AAA - jibingl/CCNA-CCNP GitHub Wiki

| Triple A | Known as | Question it answers |
| --- | --- | --- |
| Authentication | Check credentials | Who are you? (username/password, certificate, one-time token) |
| Authorization | Check privileges | What may you do? (exec shell, privilege level, individual commands) |
| Accounting | Logging | What did you do? (session start/stop, commands entered, traffic volume) |

## Protocols

| Protocol | Transport / ports | Encryption | Use case |
| --- | --- | --- | --- |
| RADIUS | UDP 1812 (authentication) and 1813 (accounting); older servers still use 1645/1646 | Only the User-Password attribute is hidden (XORed with an MD5 hash of the shared secret and the request authenticator); usernames, other attributes and accounting records are sent in cleartext | Network access control (802.1X, Wi-Fi, VPN users). Authentication and authorization happen in one exchange |
| TACACS+ | TCP 49 | The whole packet body is encrypted with the shared key; only the 12-byte header is cleartext | Device administration (Cisco CLI access). Authentication, authorization and accounting are separate exchanges, which is what makes per-command authorization possible |

Both protocols rely on a shared secret, and neither is strong by modern standards: the key streams are MD5-based, so a short dictionary word as the key (such as `class` in the lab example below) can be recovered offline from a single captured packet. Use a long random key, and keep AAA traffic on a dedicated management network or inside an IPsec tunnel.

## Configuration Example

Once the global command `aaa new-model` is entered, logins are controlled by AAA method lists instead of the per-line `login` and `password` commands. The `default` list applies to every line (console, vty, aux) that has no named list assigned, and the methods in a list are tried in order: the next method is consulted only when the previous one returns an error (for example no server reachable), not when it rejects the credentials. Create at least one local user with a known password before enabling `aaa new-model`, because the console and vty lines immediately start using the default login list (the local database when no list is defined) and you can lock yourself out otherwise.

```
hostname R1
no ip domain lookup                                               //Stop the router from resolving mistyped commands as hostnames
ip domain name cisco.lab                                          //Required (together with hostname) before RSA keys can be generated for SSH

username admin privilege 15 secret cisco0                         //Local fallback accounts, used only when no TACACS+ server answers
username user1 privilege 1 secret cisco1

aaa new-model                                                     //Enable AAA; line login/password commands are no longer used

tacacs server TACACS1                                             //Define a TACACS+ server named TACACS1
 address ipv4 1.1.1.1                                             //The TACACS+ server IP
 key class                                                        //Shared secret that encrypts the TACACS+ packet body; lab value, use a long random key in production
tacacs server TACACS2
 address fqdn tacacs2.cisco.lab                                   //Resolved via DNS, so it only works if ip domain lookup is enabled and a name server is configured
 key class

radius server RADIUS1                                             //Define a RADIUS server named RADIUS1 (not referenced by any method list below)
 address ipv4 2.2.2.2 auth-port 1812 acct-port 1813               //Ports are optional; 1812/1813 are the defaults
 key class                                                        //Shared secret; without it the router cannot talk to the server

aaa group server tacacs+ TACACS_GROUP1                            //Define a group of TACACS+ servers, tried in the order listed
 server name TACACS1                                              //Add the TACACS+ server TACACS1 into the group
 server name TACACS2

aaa authentication login default group TACACS_GROUP1 local        //Login authentication: ask the TACACS+ group; fall back to local users only if no server answers
aaa authorization exec default group TACACS_GROUP1 local          //Exec authorization: the server (or the local privilege level) decides whether a shell is granted and at which level

password encryption aes                                           //Store the shared keys as AES-encrypted type 6 secrets; a master key must be set first with key config-key password-encrypt

crypto key generate rsa general-keys modulus 2048                 //RSA key pair for the SSH server

interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0

line vty 0 4
 transport input ssh                                              //SSH only; authentication comes from the default AAA list, no "login local" needed
```
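The table lists accounting as the third A, but the example above configures none, and it leaves the console on the same server-dependent default list as the vty lines. The block below is an added example written for this page, not configuration taken from the wiki author; it assumes the server group `TACACS_GROUP1`, the local users and interface `Ethernet0/1` defined above already exist. The method list name `CONSOLE` is a hypothetical name chosen here.

```cisco
! Added example, not part of the original page.
! Assumes TACACS_GROUP1, the local users and Ethernet0/1 from the example above.

! Console: local database only, so a dead TACACS+ server can never lock out the
! physical console. CONSOLE is a hypothetical list name.
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
 exec-timeout 10 0

! Vty: pin the default list explicitly (TACACS+ first, local only on error),
! SSH only, idle sessions dropped after 10 minutes.
line vty 0 4
 login authentication default
 transport input ssh
 exec-timeout 10 0

! Authorization: both the exec shell and every privilege-15 command are
! approved by the server; "local" is consulted only when no server answers.
! "aaa authorization console" is deliberately NOT set, so console logins
! (local-only above) are never held up by an unreachable server.
aaa authorization exec default group TACACS_GROUP1 local
aaa authorization commands 15 default group TACACS_GROUP1 local

! Accounting: record session start/stop and every privilege-15 command on
! the TACACS+ server, which gives a per-user audit trail of configuration changes.
aaa accounting exec default start-stop group TACACS_GROUP1
aaa accounting commands 15 default start-stop group TACACS_GROUP1

! Source AAA traffic from a fixed address so the server's client entry
! (and its shared key) matches regardless of the egress interface.
ip tacacs source-interface Ethernet0/1

! SSH hardening: protocol 2 only, limit password guesses per connection.
ip ssh version 2
ip ssh authentication-retries 3

! Verification from privileged exec (not configuration commands):
!   test aaa group TACACS_GROUP1 admin cisco0 new-code
!       asks the server group to authenticate a user without logging in
!   show aaa servers
!       per-server counters: requests, successes, failures, dead time
!   show tacacs
!       socket state and error counts for each TACACS+ server
!   debug aaa authentication
!       shows the method list being walked for each login attempt
```

Run the `test aaa group` check before closing your existing session: if it reports failure, the vty lines will still admit the local `admin` user only when no server answers at all, so a server that is reachable but rejecting (wrong key, missing device entry) locks out everything except the console configured here.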