AAA in Network Security

AAA is a foundational security framework used in networking to manage user access and enforce policies. It stands for:

Authentication – verifying a user’s identity.

Authorization – determining what resources a user is allowed to access.

Accounting – logging user activity for audit and billing purposes.

Origins and Purpose

AAA emerged from the need to secure increasingly complex and distributed networks. In early systems, access control was limited to simple passwords. As organizations adopted remote access, VPNs, and multi-user devices, a scalable and flexible access control method became necessary. AAA was formalized by protocols like RADIUS and TACACS+, and became a standard in enterprise-grade network infrastructure.

How it Works

AAA operates by decoupling access control from the device itself, enabling centralized control via an external server (such as a RADIUS or TACACS+ server). Here’s a high-level flow:

Authentication: When a user connects to a network device (via SSH, console, etc.), the device checks their credentials against an external source (e.g., RADIUS) or local database.

Authorization: Once authenticated, the server responds with a list of allowed privileges (e.g., can enter enable mode, execute certain commands).

Accounting: The device records the session details (login time, commands run, logout time) and sends them to the accounting server.

This approach allows network admins to centrally manage user permissions, enforce policy, and maintain logs for compliance and troubleshooting.

Configuration:

aaa new-model >> control is handled via AAA policies and external servers
radius-server host 192.0.2.1 key MySecretKey >> Define and point to ACS
aaa authentication login default group radius local >> 
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius

Authentication

aaa authentication login default group radius local

This command defines how users are authenticated when logging in (e.g., via console or VTY) using the default method list. It attempts to authenticate via RADIUS first, and if that fails, falls back to the local user database.

🔍 Keyword-by-Keyword Breakdown

Keyword	Meaning
`aaa`	Begins an AAA-related configuration line
`authentication`	Specifies the configuration is for authentication (who the user is)
`login`	Applies this method list to login events (e.g., console, VTY, SSH access)
`default`	Name of the method list; `default` applies to all lines unless overridden
`group radius`	First tries authentication via the configured RADIUS server(s)
`local`	If RADIUS fails or is unreachable, fallback to the local user database

⚙️ Available Options

After `aaa authentication`:

login – For user login (VTY, console)
enable – For enable mode access
dot1x – For 802.1X port authentication
ppp – For PPP session authentication
arap – For AppleTalk Remote Access Protocol

For `default`:

You can specify any custom method list name (e.g., vpn-users, console-auth).
default is a reserved keyword that applies to all interfaces unless a specific method list is applied.

After `group`:

radius – Use RADIUS servers
tacacs+ – Use TACACS+ servers
Custom-defined server groups can also be used

Final methods (fallback options):

local – Use local user database (username commands)
line – Use password defined under line vty or line console
none – No authentication (⚠️ not recommended)

💡 Example Configuration

username admin privilege 15 secret StrongPass123

aaa new-model
radius-server host 192.0.2.10 key RadiusSecret
aaa authentication login default group radius local

line vty 0 4
 login authentication default

Authorization

aaa authorization exec default group radius local

This command controls what happens after a user successfully logs in. Specifically, it determines whether the user is allowed to enter EXEC mode (e.g., shell or CLI access), and where those permissions are verified.

🔍 Keyword-by-Keyword Breakdown

Keyword	Meaning
`aaa`	Begins an AAA-related configuration line
`authorization`	Specifies the configuration is for authorization (what you can do)
`exec`	Refers to EXEC mode (user shell/CLI access after login)
`default`	Method list name; `default` applies globally unless overridden
`group radius`	Try RADIUS server(s) first to authorize the user
`local`	Fallback to local authorization (local user database) if RADIUS fails

⚙️ Available Options

After `aaa authorization`:

exec – Authorize access to EXEC mode
commands <level> – Authorize individual commands (if supported)
network – Authorize access to network services
reverse-access – For reverse Telnet/SSH sessions
configuration – Authorize config commands
Note: Some options may not be supported on all platforms (e.g., Catalyst 2960).

After `group`:

radius – Use RADIUS servers
tacacs+ – Use TACACS+ servers

Final methods:

local – Use local user roles/privileges
none – Allow without any authorization checks (⚠️ not secure)

💡 Example Configuration

username admin privilege 15 secret StrongPass123

aaa new-model
radius-server host 192.0.2.10 key RadiusSecret
aaa authorization exec default group radius local

line vty 0 4
 	authorization exec default

## Accounting

aaa accounting connection default start-stop group radius

This command enables accounting for network connection sessions — such as PPP, VPN, or reverse Telnet — and logs both the start and end of those sessions by sending data to a RADIUS server.

🔍 Keyword-by-Keyword Breakdown

Keyword	Meaning
`aaa`	Begins an AAA-related configuration line
`accounting`	Specifies this is for accounting (tracking and logging activity)
`connection`	Tracks network session connections (e.g., PPP, VPN, reverse Telnet)
`default`	Method list name; applies globally unless overridden
`start-stop`	Sends an accounting record when the session starts and ends
`group radius`	Sends accounting records to the configured RADIUS server group

⚙️ Available Options

After `aaa accounting`:

exec – Account for CLI EXEC sessions
commands <level> – Account for command executions
connection – Account for PPP or terminal sessions (e.g., modem, reverse Telnet)
network – Account for IP/packet-level network usage

Method list name:

default – Applies to all relevant sessions unless overridden
Custom names can be used and applied per interface

Action types:

start-stop – Send accounting records at start and stop
stop-only – Only log when the session ends
none – Disable accounting for this category

💡 Example Configuration

radius-server host 192.0.2.10 key RadiusSecret

aaa new-model
aaa accounting connection default start-stop group radius

line vty 0 4
 	accounting exec default

PREVIOUSSNMPv3 cheat-sheet

NEXTSSH Key Authentication to Linux (Windows Guide)

AAA in Network Security

Origins and Purpose

How it Works

Configuration:

Authentication

🔍 Keyword-by-Keyword Breakdown

⚙️ Available Options

After aaa authentication:

For default:

After group:

Final methods (fallback options):

💡 Example Configuration

Authorization

🔍 Keyword-by-Keyword Breakdown

⚙️ Available Options

After aaa authorization:

After group:

Final methods:

💡 Example Configuration

🔍 Keyword-by-Keyword Breakdown

⚙️ Available Options

After aaa accounting:

Method list name:

Action types:

💡 Example Configuration

After `aaa authentication`:

For `default`:

After `group`:

After `aaa authorization`:

After `group`:

After `aaa accounting`: