# AAA in Network Security

AAA is a foundational security framework used in networking to manage user access and enforce policies. It stands for:

- Authentication – verifying a user's identity.
- Authorization – determining what resources a user is allowed to access.
- Accounting – logging user activity for audit and billing purposes.
## Origins and Purpose

AAA emerged from the need to secure increasingly complex and distributed networks. In early systems, access control was limited to simple passwords. As organizations adopted remote access, VPNs, and multi-user devices, a scalable and flexible access control method became necessary. AAA was formalized by protocols like RADIUS and TACACS+, and became a standard in enterprise-grade network infrastructure.
## How it Works

AAA operates by decoupling access control from the device itself, enabling centralized control via an external server (such as a RADIUS or TACACS+ server). Here's a high-level flow:

- Authentication: When a user connects to a network device (via SSH, console, etc.), the device checks their credentials against an external source (e.g., RADIUS) or the local database.
- Authorization: Once authenticated, the server responds with a list of allowed privileges (e.g., can enter enable mode, execute certain commands).
- Accounting: The device records the session details (login time, commands run, logout time) and sends them to the accounting server.

This approach allows network admins to centrally manage user permissions, enforce policy, and maintain logs for compliance and troubleshooting.
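The three steps above, as an added example that is not part of the original article: a small Python simulation of the RADIUS side of the flow, with the network device (NAS) and the RADIUS server both running in-process. The packet layout, the User-Password hiding, the Response Authenticator check and the Accounting-Request authenticator follow RFC 2865 and RFC 2866; the server's authorization answer is carried back as the Cisco AV pair `shell:priv-lvl`. The shared secret `RadiusSecret`, the `USERS` store, the NAS address 192.0.2.2 and the session id are constructed values for this example only.

```python
import hashlib
import os
import struct

SECRET = b"RadiusSecret"                   # constructed shared secret for this example
USERS = {"admin": ("StrongPass123", 15)}   # constructed user store: name -> (password, privilege)
NAS_IP = bytes([192, 0, 2, 2])             # constructed NAS (network device) address
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4   # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
ACCT_STATUS_TYPE, ACCT_SESSION_ID, CISCO_VENDOR, CISCO_AVPAIR, ACCT_START, ACCT_STOP = 40, 44, 9, 1, 1, 2

def attr(t, value):
    """One attribute in Type(1) Length(1) Value form (RFC 2865 section 5)."""
    return bytes([t, 2 + len(value)]) + value

def cisco_avpair(text):  # Vendor-Specific (26) wrapping a Cisco (vendor 9) AVPair, subtype 1
    inner = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR) + inner)

def packet(code, ident, authenticator, attrs):  # Code(1) ID(1) Length(2) Authenticator(16) attrs
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    """Return (code, ident, authenticator, raw attribute bytes, {type: [values]})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        t, n = pkt[i], pkt[i + 1]
        attrs.setdefault(t, []).append(pkt[i + 2:i + n])
        i += n
    return code, ident, pkt[4:20], pkt[20:length], attrs

def password_cipher(data, request_auth, hide, secret=SECRET):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous cipher chunk)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        x = bytes(p ^ q for p, q in zip(chunk, key))
        out, prev = out + x, (x if hide else chunk)
    return out

def hide_password(password, request_auth):
    padded = password.encode().ljust(max(16, -(-len(password) // 16) * 16), b"\x00")  # NUL pad
    return password_cipher(padded, request_auth, hide=True)

def reveal_password(hidden, request_auth):
    return password_cipher(hidden, request_auth, hide=False).rstrip(b"\x00").decode()

def response_authenticator(code, ident, request_auth, body, secret=SECRET):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def nas_access_request(username, password, ident=1):
    """NAS side: build the Access-Request for a CLI login (Service-Type 7 = NAS-Prompt)."""
    request_auth = os.urandom(16)   # fresh random Request Authenticator for every request
    attrs = [attr(USER_NAME, username.encode()),
             attr(USER_PASSWORD, hide_password(password, request_auth)),
             attr(NAS_IP_ADDRESS, NAS_IP),
             attr(SERVICE_TYPE, struct.pack("!I", 7))]
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def nas_check_reply(reply, request_auth):
    """NAS side: verify the Response Authenticator, then read the granted privilege level."""
    code, ident, auth, body, attrs = parse(reply)
    if auth != response_authenticator(code, ident, request_auth, body):
        raise ValueError("Response Authenticator mismatch: reply is not from our RADIUS server")
    priv = None
    for v in attrs.get(VENDOR_SPECIFIC, []):
        if struct.unpack("!I", v[:4])[0] == CISCO_VENDOR and v[4] == CISCO_AVPAIR:
            avpair = v[6:].decode()
            if avpair.startswith("shell:priv-lvl="):
                priv = int(avpair.split("=", 1)[1])
    return code == ACCESS_ACCEPT, priv

def nas_accounting_request(session_id, status, username, ident=2):
    """NAS side: Accounting-Request; RFC 2866 hashes the packet with 16 zero bytes as authenticator."""
    attrs = [attr(USER_NAME, username.encode()), attr(NAS_IP_ADDRESS, NAS_IP),
             attr(ACCT_STATUS_TYPE, struct.pack("!I", status)),
             attr(ACCT_SESSION_ID, session_id.encode())]
    auth = response_authenticator(ACCT_REQUEST, ident, bytes(16), b"".join(attrs))
    return packet(ACCT_REQUEST, ident, auth, attrs)

def server_handle_access(pkt):
    """Server side: authenticate against USERS, then authorize by returning shell:priv-lvl."""
    code, ident, request_auth, _, attrs = parse(pkt)
    user = attrs[USER_NAME][0].decode()
    password = reveal_password(attrs[USER_PASSWORD][0], request_auth)
    if user in USERS and USERS[user][0] == password:
        code, reply = ACCESS_ACCEPT, [cisco_avpair(f"shell:priv-lvl={USERS[user][1]}")]
    else:
        code, reply = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, request_auth, b"".join(reply))
    return packet(code, ident, auth, reply)

def login(username, password):
    """Full exchange: NAS builds the request, the server answers, the NAS validates the answer."""
    req, request_auth = nas_access_request(username, password)
    return nas_check_reply(server_handle_access(req), request_auth)
```

`login("admin", "StrongPass123")` returns `(True, 15)`: access granted, privilege level 15 taken from the server's AV pair. `nas_check_reply()` refuses any reply whose Response Authenticator does not verify against the request's authenticator and the shared secret, which is the check a real NAS performs before trusting an Access-Accept; `nas_accounting_request()` with `ACCT_START` and then `ACCT_STOP` produces the two records that `start-stop` accounting sends for one session.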
### Configuration

```
! Enable AAA: from here on, access control is handled via AAA method lists and external servers
aaa new-model
! Define the RADIUS server (e.g., Cisco ACS) and the shared secret used with it
radius-server host 192.0.2.1 key MySecretKey
! Authentication: try RADIUS first, fall back to the local user database
aaa authentication login default group radius local
! Authorization for EXEC access: RADIUS first, then local
aaa authorization exec default group radius local
! Accounting for EXEC sessions: send start and stop records to RADIUS
aaa accounting exec default start-stop group radius
```
## Authentication

```
aaa authentication login default group radius local
```

This command defines how users are authenticated when logging in (e.g., via console or VTY) using the default method list. It attempts to authenticate via RADIUS first, and if that fails, falls back to the local user database.
### 🔍 Keyword-by-Keyword Breakdown

| Keyword | Meaning |
|---|---|
| `aaa` | Begins an AAA-related configuration line |
| `authentication` | Specifies the configuration is for authentication (who the user is) |
| `login` | Applies this method list to login events (e.g., console, VTY, SSH access) |
| `default` | Name of the method list; `default` applies to all lines unless overridden |
| `group radius` | First tries authentication via the configured RADIUS server(s) |
| `local` | If RADIUS fails or is unreachable, fall back to the local user database |
### ⚙️ Available Options

After `aaa authentication`:

- `login` – For user login (VTY, console)
- `enable` – For enable mode access
- `dot1x` – For 802.1X port authentication
- `ppp` – For PPP session authentication
- `arap` – For AppleTalk Remote Access Protocol

For `default`:

- You can specify any custom method list name (e.g., `vpn-users`, `console-auth`). `default` is a reserved keyword that applies to all interfaces unless a specific method list is applied.

After `group`:

- `radius` – Use RADIUS servers
- `tacacs+` – Use TACACS+ servers
- Custom-defined server groups can also be used

Final methods (fallback options):

- `local` – Use the local user database (`username` commands)
- `line` – Use the password defined under `line vty` or `line console`
- `none` – No authentication (⚠️ not recommended)
### 💡 Example Configuration

```
username admin privilege 15 secret StrongPass123
aaa new-model
radius-server host 192.0.2.10 key RadiusSecret
aaa authentication login default group radius local
line vty 0 4
 login authentication default
```
## Authorization

```
aaa authorization exec default group radius local
```

This command controls what happens after a user successfully logs in. Specifically, it determines whether the user is allowed to enter EXEC mode (e.g., shell or CLI access), and where those permissions are verified.
### 🔍 Keyword-by-Keyword Breakdown

| Keyword | Meaning |
|---|---|
| `aaa` | Begins an AAA-related configuration line |
| `authorization` | Specifies the configuration is for authorization (what you can do) |
| `exec` | Refers to EXEC mode (user shell/CLI access after login) |
| `default` | Method list name; `default` applies globally unless overridden |
| `group radius` | Try RADIUS server(s) first to authorize the user |
| `local` | Fall back to local authorization (local user database) if RADIUS fails |
### ⚙️ Available Options

After `aaa authorization`:

- `exec` – Authorize access to EXEC mode
- `commands <level>` – Authorize individual commands (if supported)
- `network` – Authorize access to network services
- `reverse-access` – For reverse Telnet/SSH sessions
- `configuration` – Authorize config commands

Note: Some options may not be supported on all platforms (e.g., Catalyst 2960).

After `group`:

- `radius` – Use RADIUS servers
- `tacacs+` – Use TACACS+ servers

Final methods:

- `local` – Use local user roles/privileges
- `none` – Allow without any authorization checks (⚠️ not secure)
### 💡 Example Configuration

```
username admin privilege 15 secret StrongPass123
aaa new-model
radius-server host 192.0.2.10 key RadiusSecret
aaa authorization exec default group radius local
line vty 0 4
 authorization exec default
```
## Accounting

```
aaa accounting connection default start-stop group radius
```

This command enables accounting for network connection sessions (such as PPP, VPN, or reverse Telnet) and logs both the start and end of those sessions by sending accounting records to a RADIUS server.
### 🔍 Keyword-by-Keyword Breakdown

| Keyword | Meaning |
|---|---|
| `aaa` | Begins an AAA-related configuration line |
| `accounting` | Specifies this is for accounting (tracking and logging activity) |
| `connection` | Tracks network session connections (e.g., PPP, VPN, reverse Telnet) |
| `default` | Method list name; applies globally unless overridden |
| `start-stop` | Sends an accounting record when the session starts and when it ends |
| `group radius` | Sends accounting records to the configured RADIUS server group |
### ⚙️ Available Options

After `aaa accounting`:

- `exec` – Account for CLI EXEC sessions
- `commands <level>` – Account for command executions
- `connection` – Account for PPP or terminal sessions (e.g., modem, reverse Telnet)
- `network` – Account for IP/packet-level network usage

Method list name:

- `default` – Applies to all relevant sessions unless overridden
- Custom names can be used and applied per interface

Action types:

- `start-stop` – Send accounting records at start and stop
- `stop-only` – Only log when the session ends
- `none` – Disable accounting for this category
### 💡 Example Configuration

```
radius-server host 192.0.2.10 key RadiusSecret
aaa new-model
aaa accounting connection default start-stop group radius
! EXEC accounting list: this is the list the "accounting exec default" line command below applies
aaa accounting exec default start-stop group radius
line vty 0 4
 accounting exec default
```
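As an added example (not the article's own code), the audit below parses a Cisco IOS-style AAA configuration such as the ones on this page and reports the failure modes the three sections warn about: a method list containing `none`, a list with nothing after the server group (a lockout if the servers are unreachable), `local` fallback without any `username` configured, a missing `aaa new-model`, and a line that applies a method list no `aaa` command defines. `SAMPLE` is a constructed configuration that deliberately contains those problems; `CLEAN` is the page's three example configurations merged. The rule names are my own and the parser covers only the command forms shown on this page.

```python
AAA_CATEGORIES = ("authentication", "authorization", "accounting")
ACCT_ACTIONS = ("start-stop", "stop-only", "wait-start", "none")

# Constructed sample that deliberately contains each problem the audit looks for.
SAMPLE = """\
username admin privilege 15 secret StrongPass123
aaa new-model
radius-server host 192.0.2.10 key RadiusSecret
aaa authentication login default group radius local
aaa authentication login console-auth none
aaa authorization exec default group radius
aaa accounting connection default start-stop group radius
line con 0
 login authentication console-auth
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
"""

# The three example configurations from this page, merged; the audit reports nothing here.
CLEAN = """\
username admin privilege 15 secret StrongPass123
aaa new-model
radius-server host 192.0.2.10 key RadiusSecret
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
"""

def parse_methods(tokens):
    """['group', 'radius', 'local'] -> ['group radius', 'local']"""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def list_kind(toks, i):
    """'commands <level>' is a two-token list type; every other type is one token."""
    if toks[i] == "commands" and len(toks) > i + 1:
        return f"commands {toks[i + 1]}", i + 2
    return toks[i], i + 1

def parse_config(text):
    """Collect aaa new-model, usernames, method lists {(cat, kind, name): methods} and line references."""
    cfg = {"new_model": False, "usernames": set(), "lists": {}, "refs": []}
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:2] == ["aaa", "new-model"]:
            cfg["new_model"] = True
        elif toks[0] == "username" and len(toks) > 1:
            cfg["usernames"].add(toks[1])
        elif toks[0] == "aaa" and len(toks) >= 5 and toks[1] in AAA_CATEGORIES:
            kind, i = list_kind(toks, 2)
            name, rest = toks[i], toks[i + 1:]
            if toks[1] == "accounting" and rest and rest[0] in ACCT_ACTIONS:
                rest = ["none"] if rest[0] == "none" else rest[1:]   # drop the action keyword
            cfg["lists"][(toks[1], kind, name)] = parse_methods(rest)
        elif toks[:2] == ["login", "authentication"] and len(toks) == 3:
            cfg["refs"].append(("authentication", "login", toks[2]))
        elif toks[0] in ("authorization", "accounting") and len(toks) >= 3:
            kind, i = list_kind(toks, 1)
            if len(toks) > i:
                cfg["refs"].append((toks[0], kind, toks[i]))
    return cfg

def audit(text):
    """Return (rule, message) findings for the configuration text."""
    cfg = parse_config(text)
    findings = []
    if not cfg["new_model"]:
        findings.append(("no-aaa-new-model", "aaa new-model is missing, so the AAA method lists are not in effect"))
    for (cat, kind, name), methods in cfg["lists"].items():
        label = f"aaa {cat} {kind} {name}"
        if "none" in methods:
            findings.append(("method-none", f"{label}: 'none' performs no {cat} at all"))
        if cat != "accounting" and methods and all(m.startswith("group ") for m in methods):
            findings.append(("no-fallback", f"{label}: nothing after '{methods[-1]}'; lockout if the servers are unreachable"))
        if "local" in methods and not cfg["usernames"]:
            findings.append(("local-without-username", f"{label}: falls back to local but no username is configured"))
    for cat, kind, name in cfg["refs"]:
        if (cat, kind, name) not in cfg["lists"]:
            findings.append(("undefined-list", f"line applies {cat} {kind} {name} but no 'aaa {cat} {kind} {name}' list is defined"))
    return findings

if __name__ == "__main__":
    for rule, message in audit(SAMPLE):
        print(f"{rule:24} {message}")
```

`audit(SAMPLE)` returns three findings (`method-none` for the `console-auth` list, `no-fallback` for the authorization list, and `undefined-list` for the VTY line that applies `accounting exec default` while only a `connection` accounting list exists), while `audit(CLEAN)` returns an empty list. The `undefined-list` rule is the one that catches a line applying a method list that was never defined, the most common way a "configured" accounting or authorization policy silently does nothing.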