cisco123
```

This creates a server group automatically; you can also create a named server group with `aaa group server radius` if you need multiple servers.
Enable AAA globally
Turn on AAA with the `aaa new-model` command. This enables AAA on the device and changes the default authentication behavior. After this command, all login attempts will use AAA unless you configure method lists. Without AAA new-model, the device uses local authentication by default. Example: ``` R1(config)# aaa new-model ``` This command also enables TACACS+ and RADIUS client functionality. Note: once you issue this command, you must configure at least one authentication method for console and VTY lines, or you might lock yourself out.
Create authentication method list
Define an authentication list for login. The `aaa authentication login default group radius local` command tells the device to first try RADIUS, then fall back to local if the RADIUS server is unreachable. The keyword `default` applies this list to all lines that do not have a specific list assigned. Example:

```
R1(config)# aaa authentication login default group radius local
```

You can also create named lists (e.g., `aaa authentication login SSH-LOGIN group radius`) and apply them to specific lines. The order of methods matters: the device tries them in sequence until one succeeds or all fail.
Configure authorization (optional)
Authorization controls what an authenticated user can do. For exec (shell) access, use `aaa authorization exec default group radius local`. This tells the device to request authorization attributes (like privilege level) from the RADIUS server. If the server doesn't respond, it falls back to local. Example:

```
R1(config)# aaa authorization exec default group radius local
```

For command authorization (privilege level 15 commands), use `aaa authorization commands 15 default group radius local`. This logs every command to the RADIUS server for accounting and can deny commands that are not authorized.
Configure accounting (optional)
Accounting logs user activity. For exec sessions, use `aaa accounting exec default start-stop group radius`. This sends an Accounting-Start when the session begins and an Accounting-Stop when it ends. The `start-stop` keyword means the device sends a start record immediately and a stop record at the end. Example:

```
R1(config)# aaa accounting exec default start-stop group radius
```

You can also account for commands: `aaa accounting commands 15 default start-stop group radius`. This logs every command executed by privilege level 15 users.
Apply authentication to lines
By default, the `default` authentication list applies to all lines (console, VTY, AUX), but it's good practice to apply it explicitly. For VTY lines, enter line configuration mode and use `login authentication default`. For the console, use the same command under `line console 0`. Example:

