AAA 101

Enabling AAA new-model

AAA stands for Authentication, Authorization and Accounting. Authentication is the process of identifying users based on some credentials (passwords, digital certificates, tokens). Authorization is the process of allowing an authenticated user to access specific services or a specific level of administration, while accounting is the process of tracking and logging a user’s actions while authenticated. To enable the new-model of AAA implementation on a Cisco device, use:

R(config)# aaa new-model


Authentication methods can be grouped in 2 categories: Group methods and Non-Group methods. Group methods include protocols such as RADIUS, TACACS+ or Kerberos. These protocols require an external server that handles authentication requests. The non-group methods include local login (usernames defined locally), enable passwords or line passwords.


RADIUS is now an industry standard and runs on UDP 1812 and UDP 1813. A RADIUS packet encrypts only the password field.

To define a radius server that will process AAA requests, use the following commands:

R(config)# radius-server host {HOST|IP-ADDR} [auth-port PORT] [acct-port PORT] [timeout SEC] [retransmit RETRIES] [key KEY] [alias {HOST|IP-ADDR}]
! Configures a radius server

All Radius servers are by default part of the radius group, but custom groups that include subsets of the radius group can be configured:

R(config)# aaa group server radius RADIUS-GROUP
R(config-sg-radius)# server IP-ADDR [auth-port PORT] [acct-port PORT]


TACACS+ is a Cisco proprietary protocol that runs on TCP 49. With TACACS the entire packet body is encrypted. TACACS+ is configured in a similar way as RADIUS:

R(config)# tacacs-server host {HOST|IP-ADDR} [single-connection] [port PORT] [timeout SEC] [key KEY] 

All TACACS+ servers are by default part of the tacacs+ group, but custom groups that include subsets of the tacacs+ group can be configured:

R(config)# aaa group server tacacs+ TACACS+GROUP
R(config-sg-tacacs)# server {HOST|IP-ADDR}

Local and Local-case

Just define the usernames on the local router:

R(config)# username USER [privilege {1-15}] [password PASS | secret SECRET]

The local method use the case-insensitive users locally defined, while the local-case method uses case-sensitive values.

Enable Password

R(config)# enable [password PASS | secret SECRET]

Line Passwords

Line password uses the passwords defined on each line:

R(config-line)# password PASS


Authentication lists

An authentication list consists of one or more authentication methods that are used, in order, for authentication. The first method in the list is used and if the result is an accept or a reject, the other methods are not used. They are used only if the previous methods are not available (like a server response timeout). Authentication lists can be defined for several features that may require authentication. A default list is already applied for each feature, but other lists can be defined, or the default list can be populated.

R(config)# aaa authentication LIST-TYPE {default|LIST-NAME} METHODS-LIST
! Some LIST-TYPEs can be:
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable (privileged mode)
  login            Set authentication lists for logins.
  ppp              Set authentication lists for ppp.
! METHODS LIST can include:
  enable       Use enable password for authentication.
  group {GROUP-NAME|radius|tacacs+}        Use Radius/Tacacas+ Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication

Unless a LIST-NAME is specified, the router uses the default lists, but the default configuration of the default lists doesn’t show up in the configuration (by default). If you define the default lists yourself, they will show up in the config. If you don’t, the router uses the Permanenet lists, which are predefined.

! For PPP and VTY line authenticaion, it uses the Permanent Local list, which is similar to:
R(config)# aaa authentication ppp default local
! For Console line authentication, it uses the Permanent None list, which is similar to:
R(config)# aaa authentication ppp default none
! For Enable authentication, it uses the Permanent Enable list, which is similar to:
R(config)# aaa authentication enable default enable

Applying authentication lists

Line Authentication (console, vty)

R(config)# line {con | vty LINE-START [LINE-END]}
R(config-line)# login authentication {default|LOGIN-LIST-NAME}
! attach the LOGIN-LIST-NAME to a line

PPP Authentication

R(config-if)# ppp authentication {chap|pap|...} {default | PPP-LIST-NAME}
! authenticate using the PPP-LIST-NAME

Privilege mode Authentication

You can’t define custom lists, but you can change the authentication enable default list.


Authorization Lists

Authorization lists are created similarly to authentication lists:

R(config)# aaa authorization LIST-TYPE {LIST-NAME|default} METHODS-LIST 
! LIST-TYPE can be:
  commands         For exec (shell) commands.
  configuration    For downloading configurations from AAA server
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections
! methods in METHODS-LIST are similar to authorization methods, but there's a new one:
  if-authenticated  Succeed if user has already authenticated.

Applying authorization lists

Authorization usually works hand in hand with. But it can be also used with default privilege levels.

Authorize access to EXEC mode

By default, the VTY privilege level is set to 1. You can change this level if you set

R(config-line)# privilege level LEVEL

This means all users that login via the VTY will be assigned this privilege LEVEL.

You can use a dynamic method of assigning users with an authentication level (radius, tacacs, local) or you can fallback to the line configuration (if-authenticated). First define the EXEC-LIST-NAME method list, and then you apply it on the vty line:

R(config-line)# authorization exec {EXEC-LIST-NAME|default}

The same is true for console lines too, except by default authorization always succeeds and assigns the users to level 15 (Applies to router only, not switches), regardless of the authorization exec list defined on the console line. To enable the use of the list, you must also run:

R(config)# aaa authorization console

Authorize commands

R(config-line)# authorization commands PRIV-LEVEL {COMMANDS-LIST-NAME|default}

When command authorization is enabled, the router will check if the user is authorized to run the specified command. It is useless to authorize both exec and commands against the local database since the privilege level defined there will be the same for both authorization types. It makes sense to authorize commands against another server where allowed commands for each user can be defined. A user is able to run all commands enabled for its privilege level and all inferior levels, but authorization will only be checked for the commands enabled at the PRIV-LEVEL specified in the authorization command. By default, only exec commands are checked. To enable authorization for configuration commands also, use:

R(config)# aaa authorization config-commands

Authorize PPP

To enable authorization for PPP, use:

R(config-if)# ppp autorization {default|LIST-NAME}


Accounting keeps track of the users’s actions while connected to the system.

Accounting Lists

To define an accounting list, use:

R(config)# aaa accounting LIST-TYPE {default|LIST-NAME} {start-stop|stop-only|none} METHOD-LIST
 network           For network services. (PPP, SLIP, ARAP)
 connection        For outbound connections. (telnet, rlogin)
 exec              For starting an exec (shell).
 system            For system events.
 commands          For exec (shell) commands.
 group radius      Uses RADIUS
 group tacacs+     Uses TACACS+

Applying accounting lists

Line accounting

To enable line accounting, use:

R(config)# accounting {exec|connection|commands|resource} {default|LIST-NAME}
! exec = info about EXEC sessions
! commands = info about commands issued
! connections = info about outbound connections
! resource = info about passed and failed authentications

Interface accounting

PPP Accounting

To enable PPP accounting, use:

R(config-if)# ppp accounting {default|LIST-NAME}
! info about PPP sessions, including packet and byte count

Last updated