5.1 Configure and verify device access control
📘CCNP ENCOR (350-401 ENCOR v1.1)
1. What is AAA?
AAA stands for:
- Authentication – Who are you?
- Authorization – What are you allowed to do?
- Accounting – What did you do?
AAA is a security framework used on Cisco devices (routers, switches, wireless controllers) to control who can access the device, what commands they can run, and to keep logs of their actions.
AAA is mandatory knowledge for the CCNP ENCOR exam.
2. Why AAA Is Needed
Without AAA:
- Anyone who knows the shared line or enable password gets full access, and that password cannot be revoked for one person without changing it for everyone
- No command-level control
- No record of who did what
- Weak security and no accountability
With AAA:
- Each user logs in with their own username
- Different users get different privilege levels
- All login attempts and commands can be tracked
AAA is commonly used with:
- Local user database
- RADIUS servers
- TACACS+ servers
3. AAA Components Explained
3.1 Authentication
Authentication answers the question:
“Is this user really who they claim to be?”
On Cisco devices, authentication can use:
- Local username/password
- RADIUS server
- TACACS+ server
Example (IT Environment)
- Network administrator connects via SSH
- Device asks for username and password
- Credentials are checked locally or on a server
- Access is granted or denied
Authentication Methods
Authentication can be done for:
- Device login (console, VTY/SSH)
- Enable mode
- Network access (VPN, wireless, wired)
3.2 Authorization
Authorization answers the question:
“What is this authenticated user allowed to do?”
Authorization controls:
- Privilege level
- Allowed commands
- Allowed services
Example
- User1 can run show commands only
- User2 can configure interfaces
- User3 has full administrative access
Authorization can control:
- EXEC shell access
- Privilege levels (0–15)
- Individual commands
3.3 Accounting
Accounting answers the question:
“What actions did the user perform?”
Accounting keeps logs of:
- Login and logout times
- Commands executed
- Session duration
These records are sent to a RADIUS or TACACS+ server. The device itself keeps no durable AAA accounting store (only syslog), so with no reachable server the record is simply lost.
Accounting is important for:
- Security audits
- Troubleshooting
- Compliance requirements
4. AAA Operation Flow
The typical AAA process follows this order:
- Authentication: verify username/password
- Authorization: assign permissions and privilege level
- Accounting: log user activity
If authentication fails → access is denied
If EXEC authorization fails → the shell is refused; if a single command fails authorization → only that command is rejected
If accounting fails (no server responds) → the session still proceeds, but the record is lost
5. Enabling AAA on Cisco Devices
AAA is disabled by default.
Command to Enable AAA
aaa new-model
Once this command is entered:
- Every line (console, aux, VTY) is governed by AAA method lists; the legacy line commands login and login local no longer apply
- Until you define method lists, the built-in default list is in force and uses local authentication, so a local username must already exist
- Named lists do nothing until they are applied under a line
⚠️ Important for exam:
Entering aaa new-model with no local username, or pointing every method list at an unreachable server with no local fallback, locks you out. Keep your current session open and confirm a fresh login from a second session before you disconnect.
6. Authentication Using AAA
6.1 Local Authentication
Uses usernames stored on the device.
Create Local User
username admin privilege 15 secret Cisco123
Use secret, not password: secret stores a salted hash, while password stores the credential in cleartext or as reversible type 7 encoding.
Configure Authentication Method List
aaa authentication login LOCAL_AUTH local
Apply to VTY Lines
line vty 0 4
login authentication LOCAL_AUTH
transport input ssh
Now:
- SSH users on VTY 0-4 must authenticate against the local username database
- The console still uses the default list, which must also be defined (a default list pointing at local keeps the console usable)
6.2 RADIUS Authentication
RADIUS is commonly used for:
- Network access (VPN, Wi-Fi)
- Centralized authentication
RADIUS Characteristics
- Uses UDP (1812 for authentication, 1813 for accounting; legacy 1645/1646)
- Combines authentication and authorization in one Access-Request/Access-Accept exchange
- Hides only the User-Password attribute; the username and every other attribute cross the wire in cleartext
- Less granular command control (no per-command authorization)
Configure RADIUS Server
radius server RAD1
address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
key CiscoKey
Use RADIUS for Login
aaa authentication login RAD_AUTH group radius local
If no RADIUS server responds → fall back to the local database. An explicit Access-Reject from a live server ends the attempt; the local database is not consulted.
6.3 TACACS+ Authentication
TACACS+ is preferred for device administration.
TACACS+ Characteristics
- Uses TCP port 49
- Separates authentication, authorization and accounting into independent exchanges
- Supports command-level authorization
- Obfuscates the entire packet body with an MD5 keystream derived from the shared key (the 12-byte header stays in cleartext); this is not modern encryption, so keep TACACS+ traffic on a protected management network
Configure TACACS+ Server
tacacs server TAC1
address ipv4 192.168.1.20
key CiscoKey
Authentication Method List
aaa authentication login TAC_AUTH group tacacs+ local
7. Authorization Using AAA
Authorization defines what the user can do after login.
7.1 EXEC Authorization
Controls access to EXEC mode and privilege levels.
aaa authorization exec EXEC_AUTH group tacacs+ local
This allows:
- Server to assign privilege level
- Local fallback if server is unreachable
7.2 Command Authorization
Controls which commands a user can run.
aaa authorization commands 15 CMD_AUTH group tacacs+ local
This means:
- Every command entered at privilege level 15 is sent to the TACACS+ server, which permits or denies it before it executes
- If no server responds, the local method permits the command based on the user's privilege level alone
- Commands at other privilege levels need their own list (for example level 1 for show commands); configuration-mode commands are checked as well, controlled by aaa authorization config-commands
- Like every named list, EXEC_AUTH and CMD_AUTH take effect only after being applied under the line
8. Accounting Using AAA
Accounting records user activity.
8.1 Login Accounting
aaa accounting exec EXEC_ACCT start-stop group tacacs+
Records:
- Login time
- Logout time
- User identity
8.2 Command Accounting
aaa accounting commands 15 CMD_ACCT start-stop group tacacs+
Records:
- Every command entered at privilege level 15, with the user, the line and the timestamp
- Other privilege levels need their own accounting list; both lists take effect only after being applied under the line
9. Method Lists (Very Important for Exam)
AAA uses method lists to define behavior.
Structure
aaa <function> <type> <method-list-name> <methods>
Example
aaa authentication login default group tacacs+ local
Order matters:
- Try TACACS+
- If no server responds → try local
- If a server answers with a reject → stop; local is not tried
Common Method List Names:
- default (applies automatically to every line that has no named list; list names are case-sensitive, so DEFAULT would be an ordinary custom list)
- Custom names (take effect only where applied under a line)
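Walking a method list the way the device does, as an added example that is not part of this note or of any Cisco software: the back-ends below are constructed stand-ins for a TACACS+/RADIUS server group and the local username database, and the accounts and passwords are made up. It shows the point that trips people up in the exam and in production: the next method is tried only when the current one cannot answer; a reject from a live server ends the login without consulting local.

```python
"""Walk a Cisco IOS AAA method list the way the device does.

Added example, not Cisco code. Back-ends are constructed stand-ins for a
TACACS+/RADIUS server group and the local username database. The rule
modelled is the documented one: IOS moves to the next method only when the
current one returns an ERROR (no server answered); a definite reject ends
the attempt, so 'group tacacs+ local' never lets a server-rejected user in
through the local database.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the user
    ERROR = "error"  # method could not answer (timeout, no reachable server)


def parse_method_list(cmd):
    """'aaa authentication login TAC_AUTH group tacacs+ local' -> ('TAC_AUTH', ['group tacacs+', 'local'])"""
    toks = cmd.split()
    if toks[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("expected an 'aaa authentication login' command")
    name, rest, methods, i = toks[3], toks[4:], [], 0
    while i < len(rest):
        if rest[i] == "group":          # 'group' takes the server-group name as its argument
            methods.append("group " + rest[i + 1])
            i += 2
        else:                           # local, local-case, enable, none, line
            methods.append(rest[i])
            i += 1
    return name, methods


def make_backends(tacacs_up, radius_up, server_users, local_users):
    """Constructed back-ends keyed by the method keyword used in the IOS command."""
    def server(reachable):
        def check(user, pw):
            if not reachable:
                return Result.ERROR                       # timeout: no answer at all
            return Result.PASS if server_users.get(user) == pw else Result.FAIL
        return check

    def local(user, pw):
        return Result.PASS if local_users.get(user) == pw else Result.FAIL

    return {
        "group tacacs+": server(tacacs_up),
        "group radius": server(radius_up),
        "local": local,
        "none": lambda user, pw: Result.PASS,             # no authentication at all
    }


def evaluate(methods, backends, user, pw):
    """Return (outcome, deciding_method). deciding_method is None when every method errored."""
    for method in methods:
        r = backends[method](user, pw)
        if r is Result.PASS:
            return Result.PASS, method
        if r is Result.FAIL:
            return Result.FAIL, method    # reject: later methods are NOT consulted
        # ERROR: fall through to the next method
    return Result.ERROR, None             # nothing answered: login denied (lockout)


if __name__ == "__main__":
    name, methods = parse_method_list("aaa authentication login TAC_AUTH group tacacs+ local")
    servers = {"alice": "s3rv-pw"}                       # constructed server-side account
    locals_ = {"alice": "l0cal-pw", "admin": "Cisco123"} # constructed local usernames
    for label, up in (("TACACS+ reachable", True), ("TACACS+ down", False)):
        backends = make_backends(up, up, servers, locals_)
        for user, pw in (("alice", "s3rv-pw"), ("alice", "l0cal-pw"), ("admin", "Cisco123")):
            print(f"{name} [{label}] {user}: {evaluate(methods, backends, user, pw)}")
```

Note the admin case: a user that exists only in the local database is rejected while the server is reachable, because the server answers FAIL and local is never reached. The local fallback protects you when the server is down, not when it disagrees with you; the local account must also exist on the server if it is meant to work at all times.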
10. Verification Commands (Exam-Critical)
Check AAA Configuration
show running-config | section aaa
Check Authentication Status
show aaa servers
Test Authentication
test aaa group tacacs+ <username> <password>
(some images also require a trailing legacy or new-code keyword; run it from a session that is already logged in so a failure cannot lock you out)
Check Accounting Logs
show accounting
This shows only sessions currently being accounted on the device; the complete trail lives on the RADIUS or TACACS+ server.
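A static check of the whole configuration built up in sections 5 to 9, as an added example (not Cisco code and not a tool from this note): GOOD_CONFIG is a constructed running-config that applies every named list under the lines, BAD_CONFIG is a constructed one containing the mistakes from section 13, and audit() reports what a reviewer would flag. The server addresses, list names and the type-7 string are all made up.

```python
"""Static audit of the AAA section of a Cisco IOS running-config.

Added example, not Cisco code. It parses the text 'show running-config'
produces for the aaa commands and the line blocks, and flags the lockout
and weak-setting mistakes covered in this note. Both sample configurations
are constructed; GOOD_CONFIG is the complete, line-applied version of the
commands from sections 5 to 9.
"""
import re

_KINDS = r"authentication login|authorization exec|authorization commands \d+|accounting exec|accounting commands \d+"
_DEF_RE = re.compile(rf"^aaa ({_KINDS}) (\S+) (.+)$")             # global: aaa <kind> <name> <methods>
_REF_RE = re.compile(rf"^(login authentication|{_KINDS}) (\S+)$")   # under a line: <kind> <name>

GOOD_CONFIG = """\
aaa new-model
!
username admin privilege 15 secret Cisco123
!
radius server RAD1
 address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
 key CiscoKey
!
tacacs server TAC1
 address ipv4 192.168.1.20
 key CiscoKey
!
aaa authentication login default local
aaa authentication login TAC_AUTH group tacacs+ local
aaa authorization exec EXEC_AUTH group tacacs+ local
aaa authorization commands 15 CMD_AUTH group tacacs+ local
aaa accounting exec EXEC_ACCT start-stop group tacacs+
aaa accounting commands 15 CMD_ACCT start-stop group tacacs+
!
line con 0
 login authentication default
line vty 0 4
 login authentication TAC_AUTH
 authorization exec EXEC_AUTH
 authorization commands 15 CMD_AUTH
 accounting exec EXEC_ACCT
 accounting commands 15 CMD_ACCT
 transport input ssh
"""

BAD_CONFIG = """\
username ops privilege 15 password 7 094F471A1A0A
enable password cisco
aaa authentication login TAC_ONLY group tacacs+
aaa authentication login OPEN none
line vty 0 4
 login authentication TAC_ONLY
 authorization exec EXEC_AUTH
 transport input telnet ssh
"""


def parse_config(text):
    """Split into global commands and {line block: [child commands]}; other blocks' children are ignored."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        else:
            current = None
            globals_.append(cmd)
    return globals_, blocks


def methods_of(kind, spec):
    """'start-stop group tacacs+ local' -> ['group tacacs+', 'local']"""
    toks = spec.split()
    if kind.startswith("accounting") and toks and toks[0] in ("start-stop", "stop-only", "wait-start"):
        toks = toks[1:]
    out, i = [], 0
    while i < len(toks):
        if toks[i] == "group":
            out.append("group " + toks[i + 1]); i += 2
        else:
            out.append(toks[i]); i += 1
    return out


def audit(config_text):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    findings, defined, referenced = [], {}, set()
    globals_, blocks = parse_config(config_text)
    if "aaa new-model" not in globals_:
        findings.append("aaa new-model missing: method lists will not take effect")
    for cmd in globals_:
        m = _DEF_RE.match(cmd)
        if m:
            kind, name, spec = m.groups()
            defined[(kind, name)] = methods_of(kind, spec)
        if cmd.startswith("username ") and " password " in cmd:
            findings.append(f"weak credential storage: '{cmd.split()[1]}' uses password instead of secret")
        if cmd.startswith("enable password"):
            findings.append("enable password is reversible: use enable secret")
    for (kind, name), methods in defined.items():
        if kind == "authentication login":
            if "none" in methods:
                findings.append(f"login list {name} contains 'none' (no authentication)")
            if methods[-1] not in ("local", "local-case"):
                findings.append(f"login list {name} has no local fallback: lockout if servers are unreachable")
    for line, cmds in blocks.items():
        for c in cmds:
            m = _REF_RE.match(c)
            if m:
                kind, name = m.groups()
                kind = "authentication login" if kind == "login authentication" else kind
                referenced.add((kind, name))
                if (kind, name) not in defined and name != "default":
                    findings.append(f"{line}: {kind} list {name} is applied but never defined")
        if line.startswith("line vty"):
            transports = [c for c in cmds if c.startswith("transport input")]
            if not transports or transports[0] != "transport input ssh":
                findings.append(f"{line}: transport input should be restricted to ssh")
    for (kind, name) in defined:
        if name != "default" and (kind, name) not in referenced:
            findings.append(f"{kind} list {name} is defined but applied to no line")
    return findings


if __name__ == "__main__":
    for label, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Feed it the output of show running-config (the full text, not just the aaa section, since the line blocks matter) and treat every finding as a lockout or credential-exposure risk to fix before the next maintenance window.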
11. AAA vs Local Authentication (Exam Comparison)
Local usernames are themselves an AAA method (local); the comparison is between a device that relies only on them and one backed by a RADIUS or TACACS+ server.
| Feature | Local usernames only | AAA with RADIUS/TACACS+ |
|---|---|---|
| Centralized control | No (accounts live on every device) | Yes |
| Per-user permissions | Privilege level only | Full (per user, per command with TACACS+) |
| Command authorization | No (privilege levels only) | Yes |
| Accounting | No | Yes |
| Scalable | No | Yes |
12. RADIUS vs TACACS+ (Must Remember)
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Protocol | UDP | TCP |
| Port | 1812 auth / 1813 acct (legacy 1645/1646) | 49 |
| Encryption | User-Password attribute only; username and all other attributes in cleartext | Entire packet body (12-byte header in cleartext), MD5-keystream obfuscation |
| AAA separation | Authentication and authorization in one exchange | Three independent exchanges |
| Command authorization | No | Yes |
| Best use | Network access (802.1X, VPN, Wi-Fi) | Device administration |
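The encryption row of the table in working code, as an added example that is not from this note or from Cisco: the two algorithms implemented below follow RFC 2865 (RADIUS User-Password hiding) and RFC 8907 (TACACS+ body obfuscation); the username, password, shared key, session ID, NAS address and Request Authenticator are constructed. Building one Access-Request and one TACACS+ authentication START with the same credentials shows exactly which bytes a passive observer still reads.

```python
"""RADIUS vs TACACS+ on the wire: what each protocol actually hides.

Added example, not Cisco code. Implements RFC 2865 s5.2 (User-Password
hiding) and RFC 8907 s4.5 (TACACS+ body obfuscation) and builds one packet
of each kind with the same constructed credentials and shared key. Both
algorithms are MD5 keystreams keyed by the shared secret, not modern
authenticated encryption.
"""
import hashlib
import os
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS (RFC 2865) -----------------------------------------------------

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; block i is XORed with MD5(secret + previous ciphertext block),
    the first block with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          ident: int = 1, authenticator: bytes = None) -> bytes:
    """Code 1 Access-Request with User-Name (1), User-Password (2), NAS-IP-Address (4)."""
    authenticator = authenticator or os.urandom(16)      # Request Authenticator, sent in clear
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = (bytes([1, 2 + len(username)]) + username    # User-Name: cleartext on the wire
             + bytes([2, 2 + len(hidden)]) + hidden      # User-Password: the only hidden field
             + bytes([4, 6]) + bytes([192, 168, 1, 1]))  # NAS-IP-Address (constructed)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def radius_attributes(packet: bytes) -> dict:
    """Parse the TLV attribute list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs


# ---- TACACS+ (RFC 8907) ----------------------------------------------------

TAC_PLUS_VERSION = 0xC0   # major 0xC, minor 0
TAC_PLUS_AUTHEN = 1       # packet type: authentication


def tacacs_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """pad = MD5(sid|key|ver|seq) | MD5(sid|key|ver|seq|MD5_1) | ... truncated to body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """XOR with the pad; symmetric, so the same call recovers the plaintext body."""
    return _xor(body, tacacs_pad(key, session_id, version, seq_no, len(body)))


def tacacs_authen_start(username: bytes, password: bytes, key: bytes,
                        session_id: int, seq_no: int = 1) -> bytes:
    """Authentication START for PAP: action LOGIN(1), priv_lvl 1, authen_type PAP(2), service LOGIN(1)."""
    port, rem_addr = b"tty2", b"192.0.2.10"              # constructed line name and client address
    body = struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    body += username + port + rem_addr + password         # everything here gets obfuscated
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, key, session_id, TAC_PLUS_VERSION, seq_no)


def wire_exposure(packet: bytes, username: bytes, password: bytes) -> dict:
    """What a passive observer without the shared key can read straight out of the packet."""
    return {"username": username in packet, "password": password in packet}


if __name__ == "__main__":
    secret, user, pw = b"CiscoKey", b"admin", b"Cisco123"         # constructed
    req = radius_access_request(user, pw, secret, authenticator=bytes(range(16)))
    tac = tacacs_authen_start(user, pw, secret, session_id=0x1234ABCD)
    print("RADIUS  ", req.hex(), wire_exposure(req, user, pw))
    print("TACACS+ ", tac.hex(), wire_exposure(tac, user, pw))
```

Two practical consequences follow from the code. First, RADIUS leaks the username and every authorization attribute to anyone on the path, which is acceptable for 802.1X port access but not for administrator logins. Second, neither scheme authenticates the body: an observer with the shared key decodes everything, and a wrong key produces garbage rather than an error, so shared keys must be long and unique per device and the traffic should stay on a management network.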
13. Common Exam Mistakes to Avoid
- Forgetting aaa new-model
- No local fallback configured
- Wrong method list applied to lines
- Confusing authentication vs authorization
- Thinking RADIUS supports command control
14. Key Exam Takeaways
- AAA = Authentication, Authorization, Accounting
- Authentication verifies identity
- Authorization controls permissions
- Accounting logs activity
- TACACS+ is best for device administration
- Method lists control AAA behavior
- Order of methods is critical
- Always configure fallback access
