AAA is a foundational security framework used in networking to manage user access and enforce policies. It stands for:

- Authentication – verifying a user's identity.
- Authorization – determining what resources a user is allowed to access.
- Accounting – logging user activity for audit and billing purposes.
AAA emerged from the need to secure increasingly complex and distributed networks. In early systems, access control was limited to simple passwords. As organizations adopted remote access, VPNs, and multi-user devices, a scalable and flexible access control method became necessary. AAA was formalized by protocols like RADIUS and TACACS+, and became a standard in enterprise-grade network infrastructure.
AAA operates by decoupling access control from the device itself, enabling centralized control via an external server (such as a RADIUS or TACACS+ server). Here's a high-level flow:

- Authentication: When a user connects to a network device (via SSH, console, etc.), the device forwards their credentials to an external server (e.g., RADIUS) or checks them against its local database.
- Authorization: Once authenticated, the server tells the device what the user may do (e.g., enter privileged EXEC mode, run certain commands). With RADIUS these attributes ride along in the same Access-Accept that grants the login; TACACS+ runs a separate authorization exchange, which is why per-command authorization is available only with TACACS+.
- Accounting: The device records the session details (login time, commands run, logout time) and sends them to the accounting server.

This approach allows network admins to centrally manage user permissions, enforce policy, and maintain logs for compliance and troubleshooting.
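The exchange above in working form, as an added example that is not part of the original page and is not Cisco's or any RADIUS server's code: the NAS hides the password with the shared secret (RFC 2865), the server checks it and answers an Access-Accept that carries the EXEC authorization attributes (Service-Type and the cisco-avpair `shell:priv-lvl`), and the NAS refuses any reply whose Response Authenticator does not verify against the secret. The users, passwords, addresses and secret are constructed sample values; it runs offline with the standard library only.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) between a NAS and a server.
Added example for this page, not code from the page's author or from Cisco; user names,
passwords, addresses and the shared secret are constructed sample values."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
SERVICE_TYPE_ADMINISTRATIVE = 6          # IOS treats this as privilege level 15

def attr(atype, value):
    """One Type-Length-Value attribute; the length counts the 2-byte header."""
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text):
    """Vendor-Specific attribute carrying a cisco-avpair string such as shell:priv-lvl=15."""
    inner = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte chunks with MD5(secret + previous chunk), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, last = b"", request_auth
    for i in range(0, len(padded), 16):
        last = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + last).digest()))
        out += last
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the keystream chains on the hidden chunks, not the plaintext."""
    out, last = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + last).digest()))
        last = chunk
    return out.rstrip(b"\x00")

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def build_access_request(ident, user, password, secret):
    """NAS side. Returns (packet, Request Authenticator); the NAS keeps the latter to check the reply."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 50])))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def server_handle(request, secret, users):
    """Server side: recover the password, check it, and answer with the authorization attributes."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    fields = dict(parse_attrs(request[20:length]))
    user = fields[USER_NAME].decode()
    password = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    entry = users.get(user)
    if entry is None or entry["password"].encode() != password:
        reply_code, attrs = ACCESS_REJECT, b""
    else:
        reply_code = ACCESS_ACCEPT
        attrs = (attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
                 + cisco_avpair(f"shell:priv-lvl={entry['priv']}"))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", reply_code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def nas_verify(reply, request_auth, secret):
    """NAS side: discard any reply whose authenticator fails, then read the privilege level."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    if hashlib.md5(reply[:4] + request_auth + attrs + secret).digest() != reply[4:20]:
        return {"accepted": False, "reason": "bad response authenticator"}
    if code != ACCESS_ACCEPT:
        return {"accepted": False, "reason": "access rejected"}
    priv = 1                                   # IOS default EXEC privilege level
    for atype, value in parse_attrs(attrs):
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            text = value[6:].decode()          # skip Vendor-Id(4), vendor type(1), vendor length(1)
            if text.startswith("shell:priv-lvl="):
                priv = int(text.split("=", 1)[1])
    return {"accepted": True, "priv": priv}

def login(user, password, secret, users, server_secret=None):
    """Drive one exchange; server_secret lets you simulate a mismatched shared key."""
    req, request_auth = build_access_request(7, user, password, secret)
    reply = server_handle(req, server_secret or secret, users)
    return nas_verify(reply, request_auth, secret)

USERS = {"admin": {"password": "StrongPass123", "priv": 15},
         "ops": {"password": "correct horse battery staple", "priv": 7}}   # constructed
SECRET = b"RadiusSecret"

if __name__ == "__main__":
    print(login("admin", "StrongPass123", SECRET, USERS))
    print(login("admin", "wrong", SECRET, USERS))
    print(login("admin", "StrongPass123", SECRET, USERS, server_secret=b"Mismatch"))
```

Two things to notice for the sections that follow: the authorization attributes travel in the same Access-Accept as the authentication verdict, which is exactly what `aaa authorization exec ... group radius` consumes, and a server configured with a different key is caught only by the NAS's authenticator check. The shared secret is the whole security of this exchange, so it should be long, unique per device, and never a dictionary word.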
A minimal configuration that enables AAA and points it at a RADIUS server:

```text
aaa new-model                                          ! enable AAA: access control now goes through AAA method lists and external servers
radius-server host 192.0.2.1 key MySecretKey           ! define the RADIUS server (e.g., Cisco ACS) and the shared secret
aaa authentication login default group radius local    ! logins: ask RADIUS; use local accounts only if no RADIUS server answers
aaa authorization exec default group radius local      ! EXEC authorization: same order, same fallback rule
aaa accounting exec default start-stop group radius    ! send a start and a stop record for every EXEC session to RADIUS
```

Two practical notes. `aaa new-model` must be entered first: the other `aaa` commands are not accepted until it is, and the moment it is entered every line starts using the `default` login list, so create a local user and keep a console session open before enabling it. On current IOS and IOS XE releases `radius-server host` is the legacy form; the same server is defined with `radius server NAME`, `address ipv4 192.0.2.1 auth-port 1812 acct-port 1813` and `key MySecretKey`, and is then referenced with `group radius` exactly as above.
## Authentication

`aaa authentication login default group radius local`
This command defines how users are authenticated when they log in (console or VTY) using the default method list. The methods are tried in order: RADIUS first, then the local user database. The local fallback is used only when no RADIUS server in the group answers (the method returns an error); if a RADIUS server answers with a reject, the login fails and the local database is never consulted. Treating "RADIUS said no" as "try local" is the most common misreading of this command.
| Keyword | Meaning |
|---|---|
| aaa | Begins an AAA-related configuration line |
| authentication | Specifies the configuration is for authentication (who the user is) |
| login | Applies this method list to login events (e.g., console, VTY, SSH access) |
| default | Name of the method list; default applies to all lines unless overridden |
| group radius | First tries authentication via the configured RADIUS server(s) |
| local | Used only if the RADIUS servers are unreachable; a RADIUS reject does not fall through to the local user database |
Options for `aaa authentication`:

- Authentication type:
  - login – For user login (VTY, console)
  - enable – For enable mode access
  - dot1x – For 802.1X port authentication
  - ppp – For PPP session authentication
  - arap – For AppleTalk Remote Access Protocol
- Method list name:
  - default – Reserved name that applies to all lines and interfaces unless a named list is applied to them
  - a custom name (e.g., vpn-users, console-auth) – Applied explicitly, for instance with `login authentication vpn-users` under the line
- Methods (tried in order; the next method is consulted only if the previous one returned an error, not a reject):
  - group radius – Use RADIUS servers
  - group tacacs+ – Use TACACS+ servers
  - local – Use the local user database (`username` commands)
  - line – Use the password defined under `line vty` or `line console`
  - none – No authentication (⚠️ not recommended)

Full example:

```text
username admin privilege 15 secret StrongPass123
aaa new-model
radius-server host 192.0.2.10 key RadiusSecret
aaa authentication login default group radius local
line vty 0 4
 login authentication default
```

The local account is created before `aaa new-model` so that the console is never left without a working login when AAA takes effect. Applying `login authentication default` under the VTY lines is redundant (the default list applies anyway) but makes the intent visible in the configuration.
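The fallback rule, modelled as a small method-list evaluator. This is an added example, not code from the page or from Cisco; the reachability flag, user tables and passwords are constructed inputs. It shows the three cases that matter: a RADIUS reject ends the evaluation, an unreachable server hands over to `local`, and a trailing `none` accepts anyone once the server is down.

```python
"""Model of IOS AAA method-list evaluation (added example, not Cisco code).
Rule being modelled: a method that returns ERROR (no server answered) hands over
to the next method in the list; a method that returns FAIL (an explicit reject)
ends the evaluation with a denied login."""
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def method_radius(username, password, ctx):
    """group radius: ERROR when no server answers, otherwise the server's verdict."""
    if not ctx["radius_reachable"]:
        return ERROR
    return PASS if ctx["radius_users"].get(username) == password else FAIL

def method_local(username, password, ctx):
    """local: FAIL when no matching username/password; an empty local database also fails."""
    return PASS if ctx["local_users"].get(username) == password else FAIL

def method_line(username, password, ctx):
    """line: compare against the line password only."""
    return PASS if ctx.get("line_password") == password else FAIL

def method_none(username, password, ctx):
    """none: accept unconditionally."""
    return PASS

METHODS = {"group radius": method_radius, "local": method_local,
           "line": method_line, "none": method_none}

def evaluate(method_list, username, password, ctx):
    """Walk the list left to right and return (decision, method that decided).
    Only ERROR moves on to the next method; if every method errors the login is
    denied, there is no implicit fallback to 'none'."""
    for name in method_list:
        result = METHODS[name](username, password, ctx)
        if result != ERROR:
            return result, name
    return FAIL, "all methods returned ERROR"

CTX = {  # constructed sample data
    "radius_reachable": True,
    "radius_users": {"alice": "Rad1usPw!"},
    "local_users": {"admin": "StrongPass123"},
    "line_password": "cisco",
}

if __name__ == "__main__":
    lst = ["group radius", "local"]
    print(evaluate(lst, "alice", "Rad1usPw!", CTX))      # RADIUS accepts
    print(evaluate(lst, "admin", "StrongPass123", CTX))  # RADIUS rejects: local is never tried
    down = dict(CTX, radius_reachable=False)
    print(evaluate(lst, "admin", "StrongPass123", down)) # server unreachable: local answers
    print(evaluate(["group radius", "none"], "anyone", "", down))  # why 'none' is dangerous
```

The second case is the one that surprises people: the local `admin` account exists, but while RADIUS is reachable it is unusable on a `group radius local` list, because the reject from RADIUS is final. The last case shows the opposite failure: with `none` at the end, a RADIUS outage turns into an open door.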
## Authorization

`aaa authorization exec default group radius local`
This command controls what happens after a user successfully logs in: whether they are given an EXEC session (CLI access) and at what privilege level, and which source decides. With RADIUS the answer comes from attributes in the Access-Accept (Service-Type, or the cisco-avpair `shell:priv-lvl=N`); with TACACS+ it comes from a separate authorization exchange. Authorization is not applied to the console line unless `aaa authorization console` is also configured, which is a deliberate safeguard against locking yourself out of the device.
| Keyword | Meaning |
|---|---|
| aaa | Begins an AAA-related configuration line |
| authorization | Specifies the configuration is for authorization (what you can do) |
| exec | Refers to EXEC mode (user shell/CLI access after login) |
| default | Method list name; default applies globally unless overridden |
| group radius | Try RADIUS server(s) first to authorize the user |
| local | Used only if the RADIUS servers are unreachable; the privilege level then comes from the local `username` entry |
Options for `aaa authorization`:

- Authorization type:
  - exec – Authorize starting an EXEC session and set its privilege level
  - commands <level> – Authorize each command at that privilege level individually (TACACS+ only; RADIUS has no per-command authorization)
  - network – Authorize network services such as PPP, SLIP and ARAP
  - reverse-access – Authorize reverse Telnet sessions
  - configuration – Download the device configuration from the AAA server
- Methods (same error-versus-reject rule as authentication):
  - group radius – Use RADIUS servers
  - group tacacs+ – Use TACACS+ servers
  - local – Use the privilege level from the local `username` entry
  - if-authenticated – Permit whenever the user has authenticated successfully
  - none – Allow without any authorization checks (⚠️ not secure)

Full example:

```text
username admin privilege 15 secret StrongPass123
aaa new-model
radius-server host 192.0.2.10 key RadiusSecret
aaa authorization exec default group radius local
line vty 0 4
 authorization exec default
```
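Per-command authorization is the case where TACACS+ is required. The following added example (not code from the page's author, from Cisco, or from any TACACS+ server) walks through the authorization REQUEST and RESPONSE pair from RFC 8907 behind `aaa authorization commands 15 default group tacacs+`: the device sends `service=shell`, `cmd=...` and `cmd-arg=...` arguments, the server matches the rebuilt command line against a per-user permit list, and the device reads PASS_ADD or FAIL from the reply. The session id, key, users, port names, address and policy are constructed.

```python
"""TACACS+ per-command authorization exchange (RFC 8907). Added example, not code from
this page, from Cisco or from any TACACS+ server; key, users and policy are constructed."""
import hashlib
import os
import re
import struct

VERSION = 0xC0                           # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_FAIL = 0x01, 0x10

def pseudo_pad(session_id, key, seq_no, length):
    """Keystream: MD5(session_id, key, version, seq_no[, previous digest]) until long enough."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(session_id, key, seq_no, body):
    """Body obfuscation is a plain XOR with the keystream; it is symmetric and has no integrity check."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def pack(session_id, key, seq_no, body):
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + xor_body(session_id, key, seq_no, body)

def unpack(packet, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if version != VERSION or ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("malformed TACACS+ authorization packet")
    return seq_no, session_id, xor_body(session_id, key, seq_no, packet[12:])

def author_request(session_id, key, user, priv_lvl, port, rem_addr, args):
    """Device side (seq_no 1): fixed fields, then arg lengths, then user/port/rem_addr/args."""
    enc = [a.encode() for a in args]
    body = bytes([AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                  len(user), len(port), len(rem_addr), len(enc)])
    body += bytes(len(a) for a in enc) + user.encode() + port.encode() + rem_addr.encode() + b"".join(enc)
    return pack(session_id, key, 1, body)

def parse_request(body):
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    arg_lens = list(body[8:8 + arg_cnt])
    pos = 8 + arg_cnt
    user = body[pos:pos + user_len].decode()
    pos += user_len + port_len + rem_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return {"user": user, "priv_lvl": body[1], "args": args}

def decide(req, policy):
    """Server policy: rebuild the command line and match it against the user's permit regexes."""
    fields = dict(a.split("=", 1) for a in req["args"])
    cmd_args = [a.split("=", 1)[1] for a in req["args"] if a.startswith("cmd-arg=")]
    cmdline = " ".join([fields.get("cmd", "")] + [x for x in cmd_args if x != "<cr>"]).strip()
    rules = policy.get(req["user"], {}).get("permit", [])
    return AUTHOR_STATUS_PASS_ADD if any(re.fullmatch(r, cmdline) for r in rules) else AUTHOR_STATUS_FAIL

def author_response(session_id, key, seq_no, status, server_msg=""):
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg   # status, arg_cnt, server_msg_len, data_len
    return pack(session_id, key, seq_no, body)

def authorize_command(user, priv_lvl, cmd, cmd_args, key, policy):
    """Run both sides over the wire format and return (status, server_msg) as the device sees it."""
    session_id = int.from_bytes(os.urandom(4), "big")
    args = ["service=shell", f"cmd={cmd}"] + [f"cmd-arg={a}" for a in cmd_args] + ["cmd-arg=<cr>"]
    wire = author_request(session_id, key, user, priv_lvl, "tty1", "192.0.2.99", args)
    seq_no, sid, body = unpack(wire, key)                       # server side
    status = decide(parse_request(body), policy)
    msg = "" if status == AUTHOR_STATUS_PASS_ADD else "command denied by policy"
    reply = author_response(sid, key, seq_no + 1, status, msg)
    _, _, rbody = unpack(reply, key)                            # device side
    rstatus, _, msg_len, _ = struct.unpack("!BBHH", rbody[:6])
    return rstatus, rbody[6:6 + msg_len].decode()

POLICY = {  # constructed: netops may only run show commands, admin may run anything
    "netops": {"permit": [r"show .*"]},
    "admin": {"permit": [r".*"]},
}
KEY = b"TacacsSecret"

if __name__ == "__main__":
    print(authorize_command("netops", 15, "show", ["running-config"], KEY, POLICY))
    print(authorize_command("netops", 15, "configure", ["terminal"], KEY, POLICY))
```

The body obfuscation is an MD5 keystream XOR with no integrity check, so a mismatched key produces garbage that the peer usually fails to parse rather than a clean error; on the device this surfaces as authorization errors rather than a key mismatch message. RFC 8907 describes this obfuscation as providing no real protection, which is why TACACS+ traffic belongs on a management network or inside a tunnel.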
## Accounting
`aaa accounting connection default start-stop group radius`

This command enables accounting for connections the device opens on behalf of a logged-in user (outbound Telnet, rlogin and similar), sending one record to the RADIUS server when a connection starts and another when it ends. The CLI session itself is accounted separately by the `exec` category, and per-command accounting (`commands <level>`) is available only with TACACS+, so a RADIUS-only deployment cannot log which commands an administrator ran.
| Keyword | Meaning |
|---|---|
| aaa | Begins an AAA-related configuration line |
| accounting | Specifies this is for accounting (tracking and logging activity) |
| connection | Tracks outbound connections made from the device for a user (e.g., Telnet, rlogin) |
| default | Method list name; applies globally unless overridden |
| start-stop | Sends an accounting record when the session starts and another when it ends |
| group radius | Sends accounting records to the configured RADIUS server group |
Options for `aaa accounting`:

- Accounting type:
  - exec – Account for CLI EXEC sessions (login, logout, session duration)
  - commands <level> – Account for each command executed at that privilege level (TACACS+ only)
  - connection – Account for outbound connections made from the device (Telnet, rlogin and similar)
  - network – Account for network service sessions such as PPP, SLIP and ARAP, including packet and byte counts
- Method list name:
  - default – Applies to all relevant sessions unless overridden by a named list
- Record type:
  - start-stop – Send a record when the session starts and another when it stops
  - stop-only – Send only a stop record when the session ends
  - none – Disable accounting for this category
- Server group: `group radius` or `group tacacs+`

Full example:

```text
aaa new-model
radius-server host 192.0.2.10 key RadiusSecret
aaa accounting connection default start-stop group radius
aaa accounting exec default start-stop group radius
line vty 0 4
 accounting exec default
```

The `accounting exec default` line under the VTYs only does something if an `exec` accounting list named `default` exists, so the example defines one next to the `connection` list; the `connection` list is applied to all lines automatically because it is the default list.
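Start and Stop records for an EXEC session in working form (RFC 2866), as an added example that is not code from the page's author or from Cisco. The NAS side signs each Accounting-Request with the accounting Request Authenticator, the collector side recomputes it before trusting the record and correlates Start and Stop by Acct-Session-Id into a session ledger; a record built with the wrong secret is dropped rather than logged. All names, addresses, session ids and secrets are constructed sample values.

```python
"""RADIUS accounting (RFC 2866) Start/Stop records for an EXEC session.
Added example, not code from the page's author or from Cisco; all values are constructed."""
import hashlib
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 4, 6
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 40, 44, 46, 49
ACCT_START, ACCT_STOP = 1, 2
SERVICE_TYPE_NAS_PROMPT = 7              # an EXEC (CLI) session
ACCT_TERM_USER_REQUEST = 1               # Acct-Terminate-Cause: user logged out

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def u32(n):
    return struct.pack("!I", n)

def accounting_request(ident, attrs, secret):
    """RFC 2866 section 3: authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + auth + attrs

def start_record(ident, user, session_id, secret):
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 50]))
             + attr(SERVICE_TYPE, u32(SERVICE_TYPE_NAS_PROMPT)) + attr(ACCT_STATUS_TYPE, u32(ACCT_START))
             + attr(ACCT_SESSION_ID, session_id.encode()))
    return accounting_request(ident, attrs, secret)

def stop_record(ident, user, session_id, seconds, cause, secret):
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 50]))
             + attr(ACCT_STATUS_TYPE, u32(ACCT_STOP)) + attr(ACCT_SESSION_ID, session_id.encode())
             + attr(ACCT_SESSION_TIME, u32(seconds)) + attr(ACCT_TERMINATE_CAUSE, u32(cause)))
    return accounting_request(ident, attrs, secret)

def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        out[atype] = data[i + 2:i + alen]
        i += alen
    return out

def verify(packet, secret):
    """Collector side: recompute the authenticator before believing anything in the record."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs + secret).digest()
    return code == ACCOUNTING_REQUEST and expected == packet[4:20]

def ingest(packets, secret):
    """Build a ledger keyed by Acct-Session-Id; returns (ledger, number of rejected records)."""
    ledger, rejected = {}, 0
    for pkt in packets:
        if not verify(pkt, secret):
            rejected += 1
            continue
        a = parse_attrs(pkt[20:])
        sid = a[ACCT_SESSION_ID].decode()
        entry = ledger.setdefault(sid, {"user": a[USER_NAME].decode(), "start": False, "stop": False})
        status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
        if status == ACCT_START:
            entry["start"] = True
        elif status == ACCT_STOP:
            entry["stop"] = True
            entry["seconds"] = struct.unpack("!I", a[ACCT_SESSION_TIME])[0]
            entry["cause"] = struct.unpack("!I", a[ACCT_TERMINATE_CAUSE])[0]
    return ledger, rejected

SECRET = b"RadiusSecret"

def sample_packets():
    """Constructed traffic: one complete session plus a Stop signed with the wrong secret."""
    return [
        start_record(1, "admin", "00000001", SECRET),
        stop_record(2, "admin", "00000001", 327, ACCT_TERM_USER_REQUEST, SECRET),
        stop_record(3, "admin", "00000002", 5, ACCT_TERM_USER_REQUEST, b"WrongSecret"),
    ]

if __name__ == "__main__":
    ledger, rejected = ingest(sample_packets(), SECRET)
    print(ledger)
    print("rejected records:", rejected)
```

Accounting runs over UDP and the device retransmits unacknowledged requests, but a Start with no matching Stop still usually means a reload or a lost packet rather than an endless session, so audit tooling should report orphaned Starts explicitly instead of silently assuming the session ended.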