```
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# transport input ssh
```

This ensures that SSH sessions use the AAA authentication list. Always configure a fallback method (like local) to avoid lockout if the RADIUS server is down.
In a large enterprise with 5000 employees, managing local accounts on every router and switch is impossible. AAA solves this by centralizing authentication on a RADIUS server (often integrated with Active Directory). Here are three real-world scenarios:
1. VPN Remote Access: Employees connecting via IPsec VPN are authenticated against a RADIUS server that checks their AD credentials. Authorization attributes (like ACL name or VLAN) are returned to the VPN gateway. Accounting logs track connection time and data usage for billing or security incident response. Misconfiguration: if the RADIUS server is unreachable, users cannot connect unless a fallback method (like local) is configured. Without fallback, the entire remote workforce is locked out.
2. Network Device Administration: Network engineers SSH into core routers. TACACS+ is preferred over RADIUS because it separates authentication, authorization, and accounting. Each command is logged and can be authorized. For example, a junior engineer might be allowed `show` commands but not `configure terminal`. If TACACS+ fails, fallback to local accounts prevents lockout. Common mistake: forgetting to add the TACACS+ server to the device's server group, causing authentication failures.
3. 802.1X Wired Access: Employees plug into an office switch and are authenticated via 802.1X using a RADIUS server. The switch acts as the authenticator, the client (supplicant) sends credentials, and the RADIUS server decides whether to grant access. Authorization can place the user in a specific VLAN (e.g., employee VLAN vs. guest VLAN). Accounting tracks MAC addresses and session duration. Misconfiguration: if the RADIUS server doesn't respond, the switch might fail open (allow all) or fail closed (deny all), depending on the configuration. In production, fail closed is more secure but can cause support calls.
Scale and performance: A single RADIUS server can handle thousands of authentications per second. For redundancy, use multiple servers in a group (primary and secondary). Load balancing is achieved by configuring multiple servers with the same priority. Accounting logs can generate gigabytes of data per day; ensure the server has enough disk space and log rotation.
What happens when misconfigured: The most common issue is lockout. If you enable aaa new-model without configuring an authentication method for console, you will be locked out of the device. The fix is to reload the device and break into ROMMON, or use the password recovery procedure. Another issue: mismatched shared secret between the device and RADIUS server causes "authentication failed" for all users. Always test with a known working user after configuration.
Exam Objective 5.3: Configure and verify AAA for device access. The CCNA 200-301 exam focuses on understanding the AAA framework, not deep configuration. You must know the difference between authentication, authorization, and accounting. You must know that RADIUS uses UDP (ports 1812/1813) and encrypts only the password, while TACACS+ uses TCP (port 49) and encrypts the entire packet. You must be able to interpret show aaa servers and show aaa sessions output.
Common Wrong Answers and Why Candidates Choose Them:
"RADIUS encrypts the entire packet." Candidates confuse RADIUS with TACACS+. RADIUS only encrypts the password attribute; TACACS+ encrypts the entire body. This is a classic exam trap.
"TACACS+ uses UDP." Candidates remember that RADIUS uses UDP and assume TACACS+ does too. TACACS+ uses TCP for reliability.
"AAA is a protocol." Candidates think AAA is a protocol like RADIUS. AAA is a framework; RADIUS and TACACS+ are protocols that implement it.
"Authorization happens before authentication." Candidates misunderstand the order. Authentication must succeed before authorization can be performed.
Specific Values and Commands:
RADIUS ports: auth 1812, acct 1813 (older: 1645/1646).
TACACS+ port: 49.
Command to enable AAA: aaa new-model.
Command to create authentication list: aaa authentication login default group radius local.
Verification: show aaa servers shows server status; show aaa sessions shows active sessions.
Decision Rule for Scenario Questions:
If the question asks about "centralized authentication for network devices" and mentions "encrypts entire packet", choose TACACS+. If it mentions "UDP" or "encrypts password only", choose RADIUS. If it asks about "logging user commands", it's accounting. If it asks about "what a user can do after login", it's authorization.
Trap Calculation: None directly, but be aware that RADIUS retransmission timers can cause authentication delays if the server is slow. The default timeout is 5 seconds with 2 retries, so a user might wait up to 15 seconds before fallback.
AAA stands for Authentication, Authorization, and Accounting.
RADIUS uses UDP ports 1812 (auth) and 1813 (acct); encrypts only the password.
TACACS+ uses TCP port 49; encrypts the entire packet body.
The command 'aaa new-model' enables AAA on a Cisco device.
Authentication must occur before authorization; accounting can occur before or after.
'show aaa servers' displays RADIUS/TACACS+ server status and statistics.
Always configure a fallback method (e.g., local) to prevent lockout.
These come up on the exam all the time. Here's how to tell them apart.
RADIUS
Uses UDP ports 1812/1813 (auth/acct)
Encrypts only the password attribute
Combines authentication and authorization in one packet
Open standard (RFC 2865)
Widely used for network access (VPN, 802.1X)
TACACS+
Uses TCP port 49
Encrypts the entire packet body
Separates authentication, authorization, and accounting into separate packets
Cisco proprietary
Primarily used for device administration (router/switch login)
Mistake
RADIUS encrypts the entire packet.
Correct
RADIUS only encrypts the password attribute in the Access-Request packet. The rest of the packet (username, NAS IP) is sent in cleartext.
Candidates often assume encryption applies to the whole packet because TACACS+ does that.
Mistake
TACACS+ uses UDP.
Correct
TACACS+ uses TCP port 49 for reliable delivery. RADIUS uses UDP.
Both are AAA protocols, so candidates mix up their transport protocols.
Mistake
AAA is a protocol.
Correct
AAA is a framework; RADIUS and TACACS+ are protocols that implement AAA services.
The term 'AAA' is often used loosely, leading candidates to think it's a specific protocol.
Mistake
Authorization can occur before authentication.
Correct
Authorization always occurs after successful authentication. You cannot authorize an unknown user.
Candidates confuse the logical order because both start with 'A' and happen in quick succession.
Authentication verifies who the user is (e.g., username/password). Authorization determines what the user can do (e.g., which commands they can run, which VLAN they can access). On Cisco IOS, authentication happens first; if it fails, the user is denied. If it succeeds, authorization is applied. Authorization can return attributes like privilege level or ACL name.
RADIUS uses UDP port 1812 for authentication and 1813 for accounting. Some older Cisco devices use ports 1645 and 1646. The exam expects 1812/1813. The ports are configurable on both the server and the client (router). Make sure both sides match.
Yes, you can configure both protocols and use them in different method lists. For example, you might use TACACS+ for device administration (SSH) and RADIUS for VPN authentication. The router can act as a client for both simultaneously.
The router will try the next method in the method list. For example, if you configure 'aaa authentication login default group radius local', the router will fall back to local authentication if the RADIUS server does not respond. If no fallback is configured, authentication fails.
Use 'show aaa servers' to see server status (UP/DOWN). Use 'show aaa sessions' to view active user sessions. Use 'debug aaa authentication' to see real-time authentication attempts. Also check 'show running-config | include aaa' to see the AAA configuration.
It enables the AAA security services on the router. Without it, the router uses legacy authentication (local database). After this command, you must configure AAA method lists; otherwise, all logins will be denied. It also enables RADIUS and TACACS+ client functionality.
TACACS+ encrypts the entire packet body, including the username, password, and authorization attributes. RADIUS only encrypts the password. Additionally, TACACS+ separates authentication, authorization, and accounting into separate packets, allowing more granular control. RADIUS combines authentication and authorization in a single packet.