AAA Framework

Authentication, authorization, and accounting framework for Cisco device and network access control.

Enable AAA Globally

aaa new-model — required before any AAA command takes effect
Switch(config)# aaa new-model
Once aaa new-model is enabled, all authentication falls under AAA control. If you lose your RADIUS/TACACS+ server without a local fallback method, you lock yourself out. Always configure local fallback before enabling.

Authentication Method Lists

Default login authentication — RADIUS first, local database fallback
Switch(config)# aaa authentication login default group radius local
Named method list — apply to specific lines instead of all
Switch(config)# aaa authentication login ADMIN-ACCESS group tacacs+ local
Switch(config)# line vty 0 15
Switch(config-line)# login authentication ADMIN-ACCESS
Enable password authentication — TACACS+ first, then enable secret
Switch(config)# aaa authentication enable default group tacacs+ enable

Authorization

Exec authorization — controls shell access and privilege level on login
Switch(config)# aaa authorization exec default group tacacs+ local
Network authorization — required for RADIUS VLAN push and downloadable ACLs
Switch(config)# aaa authorization network default group radius
Commands authorization — per-command approval via TACACS+ (levels 1 and 15)
Switch(config)# aaa authorization commands 1 default group tacacs+ local
Switch(config)# aaa authorization commands 15 default group tacacs+ local

Accounting

Exec accounting — log when users enter and exit exec sessions
Switch(config)# aaa accounting exec default start-stop group tacacs+
Commands accounting — log every command entered at privilege level 15
Switch(config)# aaa accounting commands 15 default start-stop group tacacs+
Network accounting — log 802.1X/MAB session start and stop
Switch(config)# aaa accounting network default start-stop group radius

Local User Database

Create local admin with privilege 15 — fallback when RADIUS/TACACS+ unreachable
Switch(config)# username admin privilege 15 algorithm-type scrypt secret <PASSWORD>
algorithm-type scrypt is the strongest hash available on IOS-XE; it is stored in the running configuration as secret 9 (scrypt). On older platforms you may see secret 9 (scrypt) or secret 5 (MD5 — avoid).

RADIUS vs TACACS+ Method Groups

Assign specific servers to named groups — isolate auth domains
Switch(config)# aaa group server radius ISE-SERVERS
Switch(config-sg-radius)# server name ise-01
Switch(config-sg-radius)# server name ise-02

Switch(config)# aaa group server tacacs+ TAC-SERVERS
Switch(config-sg-tacacs+)# server name tac-01
Use named groups in method lists
Switch(config)# aaa authentication login default group ISE-SERVERS local
Switch(config)# aaa authorization exec default group TAC-SERVERS local

Applying to Lines

VTY lines — SSH access with named method lists
Only the ADMIN-ACCESS login list is defined above; the exec authorization and commands accounting lists named ADMIN-ACCESS must also be defined globally before being applied here, or those line commands reference nothing.
Switch(config)# line vty 0 15
Switch(config-line)# login authentication ADMIN-ACCESS
Switch(config-line)# authorization exec ADMIN-ACCESS
Switch(config-line)# accounting commands 15 ADMIN-ACCESS
Switch(config-line)# transport input ssh
Console line — local-only fallback for out-of-band recovery
Switch(config)# aaa authentication login CONSOLE local
Switch(config)# line con 0
Switch(config-line)# login authentication CONSOLE

Verification

Show the active AAA configuration
Switch# show aaa method-lists all
Switch# show aaa servers
Switch# show aaa sessions
Test AAA authentication against a specific server
Switch# test aaa group ISE-SERVERS admin <PASSWORD> new-code

Expected output: User successfully authenticated

Method List Evaluation Order

The method list is a prioritized fallback chain. AAA tries each method left to right:

  • If the server responds with reject — authentication fails immediately (no fallback).

  • If the server is unreachable — AAA moves to the next method in the list.

  • local at the end catches server-unreachable scenarios, not rejected credentials.

This distinction matters: a typo in your RADIUS shared secret causes the server to silently drop packets, which looks like "unreachable" and falls through to local. A correct secret with wrong credentials returns an explicit reject and stops.
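Because local only catches the unreachable case, every list that guards device access should end in a server-independent method, and every named list applied under a line must actually exist. The following is an added example, not part of the original page: a small Python linter that reads a constructed running-config excerpt (it assumes plain show running-config text) and flags the missing aaa new-model, method lists with no local fallback, and named lists applied under a line but never defined.

```python
import re

# Constructed running-config excerpt (not from a real device). It contains two
# deliberate mistakes: the ADMIN-ACCESS login list has no local fallback, and
# the exec authorization list ADMIN-ACCESS applied to vty is never defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login ADMIN-ACCESS group tacacs+
aaa authorization exec default group tacacs+ local
line vty 0 15
 login authentication ADMIN-ACCESS
 authorization exec ADMIN-ACCESS
 transport input ssh
line con 0
 login authentication default
"""

# Methods that succeed without a reachable server, i.e. a real fallback.
LOCAL_METHODS = {"local", "local-case", "enable", "line", "none"}

# Global definition keyword -> keyword used when applying the list under a line.
DEF_TO_APPLY = {"authentication login": "login authentication",
                "authorization exec": "authorization exec"}

DEF_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
APPLY_RE = re.compile(r"^(login authentication|authorization exec) (\S+)$")


def lint_aaa(config):
    """Return human-readable findings for lockout-prone AAA configuration."""
    findings = []
    defined = {}        # (apply keyword, list name) -> method tokens
    applied = []        # (apply keyword, list name, line context)
    context = None
    has_new_model = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            has_new_model = True
        elif line.startswith("line "):
            context = line
        elif m := DEF_RE.match(line):
            kind, name, methods = m.groups()
            defined[(DEF_TO_APPLY[kind], name)] = methods.split()
        elif (m := APPLY_RE.match(line)) and context:
            applied.append((m.group(1), m.group(2), context))
    if not has_new_model:
        findings.append("aaa new-model is missing: no method list takes effect")
    for (kind, name), methods in defined.items():
        if not LOCAL_METHODS & set(methods):   # no server-independent method
            findings.append(f"{kind} {name}: no local fallback, a server outage locks you out")
    for kind, name, context in applied:
        if name != "default" and (kind, name) not in defined:
            findings.append(f"{context}: {kind} {name} is applied but never defined")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config | section aaa|line before enabling aaa new-model on a device; an empty result means every applied list exists and ends in a fallback.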