Skip to content
Study CCNP

5.1.b Authentication and authorization using AAA

3 min read ENCOR 350-401 v1.2

Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.

On this page

AAA is how network devices stop being a pile of shared passwords. It centralizes identity, policy, and logging. ENCOR expects you to understand what authentication and authorization do, how method lists work, and how to verify them.

AAA in plain English

  • Authentication: prove the user is who they claim to be.
  • Authorization: decide what the authenticated user is allowed to access.
  • Accounting: record what happened.
Admin opens SSH to router
Authentication: TACACS+ (or local fallback if server ERROR)
Authorization: permitted privilege level / command set
Accounting: session start, commands, session stop logged

A common production pattern is TACACS+ for device administration because it separates authentication, authorization, and accounting and can authorize commands. RADIUS is common for network access such as 802.1X, VPN, and wireless authentication. You may see either in enterprise networks.

Method lists

A method list tells the device what sources to try and in what order.

aaa authentication login default group TACACS-SERVERS local

Read it like this:

> For login authentication, use the default method list. Try the TACACS+ server group first. If that method is unavailable, fall back to the local user database.

The exam trap: fallback does not mean “let a denied user try local.” A server outage and a bad password are not the same event.

Method-list behavior depends on the result returned by the current method:

ResultMeaningWhat usually happens next
PASSThe user was accepted.Stop; login succeeds.
FAILThe method rejected the user, such as a bad password.Stop; do not try local fallback.
ERRORThe method is unavailable or cannot answer.Try the next method if one exists.

That distinction is why group TACACS-SERVERS local is a break-glass pattern for server unavailability, not a second chance after a central policy denial.

TACACS+ vs. RADIUS recognition

FeatureTACACS+RADIUS
Common transportTCP/49UDP/1812 authentication, UDP/1813 accounting
Common useDevice administrationNetwork access such as 802.1X, VPN, and VPN-adjacent access services
Authorization modelSeparates authentication, authorization, and accountingOften returns authorization attributes with authentication
Command authorizationStrong fit for per-command device admin controlNot the usual choice for per-command device administration

Keep this framed around ENCOR Enterprise core. Wireless itself has moved out of the core exam path, but RADIUS remains a common enterprise access-control protocol.

TACACS+ example

aaa new-model

username breakglass privilege 15 algorithm-type scrypt secret LocalOnly!234

tacacs server ISE-TACACS-1
 address ipv4 10.10.20.10
 key 0 SharedSecretHere

tacacs server ISE-TACACS-2
 address ipv4 10.10.20.11
 key 0 SharedSecretHere

aaa group server tacacs+ TACACS-SERVERS
 server name ISE-TACACS-1
 server name ISE-TACACS-2
 ip tacacs source-interface Loopback0

aaa authentication login default group TACACS-SERVERS local
aaa authorization exec default group TACACS-SERVERS local if-authenticated
aaa accounting exec default start-stop group TACACS-SERVERS

line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default

RADIUS example

aaa new-model

radius server ISE-RADIUS-1
 address ipv4 10.10.30.10 auth-port 1812 acct-port 1813
 key 0 SharedSecretHere

aaa group server radius RADIUS-SERVERS
 server name ISE-RADIUS-1
 ip radius source-interface Loopback0

aaa authentication login default group RADIUS-SERVERS local
aaa authorization exec default group RADIUS-SERVERS local if-authenticated
aaa accounting exec default start-stop group RADIUS-SERVERS

Verification

show aaa servers
show running-config | section aaa
show running-config | section tacacs
show running-config | section radius
test aaa group tacacs+ TACACS-SERVERS alice MyPassword legacy
test aaa group radius RADIUS-SERVERS alice MyPassword legacy

During troubleshooting, you may also see debugs in labs:

debug aaa authentication
debug aaa authorization
undebug all

Use debugs carefully on production devices.

Lab

Goal: Configure AAA login with local fallback.

Topology:

Admin PC
R1
AAA server 10.10.20.10

Tasks:

  1. Enable aaa new-model.
  2. Create a local break-glass user.
  3. Configure a TACACS+ or RADIUS server group.
  4. Source AAA traffic from Loopback0.
  5. Configure login authentication to use the server group, then local fallback.
  6. Configure exec authorization.
  7. Apply the method list to VTY lines.
  8. Test successful login, failed password, and server-unavailable fallback.

Success criteria:

  • show aaa servers shows the server as reachable or configured.
  • A centralized user can log in.
  • A wrong centralized password fails.
  • Local fallback works only when the AAA method is unavailable.
  • Accounting logs show exec starts/stops if the server supports accounting.

Exam traps

  • aaa new-model changes login behavior. Do not enable it casually on a remote production device without a fallback plan.
  • default method list applies where no named method list overrides it.
  • Authentication and authorization are separate. A user can authenticate and still not get privileged access if authorization denies it.
  • Source interface matters when the AAA server expects requests from a specific device IP.