AAA Authentication with TACACS+ and RADIUS – Step-by-Step Cisco Guide [CCNP ENTERPRISE]

---

Let me take you back to my early network engineering days. We had 10 routers and 20 engineers—and we used the same username and password across all devices. No logs. No traceability. Just convenience… until one fine day, someone made a change that brought the network down—and we had zero visibility into who did it.

That day, I realized that security and accountability in network access isn’t optional—it’s essential.
That’s where AAA (Authentication, Authorization, and Accounting) with RADIUS and TACACS+ comes in.

If you’re preparing for CCNA/CCNP or managing an enterprise network, this article will be your go-to guide to implement AAA with CLI examples, real use cases, and an EVE-NG lab to tie it all together.

---

Theory in Brief

What is AAA?

AAA stands for Authentication, Authorization, and Accounting, and it’s the framework for managing who can access a network device, what they can do, and tracking every action.

• Authentication: Who are you? (Username/Password check)
• Authorization: What are you allowed to do?
• Accounting: What did you do, and when?

---

What are RADIUS and TACACS+?

AAA uses backend servers to process credentials. Two protocols dominate:

1. RADIUS (Remote Authentication Dial-In User Service):
   • Combines authentication and authorization
   • Uses UDP (port 1812)
   • Encrypts only passwords
   • Mostly used for network access (Wi-Fi, VPN, etc.)
2. TACACS+ (Terminal Access Controller Access-Control System Plus):
   • Separates authentication and authorization
   • Uses TCP (port 49)
   • Encrypts entire payload
   • Commonly used for device admin access

---

Local vs Server-Based AAA

You can configure local AAA with usernames stored in the router/switch, or you can point the device to a TACACS+/RADIUS server like Cisco ISE, FreeRADIUS, or TACACS.net.

Server-based AAA is scalable, auditable, and secure—perfect for production environments.

---

Why Use AAA?

• Role-based access control
• Log every change made via CLI
• Block/allow users from a central server
• Compliance (PCI-DSS, ISO, etc.)

If your network matters, AAA matters.

---

AAA: RADIUS vs TACACS+ Comparison

Feature	RADIUS	TACACS+
Transport Protocol	UDP	TCP
Port	1812 (Auth), 1813 (Acct)	49
Encryption	Password Only	Full Payload
Authentication/Authz	Combined	Separate
Use Case	Access (VPN, Wi-Fi)	Admin Login (SSH, Console, Telnet)
Cisco Recommended	Yes (For Network Access)	Yes (For Device Admin Access)

---

Summary

Task	CLI Command Example	Description
Enable AAA	aaa new-model	Turns on AAA framework
Define TACACS+ server	tacacs-server host 10.1.1.100 key Network@123	Add TACACS+ server details
Define RADIUS server	radius-server host 10.1.1.101 key Radius@123	Add RADIUS server details
Define method list	aaa authentication login default group tacacs+ local	Use TACACS+, fallback to local
Apply AAA on VTY lines	line vty 0 4 login authentication default	Apply method list to remote access
View active users	show users	See who’s logged in
View AAA config	`show run	include aaa`
Debug AAA	debug aaa authentication, debug tacacs, debug radius	Real-time troubleshooting

---

Use Case

Scenario	Problem	AAA Benefit
ISP with 50+ routers	No central login control, passwords everywhere	Centralize login with TACACS+
Financial institution	Needs audit logs of CLI commands	Use TACACS+ with accounting
Wi-Fi Access via Captive Portal	Users connect without tracking	Use RADIUS for 802.1X authentication
Multi-admin environment	Everyone uses shared credentials	AAA assigns unique users with per-user access

---

Lab: TACACS+ Configuration (With Realistic Testing)

TOPOLOGY OVERVIEW

---

Step-by-Step Lab Configuration

Step 1: Enable AAA

aaa new-model

---

Step 2: Configure TACACS+ Server

tacacs-server host 10.1.1.100 key Network@123

---

Step 3: Define Authentication Method List

aaa authentication login default group tacacs+ local

---

Step 4: Apply AAA to VTY Lines

line vty 0 4
login authentication default

---

Step 5: Optional Local Fallback User

username admin secret fallback@123

---

Testing Scenarios

Test Case	Expected Result
TACACS+ login from Admin PC	Successful if user is valid
Invalid TACACS+ user login	Access Denied
TACACS+ server offline + local user	Fallback login allowed

---

Troubleshooting Tips

Symptom	Possible Cause	Fix
Login always fails	Wrong key or server IP	Recheck tacacs-server host config
Login times out	UDP packet drop (RADIUS) or port issue	Check firewall, verify UDP/1812 or TCP/49
Local fallback not working	Not defined or wrong method list	Add local to end of method list
Debug not showing results	Debug not enabled or logging turned off	Run debug aaa authentication, term mon
Wrong method list used	Misapplied under VTY or not named properly	Apply with login authentication <list>

---

FAQs

What is the primary purpose of implementing AAA in a network?

