# CCNA 200-301 - Video 37: AAA (Authentication, Authorization, Accounting)

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- What AAA is and why it's used
- AAA components (Authentication, Authorization, Accounting)
- RADIUS vs. TACACS+ comparison
- AAA configuration on Cisco devices
- Local authentication vs. server-based authentication
- AAA troubleshooting and verification

---

## Core Concepts

### 1. What is AAA?

**Definition:** Authentication, Authorization, and Accounting (AAA) is a framework for controlling access to network resources, enforcing policies, and auditing usage.

**Analogy:** Think of AAA like a secure building access system:

- **Authentication:** Showing your ID badge to prove who you are
- **Authorization:** Determining which rooms you're allowed to enter
- **Accounting:** Logging when you entered and left the building

```
AAA COMPONENTS

+--------------------------------------------------------+
| AUTHENTICATION          "Who are you?"                 |
|   - Verifies user identity                             |
|   - Uses username/password, certificates, tokens       |
|   - Determines if access is allowed                    |
+--------------------------------------------------------+
                            |
                            v
+--------------------------------------------------------+
| AUTHORIZATION           "What can you do?"             |
|   - Defines user privileges                            |
|   - Controls command access                            |
|   - Determines network resource access                 |
+--------------------------------------------------------+
                            |
                            v
+--------------------------------------------------------+
| ACCOUNTING              "What did you do?"             |
|   - Logs user activity                                 |
|   - Tracks command execution                           |
|   - Records session start/stop times                   |
|   - Provides an audit trail                            |
+--------------------------------------------------------+
```

---

### 2. AAA Protocols: RADIUS vs. TACACS+

| Feature | RADIUS | TACACS+ |
|---------|--------|---------|
| **Transport** | UDP (ports 1812/1813) | TCP (port 49) |
| **Encryption** | Encrypts only the password | Encrypts the entire packet |
| **AAA Separation** | Combined authentication + authorization | Separated (authentication, authorization, accounting) |
| **Protocol** | IETF standard | Cisco proprietary |
| **Command Authorization** | No (limited) | Yes (per-command) |
| **Accounting** | Basic | Detailed |
| **Best For** | Network access (VPN, 802.1X) | Device administration |

```
RADIUS vs. TACACS+

RADIUS (Remote Authentication Dial-In User Service):
  - UDP transport (faster but less reliable)
  - Combines authentication and authorization
  - Only encrypts the password
  - Uses ports 1812 (authentication) and 1813 (accounting)
  - Open standard
  - Best for: VPN, wireless, switch port authentication (802.1X)

TACACS+ (Terminal Access Controller Access-Control System Plus):
  - TCP transport (reliable, connection-oriented)
  - Separates authentication, authorization, accounting
  - Encrypts the entire packet
  - Uses TCP port 49
  - Cisco proprietary
  - Best for: Device administration, command authorization
```

---

### 3. AAA Configuration Methods

| Method | Description | Use Case |
|--------|-------------|----------|
| **Local AAA** | Uses the local username/password database | Small networks, backup authentication |
| **Server-Based AAA** | Uses a RADIUS/TACACS+ server | Large networks, centralized management |
| **Method Lists** | Ordered list of authentication methods | Fallback configuration |

```
AAA AUTHENTICATION METHODS

Method List Example:
  aaa authentication login default group tacacs+ local

  Process:
    1. Try the TACACS+ server
    2. If TACACS+ is unavailable, use the local database

Common Authentication Methods:
  - group [radius|tacacs+]  Use an AAA server group
  - local                   Use the local username database
  - enable                  Use the enable password
  - line                    Use the line password
  - none                    No authentication
```

---

### 4. Local AAA Configuration

**Basic Local Authentication:**

```cisco
! Enable AAA
Router(config)# aaa new-model

! Configure local users
Router(config)# username admin privilege 15 secret AdminP@ss123
Router(config)# username operator privilege 5 secret OperatorP@ss123
Router(config)# username viewer privilege 1 secret ViewerP@ss123

! Configure AAA authentication for login
Router(config)# aaa authentication login default local

! Apply to VTY lines
Router(config)# line vty 0 15
Router(config-line)# login authentication default
Router(config-line)# exit

! Configure AAA authorization for EXEC
Router(config)# aaa authorization exec default local

! Configure AAA accounting
Router(config)# aaa accounting exec default start-stop local
```

**Privilege Levels:**

| Level | Description |
|-------|-------------|
| **0** | Minimal access (disable, enable, exit, help, logout) |
| **1** | User EXEC mode (default for normal users) |
| **2-14** | Custom privilege levels |
| **15** | Privileged EXEC mode (full access) |

```cisco
! Configure a custom privilege level
Router(config)# privilege exec level 5 show running-config
Router(config)# privilege exec level 5 configure terminal
Router(config)# privilege exec level 5 show ip route

! Assign a user to the privilege level
Router(config)# username operator privilege 5 secret OperatorP@ss123
```

---

### 5. TACACS+ Configuration

**TACACS+ Server Configuration:**

```cisco
! Enable AAA
Router(config)# aaa new-model

! Configure the TACACS+ server
Router(config)# tacacs server TACACS1
Router(config-server-tacacs)# address ipv4 192.168.1.100
Router(config-server-tacacs)# key SecureTacacsKey123
Router(config-server-tacacs)# exit

! Configure the TACACS+ server group
Router(config)# aaa group server tacacs+ TACACS-GROUP
Router(config-sg-tacacs+)# server name TACACS1
Router(config-sg-tacacs+)# exit

! Configure authentication (login)
Router(config)# aaa authentication login default group TACACS-GROUP local

! Configure authorization (EXEC)
Router(config)# aaa authorization exec default group TACACS-GROUP local

! Configure command authorization
Router(config)# aaa authorization commands 15 default group TACACS-GROUP local

! Configure accounting
Router(config)# aaa accounting exec default start-stop group TACACS-GROUP
Router(config)# aaa accounting commands 15 default start-stop group TACACS-GROUP

! Apply to VTY lines
Router(config)# line vty 0 15
Router(config-line)# login authentication default
Router(config-line)# authorization exec default
Router(config-line)# accounting exec default
Router(config-line)# exit
```

---

### 6. RADIUS Configuration

**RADIUS Server Configuration:**

```cisco
! Enable AAA
Router(config)# aaa new-model

! Configure the RADIUS server
Router(config)# radius server RADIUS1
Router(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
Router(config-radius-server)# key SecureRadiusKey123
Router(config-radius-server)# exit

! Configure the RADIUS server group
Router(config)# aaa group server radius RADIUS-GROUP
Router(config-sg-radius)# server name RADIUS1
Router(config-sg-radius)# exit

! Configure authentication (login)
Router(config)# aaa authentication login default group RADIUS-GROUP local

! Configure authorization (EXEC)
Router(config)# aaa authorization exec default group RADIUS-GROUP local

! Configure accounting
Router(config)# aaa accounting exec default start-stop group RADIUS-GROUP
Router(config)# aaa accounting network default start-stop group RADIUS-GROUP

! Apply to VTY lines
Router(config)# line vty 0 15
Router(config-line)# login authentication default
Router(config-line)# exit
```

---

### 7. AAA Method Lists

**Custom Method Lists:**

```cisco
! Create a custom method list for console access
Router(config)# aaa authentication login CONSOLE-AUTH local
Router(config)# line console 0
Router(config-line)# login authentication CONSOLE-AUTH

! Create a custom method list for VTY access
Router(config)# aaa authentication login VTY-AUTH group TACACS-GROUP local
Router(config)# line vty 0 15
Router(config-line)# login authentication VTY-AUTH

! Create a method list for enable access
Router(config)# aaa authentication enable default group TACACS-GROUP enable
```

**Method List Fallback:**

```
METHOD LIST FALLBACK

aaa authentication login default group tacacs+ local

        User tries to log in
                 |
                 v
     TACACS+ server reachable?
            /          \
          YES           NO
           |             |
           v             v
       TACACS+      Local database
        auth            auth
```

The next method in the list is consulted only when the current method returns an error (for example, the server is unreachable). An explicit reject from a reachable server ends the attempt; it does not fall through to the local database.

---

### 8. AAA Authorization

**Authorization Types:**

| Type | Description |
|------|-------------|
| **exec** | Controls user access to the EXEC shell |
| **commands** | Controls command execution at privilege levels |
| **network** | Controls network access (PPP, VPN) |
| **reverse-access** | Controls reverse Telnet |

```cisco
! EXEC authorization
aaa authorization exec default group TACACS-GROUP local

! Command authorization (privilege level 15)
aaa authorization commands 15 default group TACACS-GROUP local

! Network authorization (for PPP)
aaa authorization network default group RADIUS-GROUP
```

---

### 9. AAA Accounting

**Accounting Types:**

| Type | Description |
|------|-------------|
| **exec** | Records EXEC session start/stop |
| **commands** | Records commands executed |
| **network** | Records network connections (PPP, VPN) |
| **system** | Records system events |
| **connection** | Records outbound connections |

```cisco
! EXEC accounting
aaa accounting exec default start-stop group TACACS-GROUP

! Command accounting
aaa accounting commands 15 default start-stop group TACACS-GROUP

! Network accounting
aaa accounting network default start-stop group RADIUS-GROUP

! System accounting
aaa accounting system default start-stop group TACACS-GROUP
```

**Accounting Records:**

```
TACACS+ Accounting Record:
--------------------------------------------------------
User:       admin
Service:    shell
Start Time: Mar 21 2024 10:30:45
Stop Time:  Mar 21 2024 11:15:30
Duration:   44 minutes 45 seconds

Command: configure terminal
Command: interface gig0/0
Command: ip address 10.1.1.1 255.255.255.0
Command: no shutdown
Command: exit
```

---

### 10. AAA Verification Commands

| Command | Purpose |
|---------|---------|
| `show aaa servers` | Display AAA server status |
| `show aaa sessions` | Display active AAA sessions |
| `show aaa user` | Display authenticated users |
| `show tacacs` | Display TACACS+ configuration |
| `show radius` | Display RADIUS configuration |
| `debug aaa authentication` | Debug AAA authentication |
| `debug aaa authorization` | Debug AAA authorization |
| `debug aaa accounting` | Debug AAA accounting |

**Example Outputs:**

```cisco
Router# show aaa servers

RADIUS: id 1, priority 1, host 192.168.1.100, auth-port 1812, acct-port 1813
     State: current UP, duration 1234 secs
     Dead: total time 0 secs
     Socket-Number: 1
     Socket-State: ready
     Number of pending packets 0
     Number of retransmissions 0

TACACS+: id 1, priority 1, host 192.168.1.100, port 49, socket 2
     State: current UP, duration 5678 secs
     Last transaction: success

Router# show aaa sessions
Total sessions: 2

Type: EXEC
  Session ID: 12345678
  Username: admin
  TTY: vty0
  Login time: 10:30:45 EST Mar 21 2024

Type: EXEC
  Session ID: 12345679
  Username: operator
  TTY: vty1
  Login time: 10:45:12 EST Mar 21 2024
```

---

### 11. AAA Troubleshooting

| Problem | Symptom | Solution |
|---------|---------|----------|
| **Authentication Failed** | "Authentication Failed" message | Verify username/password, server connectivity |
| **Server Not Reachable** | AAA server dead, fallback to local | Check network connectivity, firewall, server status |
| **Authorization Failed** | User can log in but commands fail | Verify user privileges on the AAA server |
| **Accounting Not Logging** | No accounting records | Verify accounting configuration, server reachability |
| **No Fallback** | All access fails when the server is down | Configure the method list with local fallback |

**Troubleshooting Commands:**

```cisco
! Test AAA server connectivity
Router# test aaa group tacacs+ admin password123 new-code

! Debug authentication
Router# debug aaa authentication

! Debug authorization
Router# debug aaa authorization

! Debug accounting
Router# debug aaa accounting

! Check the local user database
Router# show running-config | include username
```

---

### 12. AAA Best Practices

```
AAA BEST PRACTICES

1. USE METHOD LISTS WITH FALLBACK
   aaa authentication login default group tacacs+ local
   - Always include local fallback for server outages
   - Order matters (try the server first, then local)

2. SECURE AAA SERVERS
   - Use strong shared secrets
   - Place AAA servers in secure VLANs
   - Use a management VRF if available
   - Implement server redundancy

3. USE TACACS+ FOR DEVICE ADMINISTRATION
   - TACACS+ encrypts the entire packet
   - Supports command authorization
   - Separates AAA functions

4. USE RADIUS FOR NETWORK ACCESS
   - Standard protocol for 802.1X, VPN
   - Widely supported by third-party devices
   - Efficient for high-volume authentication

5. ENABLE ACCOUNTING
   - Track who made changes
   - Audit trail for compliance
   - Monitor failed login attempts
```

---

## Complete Configuration Examples

### Lab 1: Local AAA with Privilege Levels

**Router Configuration:**

```cisco
hostname Router
!
! Enable AAA
aaa new-model
!
! Create local users
username admin privilege 15 secret AdminP@ss123
username operator privilege 5 secret OperatorP@ss123
username viewer privilege 1 secret ViewerP@ss123
!
! Configure authentication
aaa authentication login default local
aaa authentication enable default enable
!
! Configure authorization
aaa authorization exec default local
!
! Configure accounting
aaa accounting exec default start-stop local
aaa accounting commands 15 default start-stop local
!
! Apply to lines
line console 0
 login authentication default
 exec-timeout 5 0
!
line vty 0 15
 login authentication default
 authorization exec default
 accounting exec default
 transport input ssh
!
! Enable SSH
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
end
```

---

### Lab 2: TACACS+ Configuration

**Router Configuration:**

```cisco
hostname Router
!
! Enable AAA
aaa new-model
!
! Configure TACACS+ servers
tacacs server TACACS-PRIMARY
 address ipv4 192.168.1.100
 key SecureTacacsKey123
!
tacacs server TACACS-BACKUP
 address ipv4 192.168.1.101
 key SecureTacacsKey123
!
! Configure the server group
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-PRIMARY
 server name TACACS-BACKUP
!
! Authentication method lists
aaa authentication login default group TACACS-GROUP local
aaa authentication enable default group TACACS-GROUP enable
!
! Authorization method lists
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
!
! Accounting
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
!
! Apply to lines
line vty 0 15
 login authentication default
 authorization exec default
 accounting exec default
 transport input ssh
!
end
```

---

### Lab 3: RADIUS Configuration for 802.1X (Switch)

**Switch Configuration:**

```cisco
hostname Switch
!
! Enable AAA
aaa new-model
!
! Configure the RADIUS server
radius server RADIUS-PRIMARY
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key SecureRadiusKey123
!
! Configure the server group
aaa group server radius RADIUS-GROUP
 server name RADIUS-PRIMARY
!
! Authentication for 802.1X
aaa authentication dot1x default group RADIUS-GROUP
!
! Authorization for network access
aaa authorization network default group RADIUS-GROUP
!
! Accounting
aaa accounting network default start-stop group RADIUS-GROUP
!
! Enable 802.1X globally
dot1x system-auth-control
!
! Configure the interface for 802.1X
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
end
```

---

### Lab 4: AAA with Fallback Method

**Router Configuration:**

```cisco
hostname Router
!
aaa new-model
!
! TACACS+ server
tacacs server TACACS1
 address ipv4 192.168.1.100
 key Key123
!
! Authentication with multiple fallback methods
! Note: "none" means the login succeeds with no credentials once every
! earlier method has returned an error, so keep it out of production lists
aaa authentication login DEFAULT group tacacs+ local line none
!
! Custom method list for console (local only)
aaa authentication login CONSOLE-AUTH local
!
! Custom method list for VTY (tacacs+, then local)
aaa authentication login VTY-AUTH group tacacs+ local
!
! Apply method lists
line console 0
 login authentication CONSOLE-AUTH
!
line vty 0 15
 login authentication VTY-AUTH
!
end
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **AAA Purpose** | Authentication, Authorization, Accounting |
| **RADIUS vs. TACACS+** | RADIUS (UDP, password only), TACACS+ (TCP, full packet) |
| **Method Lists** | Ordered list of authentication methods |
| **Local AAA** | Uses the local username database |
| **TACACS+ Port** | TCP 49 |
| **RADIUS Ports** | UDP 1812 (auth), UDP 1813 (acct) |
| **Command Authorization** | TACACS+ only |

### Common Exam Scenarios:

**Scenario 1:** "A network administrator needs to authenticate users for device management with per-command authorization. Which protocol should be used?"

- **Answer:** TACACS+ (supports command authorization)

**Scenario 2:** "What is the purpose of the `aaa new-model` command?"

- **Answer:** Enables AAA on the device

**Scenario 3:** "A user can log in but cannot execute any commands. What AAA function is likely causing this?"

- **Answer:** Authorization (user authenticated but not authorized)

### Mnemonics:

**AAA Functions:** **"A-A-A" - Auth, Auth, Acct**

- **A**uthentication: Who are you?
- **A**uthorization: What can you do?
- **A**ccounting: What did you do?

**RADIUS vs. TACACS+:** **"RUD TCP" - RADIUS UDP, TACACS+ TCP**

- RADIUS: UDP
- TACACS+: TCP

---

## Summary (1-Minute Revision)

```
AAA (Authentication, Authorization, Accounting):

AAA COMPONENTS:
├── Authentication: Verifies user identity
├── Authorization: Defines user privileges
└── Accounting: Logs user activity

RADIUS vs. TACACS+:
RADIUS:
├── Transport: UDP (1812/1813)
├── Encryption: Only password
├── Combined Auth + Author
└── Best for: Network access (VPN, 802.1X)

TACACS+:
├── Transport: TCP (49)
├── Encryption: Entire packet
├── Separated AAA functions
├── Best for: Device administration
└── Supports command authorization

LOCAL AAA:
├── aaa new-model
├── username [user] privilege [level] secret [pass]
├── aaa authentication login default local
└── line vty 0 15 / login authentication default

SERVER-BASED AAA:
├── radius server / tacacs server
├── aaa group server radius / tacacs+
├── aaa authentication login default group [name] local
└── aaa authorization exec default group [name] local

ACCOUNTING:
├── aaa accounting exec default start-stop group [name]
├── aaa accounting commands 15 default start-stop group [name]
└── aaa accounting network default start-stop group [name]

VERIFICATION:
├── show aaa servers
├── show aaa sessions
├── debug aaa authentication
└── test aaa group [name] [user] [pass]
```

---

## Practice Questions

**1. What are the three components of AAA?**

- A) Authentication, Authorization, Accounting
- B) Access, Authorization, Accounting
- C) Authentication, Access, Accounting
- D) Authorization, Access, Authentication

<details>
<summary>Answer</summary>
<b>A) Authentication, Authorization, Accounting</b> - The three A's of AAA.
</details>

**2. Which protocol uses TCP port 49?**

- A) RADIUS
- B) TACACS+
- C) LDAP
- D) Kerberos

<details>
<summary>Answer</summary>
<b>B) TACACS+</b> - TACACS+ uses TCP port 49.
</details>

**3. Which protocol encrypts the entire packet?**

- A) RADIUS
- B) TACACS+
- C) Both
- D) Neither

<details>
<summary>Answer</summary>
<b>B) TACACS+</b> - TACACS+ encrypts the entire packet, while RADIUS encrypts only the password.
</details>

**4. Which command enables AAA on a Cisco router?**

- A) `aaa enable`
- B) `aaa new-model`
- C) `aaa authentication`
- D) `enable aaa`

<details>
<summary>Answer</summary>
<b>B) <code>aaa new-model</code></b> - This command enables AAA on the device.
</details>

**5. What is the purpose of a method list in AAA?**

- A) List of users
- B) Ordered list of authentication methods
- C) List of commands
- D) List of servers

<details>
<summary>Answer</summary>
<b>B) Ordered list of authentication methods</b> - Method lists define the sequence of authentication methods to try.
</details>

**6. Which AAA function logs user activity?**

- A) Authentication
- B) Authorization
- C) Accounting
- D) Access

<details>
<summary>Answer</summary>
<b>C) Accounting</b> - Accounting records user activity and session information.
</details>

**7. Which protocol supports per-command authorization?**

- A) RADIUS
- B) TACACS+
- C) LDAP
- D) NTP

<details>
<summary>Answer</summary>
<b>B) TACACS+</b> - TACACS+ supports per-command authorization for device management.
</details>

**8. What are the default RADIUS ports?**

- A) UDP 1645/1646
- B) UDP 1812/1813
- C) TCP 49
- D) UDP 69

<details>
<summary>Answer</summary>
<b>B) UDP 1812/1813</b> - RADIUS uses UDP 1812 for authentication and 1813 for accounting.
</details>

**9. Which command configures a local user with privilege level 15?**

- A) `username admin secret Admin123`
- B) `username admin privilege 15 secret Admin123`
- C) `user admin privilege 15 password Admin123`
- D) `local-user admin privilege 15 secret Admin123`

<details>
<summary>Answer</summary>
<b>B) <code>username admin privilege 15 secret Admin123</code></b> - Creates a local user with privilege level 15.
</details>

**10. What happens when the TACACS+ server is unreachable with this configuration? `aaa authentication login default group tacacs+ local`**

- A) Authentication fails
- B) Router uses the local database
- C) Router uses the enable password
- D) Router allows any login

<details>
<summary>Answer</summary>
<b>B) Router uses the local database</b> - Local is the fallback method when TACACS+ is unavailable.
</details>

**11. Which command displays active AAA sessions?**

- A) `show aaa`
- B) `show aaa sessions`
- C) `show sessions`
- D) `show users`

<details>
<summary>Answer</summary>
<b>B) <code>show aaa sessions</code></b> - Displays active AAA sessions.
</details>

**12. Which AAA function is responsible for determining what commands a user can execute?**

- A) Authentication
- B) Authorization
- C) Accounting
- D) Auditing

<details>
<summary>Answer</summary>
<b>B) Authorization</b> - Authorization defines user privileges and command access.
</details>

---

## Next Steps

After completing Video 37, you should be ready for:

- **Video 38:** 802.1X and Network Access Control (NAC)
- **Video 39:** VPN Configuration (Review and Advanced)

**Lab Practice:**

1. Configure local AAA with privilege levels
2. Configure TACACS+ server authentication
3. Configure RADIUS server authentication
4. Test fallback authentication methods
5. Configure command authorization
6. Verify with `show aaa servers` and `show aaa sessions`
7. Configure accounting to log user activity

---
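The method-list fallback described in sections 3 and 7 and exercised in Lab 4 is easy to get wrong, so here is an added example (not part of the course notes or any Cisco code) that models how IOS walks a login method list: each method returns PASS, FAIL or ERROR, and only ERROR moves on to the next method. The `Device` fields, the in-memory user tables and the `audit_method_list` check are constructed stand-ins for this illustration.

```python
"""Model of IOS login method-list evaluation (added example, not from the notes)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Device:
    # Constructed stand-ins for the state each method keyword consults.
    local_users: Dict[str, str] = field(default_factory=dict)   # username -> secret
    enable_secret: Optional[str] = None
    line_password: Optional[str] = None
    tacacs_reachable: bool = True
    tacacs_users: Dict[str, str] = field(default_factory=dict)  # what the server accepts


def try_method(method: str, dev: Device, user: str, pw: str) -> str:
    """Return PASS, FAIL or ERROR for one keyword of the method list."""
    if method == "group tacacs+":
        if not dev.tacacs_reachable:
            return ERROR                      # server dead: fall through to next method
        return PASS if dev.tacacs_users.get(user) == pw else FAIL   # reject is final
    if method == "local":
        if not dev.local_users:
            return ERROR                      # empty local database: fall through
        return PASS if dev.local_users.get(user) == pw else FAIL
    if method == "enable":
        if dev.enable_secret is None:
            return ERROR
        return PASS if pw == dev.enable_secret else FAIL
    if method == "line":
        if dev.line_password is None:
            return ERROR
        return PASS if pw == dev.line_password else FAIL
    if method == "none":
        return PASS                           # no authentication at all
    raise ValueError(f"unknown method {method!r}")


def authenticate(method_list: List[str], dev: Device, user: str, pw: str) -> Tuple[str, str]:
    """Walk the list in order; the first PASS or FAIL ends the attempt.

    Returns (result, method that decided it); if every method errors the
    login is denied, which is the 'No Fallback' row of the troubleshooting table.
    """
    for method in method_list:
        result = try_method(method, dev, user, pw)
        if result != ERROR:
            return result, method
    return FAIL, "exhausted"


def audit_method_list(method_list: List[str]) -> List[str]:
    """Defender's check for the list shapes the best-practices section warns about."""
    findings = []
    if "none" in method_list:
        findings.append("'none' present: login succeeds with no credentials "
                        "once every earlier method errors")
    if method_list and method_list[0] == "local" and "group tacacs+" in method_list:
        findings.append("server listed after local: locally defined users "
                        "never reach central policy")
    if "local" not in method_list and "none" not in method_list:
        findings.append("no local fallback: all access is lost when the server is down")
    return findings


if __name__ == "__main__":
    lab = Device(local_users={"admin": "AdminP@ss123"}, tacacs_reachable=False)
    print(authenticate(["group tacacs+", "local"], lab, "admin", "AdminP@ss123"))
    print(audit_method_list(["group tacacs+", "local", "line", "none"]))
```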