Sunday, December 1, 2013

Implementing AAA Services on IOS Devices with RADIUS and TACACS

December 2013 • 7 min read

In modern enterprise networks, robust user authentication and access control mechanisms are critical to maintaining a secure infrastructure. Cisco IOS devices offer support for Authentication, Authorization, and Accounting (AAA) services, which enable administrators to enforce consistent access policies and monitor network usage. Two widely adopted AAA protocols in IOS environments are RADIUS and TACACS+.

Understanding AAA

AAA stands for Authentication, Authorization, and Accounting:

  • Authentication verifies a user's identity before granting access to network resources.
  • Authorization determines what an authenticated user is allowed to do.
  • Accounting tracks what users do on the network, including commands entered and sessions initiated.

RADIUS vs TACACS+

Both protocols are used to implement AAA, but they differ in how they handle communication and capabilities:

  • RADIUS (Remote Authentication Dial-In User Service) combines authentication and authorization in a single process. It uses UDP and is widely used for network access authentication (e.g., VPN, Wi-Fi).
  • TACACS+ (Terminal Access Controller Access-Control System Plus) separates all three functions (authentication, authorization, accounting), uses TCP, and provides more granular command-level control. It is typically preferred for administrative access control on IOS devices.

Configuring AAA on Cisco IOS

To begin using AAA services, you must first enable AAA on the device:

Router(config)# aaa new-model

Configuring RADIUS

Add a RADIUS server and define its shared secret:

Router(config)# radius-server host 192.168.1.10 key radiusSecret
Router(config)# aaa authentication login default group radius local

Configuring TACACS+

For TACACS+, define the server and set up the AAA method:

Router(config)# tacacs-server host 192.168.1.20
Router(config)# tacacs-server key tacacsSecret
Router(config)# aaa authentication login default group tacacs+ local

Fallback Authentication

In both cases, listing local as the last method ensures access if the external server is unreachable. The fallback is used only when the server group does not respond; a server that answers with a rejection does not trigger it, and a local username must already exist on the device for the fallback to be usable.

Authorization and Accounting Examples

To authorize exec shell access and account for exec sessions and the commands users enter (command accounting is only available with TACACS+):

Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# aaa accounting exec default start-stop group tacacs+
Router(config)# aaa accounting commands 15 default start-stop group tacacs+

Use Cases and Deployment Considerations

RADIUS is ideal for end-user authentication, such as wireless access or VPN logins. TACACS+ is preferred for network device management due to its superior command control and logging granularity. Enterprises often deploy both simultaneously, using RADIUS for end-user access and TACACS+ for admin access.

Best Practices

  • Use encrypted transport and strong shared secrets.
  • Segment AAA traffic on a dedicated management network.
  • Regularly audit AAA logs to detect anomalies.
  • Ensure backup user access methods are available.
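As an added example (not from the original post), a small Python audit script that applies several of these checks to a captured running-config excerpt: AAA enabled, local fallback on every login method list, exec authorization, command accounting, and shared-secret length. The sample config is constructed for the example and the 16-character secret threshold is an assumption.

```python
import re

# Constructed running-config excerpt; mirrors the commands shown in the post.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.168.1.10 key radiusSecret
tacacs-server host 192.168.1.20
tacacs-server key tacacsSecret
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
"""

MIN_SECRET_LEN = 16  # assumed policy threshold, not an IOS requirement


def audit_aaa(config: str) -> list:
    """Return a list of human-readable findings for the AAA section of an IOS config."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []

    # Without 'aaa new-model' the method lists below are not in effect at all.
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are ignored")

    # Every login method list should end in 'local' so admins keep access
    # when the RADIUS/TACACS+ servers are unreachable.
    for line in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m and m.group(2).split()[-1] != "local":
            findings.append(f"login list '{m.group(1)}' has no local fallback")

    if not any(line.startswith("aaa authorization exec") for line in lines):
        findings.append("no exec authorization configured")

    # Exec accounting records sessions only; command accounting records what was typed.
    if not any(line.startswith("aaa accounting commands") for line in lines):
        findings.append("no command accounting: admin commands will not be logged")

    # Flag short shared secrets on the legacy radius-server / tacacs-server forms.
    for line in lines:
        m = re.search(r"(?:radius-server host \S+ key|tacacs-server key) (\S+)", line)
        if m and len(m.group(1)) < MIN_SECRET_LEN:
            findings.append(f"short shared secret in: {line}")

    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("-", finding)
```

Paste the output of `show running-config | section aaa|radius-server|tacacs-server` into SAMPLE_CONFIG (or read it from a file) to audit a real device.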
✅ Want to improve your network security posture?
Try implementing AAA services in your test environment to gain better visibility and control.



Eduardo Wnorowski is a network infrastructure consultant and technologist.
With over 18 years of experience in IT and consulting, he brings deep expertise in networking, security, infrastructure, and transformation.