Answer:
AAA helps secure access to network devices by:

• Authentication: Verifying user identity before allowing access
• Authorization: Granting specific permissions based on user roles
• Accounting: Logging actions performed by users for auditing purposes

This framework ensures only authorized users gain access and their activities are traceable.

---

2: How does RADIUS differ from TACACS+ in terms of functionality?

Answer:
Here’s a comparison between the two:

• RADIUS:
  • Uses UDP (faster, less reliable)
  • Combines authentication and authorization
  • Encrypts only the password
  • Suitable for Wi-Fi, VPN, and user access
• TACACS+:
  • Uses TCP (connection-oriented)
  • Separates authentication, authorization, and accounting
  • Encrypts the entire payload
  • Preferred for device administration and command-level control

---

3: Can I use both RADIUS and TACACS+ in a single network?

Answer:
Yes, you can. Many organizations use:

• TACACS+ for network device (router/switch) administrative access
• RADIUS for user authentication on VPN, Wi-Fi, and 802.1X setups

You can define separate AAA method lists for different services.

---

4: What happens if the AAA server goes down?

Answer:
If the AAA server becomes unreachable, the device will:

• Check the method list applied to the login method (VTY, Console, etc.)
• If the list includes a fallback (e.g., local), it will use local credentials
• If no fallback is configured, access will be denied

Best Practice: Always include local at the end of the method list for redundancy.

---

5: Is TACACS+ a Cisco proprietary protocol?

Answer:
Yes, TACACS+ is Cisco proprietary, but it is widely supported by:

• Third-party devices like Fortinet, Palo Alto, and Juniper
• Open-source tools like tacacs.net, FreeTACACS+, and commercial systems like Cisco ISE

---

6: What is the best way to test AAA authentication in a lab?

Answer:
Follow these steps in an EVE-NG or GNS3 lab:

1. Set up a Cisco router or switch with aaa new-model
2. Configure a TACACS+ or RADIUS server VM (tacacs.net or FreeRADIUS)
3. Create a user on the server
4. Try logging into the router via SSH
5. Observe whether access is granted or denied and check logs/debugs

Use debug aaa authentication and debug tacacs or debug radius for real-time output.

---

7: Can I log every command a user runs using AAA?

Answer:
Yes, especially with TACACS+, which supports command accounting.

You can:

• Log each EXEC and configuration command
• Track time, user, device, and command history centrally
• Use Cisco ISE, ACS, or other TACACS+ servers with accounting enabled

This helps in compliance and forensic audits.

---

8: How can I integrate Windows Server with RADIUS?

Answer:
You can use NPS (Network Policy Server), which is Microsoft’s implementation of RADIUS.

Steps:

1. Install NPS role on Windows Server
2. Register the server in Active Directory
3. Add the router/switch as a RADIUS client
4. Create a connection request and network policy
5. Define shared secrets and test login

NPS integrates with AD to use domain credentials.

---

9: What are the default ports used by TACACS+ and RADIUS?

Answer:

• TACACS+: TCP port 49
• RADIUS:
  • UDP port 1812 for Authentication
  • UDP port 1813 for Accounting

Make sure these ports are open on your firewalls between the device and the AAA server.

---

10: What are some common AAA misconfigurations to avoid?

Answer:
Some common issues include:

• Forgetting to add a local fallback in method lists
• Misconfiguring server IP or shared secret
• Not applying AAA to VTY or console lines
• Using default method list when a named list is required
• Incorrect debug usage (not enabling term mon while troubleshooting)

Tip: Always verify with show run | include aaa and test before deploying in production.

---

YouTube Link

Watch the Complete CCNP Enterprise: AAA Authentication with TACACS+ and RADIUS – Step-by-Step Cisco Guide Demo & Explanation on our channel:

---

Final Note

Understanding how to differentiate and implement AAA Authentication with TACACS+ and RADIUS – Step-by-Step Cisco Guide is critical for anyone pursuing CCNP Enterprise (ENCOR) certification or working in enterprise network roles. Use this guide in your practice labs, real-world projects, and interviews to show a solid grasp of architectural planning and CLI-level configuration skills.

If you found this article helpful and want to take your skills to the next level, I invite you to join my Instructor-Led Weekend Batch for:

CCNP Enterprise to CCIE Enterprise – Covering ENCOR, ENARSI, SD-WAN, and more!

Get hands-on labs, real-world projects, and industry-grade training that strengthens your Routing & Switching foundations while preparing you for advanced certifications and job roles.

Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088

Upskill now and future-proof your networking career!

---