Configure AAA for device and network access such as TACACS+ and RADIUS

📘CompTIA Security+ (SY0-701)


1. What is AAA?

AAA stands for:

  • Authentication
  • Authorization
  • Accounting

AAA is a security framework used to control who can access network devices and services, what they are allowed to do, and to keep records of their actions.

AAA is used on:

  • Routers
  • Switches
  • Firewalls
  • VPN gateways
  • Wireless controllers
  • Network access servers

AAA is very important for enterprise security and is heavily tested in the 350-701 exam.


2. Why AAA is Important in Networks

Without AAA:

  • Devices use local usernames and passwords
  • No centralized control
  • No logging of user actions
  • Hard to manage many devices

With AAA:

  • Centralized user management
  • Strong authentication
  • Role-based access
  • Full logging and auditing
  • Better compliance and security

3. The Three Parts of AAA

3.1 Authentication – “Who are you?”

Authentication verifies the identity of a user or device.

Examples in an IT environment:

  • Network administrator logging into a router
  • User connecting to Wi-Fi
  • VPN user accessing the corporate network

Common authentication methods:

  • Username and password
  • Certificates
  • Tokens
  • Multi-factor authentication (MFA)

3.2 Authorization – “What are you allowed to do?”

Authorization decides what actions the authenticated user can perform.

Examples:

  • Read-only access to a switch
  • Full administrative access to a firewall
  • Permission to access specific network services

Authorization can control:

  • CLI commands
  • Configuration modes
  • Network services
  • VLAN or policy assignment

3.3 Accounting – “What did you do?”

Accounting records user activity.

It logs:

  • Login and logout time
  • Commands entered
  • Services accessed
  • Session duration

Accounting is used for:

  • Auditing
  • Compliance
  • Troubleshooting
  • Security investigations

4. AAA Deployment Models

4.1 Local AAA

  • User accounts stored locally on the device
  • Suitable only for small networks
  • Not scalable

Limitations:

  • No centralized management
  • No detailed accounting
  • Difficult to maintain

4.2 Centralized AAA

  • AAA server stores user information
  • Devices communicate with the server
  • Scalable and secure

Common AAA servers:

  • Cisco ISE
  • Cisco Secure ACS (legacy)
  • FreeRADIUS
  • Microsoft NPS

Centralized AAA is the recommended and exam-relevant approach.


5. AAA Protocols Used in Cisco Networks

Cisco mainly uses two AAA protocols:

  1. TACACS+
  2. RADIUS

Understanding the differences between TACACS+ and RADIUS is critical for the exam.


6. TACACS+

6.1 What is TACACS+?

TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco-developed AAA protocol.

It is mainly used for:

  • Device administration
  • Management plane access

6.2 TACACS+ Characteristics

Feature              TACACS+
Transport protocol   TCP
Port number          49
Encryption           Entire payload encrypted
Authentication       Yes
Authorization        Yes (command-level)
Accounting           Yes
Cisco support        Excellent

6.3 TACACS+ Functions

TACACS+ handles the three AAA functions as separate, independent exchanges:

  • Authentication
  • Authorization
  • Accounting

This allows:

  • Very detailed control
  • Per-command authorization

Example in IT environment:

  • Administrator logs into a router
  • Server allows only show commands
  • Configuration commands are denied

6.4 TACACS+ Use Cases (Exam-Relevant)

TACACS+ is best used for:

  • Router and switch CLI access
  • Firewall administration
  • Network device management
  • Privileged access control

7. RADIUS

7.1 What is RADIUS?

RADIUS (Remote Authentication Dial-In User Service) is an industry-standard AAA protocol.

It is widely used for:

  • Network access
  • User authentication

7.2 RADIUS Characteristics

Feature              RADIUS
Transport protocol   UDP
Port number          1812 (auth), 1813 (accounting)
Encryption           Password only
Authentication       Yes
Authorization        Limited
Accounting           Yes
Vendor support       Multi-vendor

7.3 RADIUS Functions

RADIUS combines:

  • Authentication and authorization in a single exchange (the server's accept reply also carries the authorization attributes)

It does not support command-level authorization.

Example in IT environment:

  • User connects to wireless network
  • RADIUS verifies credentials
  • Assigns VLAN or access policy

7.4 RADIUS Use Cases (Exam-Relevant)

RADIUS is best used for:

  • Wireless authentication (802.1X)
  • VPN user access
  • Network access control (NAC)
  • User-based access
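The wireless/NAC flow described in 7.3 and 7.4 (user connects, RADIUS verifies the credentials, the server assigns a VLAN or policy), shown as an added example of 802.1X network access on a wired Cisco IOS/IOS-XE access switch; the same RADIUS method lists apply on a wireless controller. This is not configuration from the original notes; the server name, address, interface and the CHANGE-ME secret are assumed values:

```cisco
! Added example (not from the original notes): RADIUS-based 802.1X network access
! with server-assigned VLAN on a Cisco IOS/IOS-XE access switch.
! Server name, address, interface and the shared secret are assumed values.
aaa new-model
!
! RADIUS server (assumed address); UDP 1812 = authentication, 1813 = accounting
radius server ISE-RAD-1
 address ipv4 10.0.0.20 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
!
aaa group server radius DOT1X-RADIUS
 server name ISE-RAD-1
!
! 802.1X authentication goes to the RADIUS group; "authorization network" lets the
! switch apply the VLAN / policy attributes the server returns in its accept reply
aaa authentication dot1x default group DOT1X-RADIUS
aaa authorization network default group DOT1X-RADIUS
! Session accounting (start/stop) so every network login is recorded
aaa accounting dot1x default start-stop group DOT1X-RADIUS
!
! Enable 802.1X globally, then on the user-facing access port
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
```

Note that no command-level authorization appears here: RADIUS authorizes the session as a whole (VLAN, ACL, policy) and cannot approve or deny individual CLI commands, which is the distinction section 8 tests.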

8. TACACS+ vs RADIUS (Very Important for Exam)

Feature                TACACS+              RADIUS
Primary use            Device management    Network access
Protocol               TCP                  UDP
Encryption             Full packet          Password only
Command authorization  Yes                  No
Reliability            High (TCP)           Lower (UDP)
Cisco preference       Yes                  Neutral
Best for               Admin access         User access

Exam Tip:
If the question mentions device administration or command control → TACACS+
If the question mentions user access or network login → RADIUS


9. AAA Process Flow (Step-by-Step)

  1. User attempts access
  2. Device contacts AAA server
  3. Authentication is performed
  4. Authorization rules are applied
  5. Access is granted or denied
  6. Accounting records are generated

10. AAA Configuration Concepts (Exam Focus)

10.1 AAA Method Lists

A method list defines which AAA methods a device tries and in what order; separate lists exist for authentication, authorization, and accounting.

Example:

  • Try TACACS+ first
  • If unavailable, use local database

This ensures:

  • High availability
  • Backup access

10.2 Fallback Mechanism

Fallback is used when:

  • AAA server is unreachable

Common fallback:

  • Local username/password

Exam Tip: Always ensure fallback access is configured.


10.3 Server Groups

AAA servers can be grouped to provide:

  • Load sharing
  • Redundancy
  • High availability

Example:

  • Multiple TACACS+ servers in a group
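The process flow in section 9 and the method-list, fallback and server-group concepts in 10.1 to 10.3 (plus the "server allows only show commands" idea from 6.3), as they would be typed on a Cisco IOS/IOS-XE device. This is an added example written for these notes, not configuration taken from the original page or from Cisco documentation; the server names, IP addresses, the fallback username and the CHANGE-ME secrets are assumed placeholders:

```cisco
! Added example (not from the original notes): TACACS+ device administration
! with a redundant server group, named method lists and local fallback.
! Server names, addresses, username and secrets are assumed placeholder values.
aaa new-model
!
! Local account used ONLY when every TACACS+ server is unreachable (fallback)
username admin-fallback privilege 15 secret CHANGE-ME-local-password
!
! Two TACACS+ servers (assumed addresses) in one server group for redundancy;
! the device tries them in order and moves to the next method if none answers
tacacs server ISE-TAC-1
 address ipv4 10.0.0.10
 key CHANGE-ME-shared-secret
tacacs server ISE-TAC-2
 address ipv4 10.0.0.11
 key CHANGE-ME-shared-secret
!
aaa group server tacacs+ ADMIN-TACACS
 server name ISE-TAC-1
 server name ISE-TAC-2
!
! Method lists: try the TACACS+ group first, then the local database
aaa authentication login ADMIN-LOGIN group ADMIN-TACACS local
aaa authorization exec ADMIN-EXEC group ADMIN-TACACS local
! Per-command authorization: the server's command sets decide whether a role may
! run only "show" commands or also configure. "if-authenticated" means that when
! all servers are down, an admin who already passed local fallback keeps working.
aaa authorization commands 1 ADMIN-CMD group ADMIN-TACACS if-authenticated
aaa authorization commands 15 ADMIN-CMD group ADMIN-TACACS if-authenticated
! Accounting: session start/stop plus every command entered at levels 1 and 15
aaa accounting exec default start-stop group ADMIN-TACACS
aaa accounting commands 1 default start-stop group ADMIN-TACACS
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
! Apply the named lists to the remote management lines (SSH only)
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
 authorization commands 1 ADMIN-CMD
 authorization commands 15 ADMIN-CMD
 accounting exec default
 accounting commands 1 default
 accounting commands 15 default
 transport input ssh
```

Keep an existing console session open while applying this: a typo in a method list that is already bound to the vty lines can lock out new logins, and the open session is the way back in. `show tacacs` and `show aaa servers` show per-server request and timeout counters, which is how to confirm that both group members are reachable before relying on the fallback entry.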

11. AAA and Network Security

AAA supports:

  • Principle of least privilege
  • Role-based access control (RBAC)
  • Centralized policy enforcement
  • Compliance requirements

AAA integrates with:

  • Firewalls
  • VPNs
  • Wireless controllers
  • Network access control systems

12. Common Exam Scenarios

You should be able to:

  • Identify when to use TACACS+ vs RADIUS
  • Understand AAA workflow
  • Recognize authentication vs authorization vs accounting
  • Select the correct protocol based on use case
  • Understand centralized vs local AAA

13. Key Exam Points to Remember

  • AAA = Authentication, Authorization, Accounting
  • TACACS+ is best for device administration
  • RADIUS is best for network user access
  • TACACS+ encrypts the entire packet
  • RADIUS uses UDP and encrypts only passwords
  • Accounting is used for auditing and logging
  • Centralized AAA is more secure and scalable

14. Summary

AAA is a core security concept in the Cisco 350-701 exam.
It ensures:

  • Secure access
  • Controlled permissions
  • Full activity tracking

Understanding how TACACS+ and RADIUS work, their differences, and where they are used is essential to pass the exam and design secure networks.
