Troubleshoot device security using IOS AAA (TACACS+, RADIUS, local database)

📘CCNP Enterprise – ENARSI (300-410)


1️⃣ What is AAA?

AAA stands for Authentication, Authorization, and Accounting. It’s a framework used on Cisco devices to control who can access the device, what they can do, and track their actions. Think of it as a security system for your network devices.

  • Authentication – “Who are you?”
    Confirms the identity of a user or device. Example: When someone logs in to a router, AAA checks their username/password.
  • Authorization – “What can you do?”
    Determines what actions the user is allowed to perform. Example: A network engineer can configure interfaces, but a helpdesk technician might only view the configuration.
  • Accounting – “What did you do?”
    Tracks what the user did after logging in. Example: Logs show that a user changed an ACL or updated a VLAN.

Key point for the exam: AAA is all about security and tracking on network devices.


2️⃣ AAA Methods Supported by IOS

Cisco IOS supports three main AAA methods for network devices:

a) Local Database

  • Uses usernames and passwords stored locally on the device.
  • Good for small networks or backup access if external servers fail.
  • Example commands:
      username admin privilege 15 secret Cisco123
      aaa new-model
      aaa authentication login default local
  • Exam tip: The local database is configured with username commands and can include privilege levels.

b) TACACS+ (Terminal Access Controller Access-Control System Plus)

  • TCP-based protocol (port 49) used for network device administration.
  • Provides separate authentication, authorization, and accounting.
  • Example: You can allow a user to log in (authentication), but restrict which commands they can run (authorization), and track every command they enter (accounting).
  • Advantages:
    • Encrypts the entire packet body, whereas RADIUS encrypts only the password field (more secure than RADIUS).
    • Granular control over commands.
  • Example IOS configuration:
      aaa new-model
      tacacs-server host 192.168.1.10 key MySecretKey
      aaa authentication login default group tacacs+ local
      aaa authorization exec default group tacacs+ local
      aaa accounting exec default start-stop group tacacs+
  • Exam tip: TACACS+ is preferred for device administration due to command-level authorization.

c) RADIUS (Remote Authentication Dial-In User Service)

  • UDP-based protocol (ports 1812 for authentication, 1813 for accounting).
  • Combines authentication and authorization, but does not provide per-command authorization.
  • Often used for network access control (VPN, 802.1X, wireless LAN).
  • Example IOS configuration:
      aaa new-model
      radius-server host 192.168.1.20 auth-port 1812 acct-port 1813 key MySecretKey
      aaa authentication login default group radius local
      aaa accounting exec default start-stop group radius
  • Exam tip: RADIUS is usually used for network access (users connecting to the network), not for detailed command control on devices.

3️⃣ AAA Troubleshooting Steps

When troubleshooting AAA, there are common things to check:

Step 1: Check AAA Configuration

  • Verify aaa new-model is enabled. Without it, AAA commands won’t work.
  • Check authentication, authorization, and accounting lists: show running-config | include aaa

Step 2: Test Authentication

  • Use test commands to check login: test aaa group tacacs+ username admin password Cisco123
  • Or attempt to log in with SSH/telnet and see if the user can authenticate.

Step 3: Verify Server Reachability

  • Ping the TACACS+/RADIUS server from the device: ping 192.168.1.10
  • Ensure proper secret/key matches between the device and server.

Step 4: Check Logs for Errors

  • Enable debugging:
      debug aaa authentication
      debug aaa authorization
      debug aaa accounting
  • Look for messages like TACACS+ server unreachable or authentication failed.

Step 5: Fallback Mechanism

  • If AAA server fails, ensure local login fallback is configured: aaa authentication login default group tacacs+ local
  • This allows device login using local database if the external server is down.
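As an added example (not part of the original notes), a small Python audit that applies Steps 1, 3 and 5 to a running-config text: it flags a missing aaa new-model, server lines without a shared key, login method lists with no local fallback, and missing exec accounting. The sample config is constructed for the demonstration, and only the legacy tacacs-server host / radius-server host syntax used above is recognised.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device).
# It deliberately contains the faults the troubleshooting steps look for.
SAMPLE_CONFIG = """
hostname R1
username admin privilege 15 secret Cisco123
tacacs-server host 192.168.1.10 key MySecretKey
radius-server host 192.168.1.20 auth-port 1812 acct-port 1813
aaa authentication login default group tacacs+ local
aaa authentication login VTY group radius
aaa authorization exec default group tacacs+ local
line vty 0 4
 login authentication VTY
"""

LOCAL_METHODS = ("local", "local-case")


def audit_aaa(config: str) -> list[str]:
    """Run the checks from the troubleshooting steps and return the findings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # Step 1: without 'aaa new-model' no AAA method list is in effect.
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are not in effect")

    # Step 3: every server definition needs a shared key or requests fail
    # (only the legacy tacacs-server/radius-server host syntax is parsed here).
    servers = [l for l in lines if re.match(r"(tacacs|radius)-server host ", l)]
    for l in servers:
        if " key " not in l:
            findings.append(f"server defined without key: {l}")

    # Step 5: each login method list should end with a local fallback method,
    # otherwise an unreachable server locks administrators out.
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m and m.group(2).split()[-1] not in LOCAL_METHODS:
            findings.append(f"login list {m.group(1)!r} has no local fallback")

    # Accounting: servers are defined but no exec accounting records sessions.
    if servers and not any(l.startswith("aaa accounting exec ") for l in lines):
        findings.append("no 'aaa accounting exec' list: sessions are not recorded")

    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of show running-config | include aaa|server|username (plus the line sections) to get the same report for a real device.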

4️⃣ Key Exam Points

  1. AAA must be enabled using aaa new-model.
  2. TACACS+: TCP, command-level authorization, full encryption.
  3. RADIUS: UDP, combines auth & authorization, less granular control, often used for network access.
  4. Local Database: fallback or small deployments.
  5. Order of AAA methods matters: device tries methods in order; local database is a common fallback.
  6. Debug commands (debug aaa authentication, etc.) are vital for troubleshooting.
  7. Always verify connectivity to AAA servers.
  8. Accounting tracks all user activity; can send logs to TACACS+/RADIUS or local logging.

✅ Quick Troubleshooting Checklist for the Exam

Issue – What to check

  • User cannot log in – Is AAA enabled? Check aaa new-model and the authentication list.
  • Commands denied – Check TACACS+ authorization settings.
  • AAA server unreachable – Ping the server; check keys/secrets, firewall, or connectivity.
  • Accounting not logging – Verify the aaa accounting configuration and server reachability.
  • Failover login – Ensure the local database is configured as fallback.

This content covers everything a CCNP ENARSI candidate needs to pass questions on AAA, TACACS+, RADIUS, and the local database, including troubleshooting.