5.1.b Authentication and authorization using AAA
Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.
On this page
AAA is how network devices stop being a pile of shared passwords. It centralizes identity, policy, and logging. ENCOR expects you to understand what authentication and authorization do, how method lists work, and how to verify them.
AAA in plain English
- Authentication: prove the user is who they claim to be.
- Authorization: decide what the authenticated user is allowed to access.
- Accounting: record what happened.
Admin opens SSH to router
Authentication: TACACS+ (or local fallback if server ERROR)
Authorization: permitted privilege level / command set
Accounting: session start, commands, session stop loggedA common production pattern is TACACS+ for device administration because it separates authentication, authorization, and accounting and can authorize commands. RADIUS is common for network access such as 802.1X, VPN, and wireless authentication. You may see either in enterprise networks.
Method lists
A method list tells the device what sources to try and in what order.
aaa authentication login default group TACACS-SERVERS localRead it like this:
> For login authentication, use the default method list. Try the TACACS+ server group first. If that method is unavailable, fall back to the local user database.
The exam trap: fallback does not mean “let a denied user try local.” A server outage and a bad password are not the same event.
Method-list behavior depends on the result returned by the current method:
| Result | Meaning | What usually happens next |
|---|---|---|
| PASS | The user was accepted. | Stop; login succeeds. |
| FAIL | The method rejected the user, such as a bad password. | Stop; do not try local fallback. |
| ERROR | The method is unavailable or cannot answer. | Try the next method if one exists. |
That distinction is why group TACACS-SERVERS local is a break-glass pattern for server unavailability, not a second chance after a central policy denial.
TACACS+ vs. RADIUS recognition
| Feature | TACACS+ | RADIUS |
|---|---|---|
| Common transport | TCP/49 | UDP/1812 authentication, UDP/1813 accounting |
| Common use | Device administration | Network access such as 802.1X, VPN, and VPN-adjacent access services |
| Authorization model | Separates authentication, authorization, and accounting | Often returns authorization attributes with authentication |
| Command authorization | Strong fit for per-command device admin control | Not the usual choice for per-command device administration |
Keep this framed around ENCOR Enterprise core. Wireless itself has moved out of the core exam path, but RADIUS remains a common enterprise access-control protocol.
TACACS+ example
aaa new-model
username breakglass privilege 15 algorithm-type scrypt secret LocalOnly!234
tacacs server ISE-TACACS-1
address ipv4 10.10.20.10
key 0 SharedSecretHere
tacacs server ISE-TACACS-2
address ipv4 10.10.20.11
key 0 SharedSecretHere
aaa group server tacacs+ TACACS-SERVERS
server name ISE-TACACS-1
server name ISE-TACACS-2
ip tacacs source-interface Loopback0
aaa authentication login default group TACACS-SERVERS local
aaa authorization exec default group TACACS-SERVERS local if-authenticated
aaa accounting exec default start-stop group TACACS-SERVERS
line vty 0 4
transport input ssh
login authentication default
authorization exec defaultRADIUS example
aaa new-model
radius server ISE-RADIUS-1
address ipv4 10.10.30.10 auth-port 1812 acct-port 1813
key 0 SharedSecretHere
aaa group server radius RADIUS-SERVERS
server name ISE-RADIUS-1
ip radius source-interface Loopback0
aaa authentication login default group RADIUS-SERVERS local
aaa authorization exec default group RADIUS-SERVERS local if-authenticated
aaa accounting exec default start-stop group RADIUS-SERVERSVerification
show aaa servers
show running-config | section aaa
show running-config | section tacacs
show running-config | section radius
test aaa group tacacs+ TACACS-SERVERS alice MyPassword legacy
test aaa group radius RADIUS-SERVERS alice MyPassword legacyDuring troubleshooting, you may also see debugs in labs:
debug aaa authentication
debug aaa authorization
undebug allUse debugs carefully on production devices.
Lab
Goal: Configure AAA login with local fallback.
Topology:
Admin PC
R1
AAA server 10.10.20.10Tasks:
- Enable
aaa new-model. - Create a local break-glass user.
- Configure a TACACS+ or RADIUS server group.
- Source AAA traffic from Loopback0.
- Configure login authentication to use the server group, then local fallback.
- Configure exec authorization.
- Apply the method list to VTY lines.
- Test successful login, failed password, and server-unavailable fallback.
Success criteria:
show aaa serversshows the server as reachable or configured.- A centralized user can log in.
- A wrong centralized password fails.
- Local fallback works only when the AAA method is unavailable.
- Accounting logs show exec starts/stops if the server supports accounting.
Exam traps
aaa new-modelchanges login behavior. Do not enable it casually on a remote production device without a fallback plan.defaultmethod list applies where no named method list overrides it.- Authentication and authorization are separate. A user can authenticate and still not get privileged access if authorization denies it.
- Source interface matters when the AAA server expects requests from a specific device IP.