AAA Cisco Device Security - Example Configurations

2025 Jan 12

What is AAA Authentication, Authorization, and Accounting?

Authentication, Authorization, and Accounting (AAA) is a framework used in computer networking for device management and access control. AAA relies on the RADIUS and TACACS protocols for centralized access control, and for accounting of network services and consumed resources. In other words, a network device can request AAA security features from a RADIUS or TACACS server.

AAA authentication with RADIUS Server and packet capture

The above packet capture shows that UDP ports 1645 and 1812 are used for authentication. UDP ports 1646 and 1813, on the other hand, are used for AAA Accounting packets. TACACS uses TCP port 49.

A number of authentication and authorization features can be configured without AAA; however, AAA provides many more options, such as method lists, integration with RADIUS and TACACS, and integration with 802.1X port-based network access control (PNAC).

AAA enables a scalable security architecture. It is also used to authenticate wireless devices and to keep track of the clients that connect to the wireless network (with AAA Accounting). AAA can even download an ACL or QoS profile for a specific client device from a RADIUS server (with the AAA override feature). Additionally, AAA is used with FlexVPN.

How to test the AAA configuration on a Cisco device?

There is a method to test the AAA configuration on a local network device without using an end user or host device. The following two commands verify whether the username/password configured on the RADIUS server would be able to log in to the local device R1.

R1#
R1#
R1#test aaa group radius ADMIN P4SSW0RD4 new-code
User successfully authenticated

USER ATTRIBUTES

Message-Authenticato 0   
R1#
R1#
R1#
R1#test aaa group radius ADMIN P4SSW0RD4 legacy  
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

R1#
R1#

In other words, R1 is able to check whether the RADIUS server is reachable over the RADIUS protocol, and whether the username ADMIN with the password P4SSW0RD4 is configured on the server. Both are required for an administrator to log in remotely to R1.

However, in the larger context there are multiple authentication processes that take place. Within the AAA framework, the RADIUS server first needs to authenticate the RADIUS client, which is R1. Only after the RADIUS server and client are authenticated can the supplicant (end user device or administrator) authentication process move forward.
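The exchange described above, a RADIUS Access-Request from R1 to the server, as an added Python example that is not part of the original post: it builds the packet as RFC 2865 and RFC 2869 specify, hiding User-Password with the shared secret and adding the Message-Authenticator attribute that the test aaa output lists, then performs the server-side check that authenticates the RADIUS client (R1) before the user's credentials are looked at. The shared secret P4SSW0RD3 and NAS address 10.0.0.1 are taken from the page's later configurations; the identifier, request authenticator and attribute order are constructed for the illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                                           # RFC 2865 code
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_MSG_AUTH = 1, 2, 4, 80

def _attr(atype, value):                                     # Type | Length | Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; the MD5 chain is keyed on the hidden blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, nas_ip, identifier, req_auth=None):
    """What the NAS (R1) sends to UDP/1812 for 'test aaa' or a VTY login."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_MSG_AUTH, b"\x00" * 16))           # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with Message-Authenticator zeroed
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def parse_attrs(packet):
    """Return [(type, value_offset, value)]; reject truncated or zero-length attributes."""
    pos, attrs = 20, []
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def server_verify(packet, secret):
    """Server side: authenticate the RADIUS client (R1) under the shared secret first.
    Returns (username, password) on success, None if the packet must be discarded."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("bad RADIUS header")
    found = {atype: (off, val) for atype, off, val in parse_attrs(packet)}
    if ATTR_MSG_AUTH not in found:
        return None                             # require it rather than fall back
    off, mac = found[ATTR_MSG_AUTH]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return None                             # wrong secret: client not authenticated
    password = unhide_password(found[ATTR_USER_PASSWORD][1], secret, packet[4:20])
    return found[ATTR_USER_NAME][1], password

if __name__ == "__main__":
    pkt = build_access_request(b"ADMIN", b"P4SSW0RD4", b"P4SSW0RD3", "10.0.0.1", 7)
    print(server_verify(pkt, b"P4SSW0RD3"))     # (b'ADMIN', b'P4SSW0RD4')
    print(server_verify(pkt, b"wrong-secret"))  # None
```

A server configured with a different key than R1's `key P4SSW0RD3` never reaches the username check, which is why a mismatched shared secret shows up as a silent timeout on the device rather than as a rejection.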

Meanwhile, if the RADIUS server is not reachable, an administrator may be locked out from R1. For this reason, local authentication is usually also configured on the RADIUS client (R1).

AAA authentication configuration explained

What is the difference between a default and a named method list?

Method lists can be used with authentication, authorization and accounting. A default method list applies its configured settings to all lines. However, if a named method list is configured and applied to a line, it overrides the default method list on that line.

This also means that a default method list does not need to be applied to any individual line. A named method list, however, must be applied to specific lines in order to take effect. These details are shown in the following example configurations, where Telnet authentication uses the local database.

R1>
R1>enable
R1#configure terminal  
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#username ADMIN secret P4SSW0RD
R1(config)#
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#transport input telnet
R1(config-line)#
R1(config-line)#exit
R1(config)#exit
R1#


Above (first example), a default method list is shown. Below (second example), a named method list is shown.


R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#username ADMIN secret P4SSW0RD
R1(config)#
R1(config)#aaa new-model
R1(config)#aaa authentication login EXAMPLE-METHOD local
R1(config)#
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#login authentication EXAMPLE-METHOD
R1(config-line)#transport input telnet
R1(config-line)#
R1(config-line)#exit
R1(config)#exit
R1#

In the second example, the named method list is applied only to the VTY lines. As a result, the local authentication method is requested for remote-access Telnet sessions, but no authentication is requested for access through the console port (line console).

SSH authentication with default method list using local username

In the following example scenario, R1 enables SSH remote access with local username authentication for all lines, using the AAA default method list. Note that only SSH remote access is permitted on the VTY lines, not Telnet and not rlogin. It is important to create the enable password as well, because it is required to enter privileged EXEC mode and, from there, global configuration mode on R1.

R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#ip domain-name EXAMPLE.COM
R1(config)#
R1(config)#
R1(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: R1.EXAMPLE.COM

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

R1(config)#
R1(config)#
R1(config)#ip ssh version 2
R1(config)#
R1(config)#
R1(config)#username ADMIN secret P4SSW0RD
R1(config)#enable secret P4SSW0RD
R1(config)#
R1(config)#
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#    
R1(config-line)#exit
R1(config)#exit
R1#

As a result, R2 can log in to R1 using SSH with the local authentication method. Notice that the privilege level is verified at each stage of the login process. By default, two privilege levels are used: level 1 for user EXEC mode and level 15 for privileged EXEC mode (which includes global configuration commands).

R2>
R2>enable
R2#
R2#ssh -l ADMIN 10.0.0.1
Password: 


R1>
R1>    
R1>show privilege
Current privilege level is 1
R1>
R1>
R1>enable
Password: 
R1#    
R1#
R1#show privilege
Current privilege level is 15
R1#
R1#
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#do show privilege
Current privilege level is 15
R1(config)#
R1(config)#
R1(config)#do show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:59   
*578 vty 0     ADMIN      idle                 00:00:00 10.0.0.2

  Interface    User               Mode         Idle     Peer Address

R1(config)#
R1(config)#

SSH authentication with default method list using line password

In the following example scenario, SSH is configured on R1 with an AAA default method list which instructs all login authentication attempts to use the line password. The local username is configured without a password, because each line has its own authentication password.

Additionally, in the VTY line configuration mode, the privilege level 15 command is added. As a result, the enable password is no longer requested for remote SSH sessions through the VTY lines, and instead the remote users are automatically logged in to privileged EXEC mode.

R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#ip domain-name EXAMPLE.COM
R1(config)#
R1(config)#
R1(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: R1.EXAMPLE.COM

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

R1(config)#
R1(config)#
R1(config)#ip ssh version 2
R1(config)#
R1(config)#
R1(config)#username ADMIN 
R1(config)#
R1(config)#
R1(config)#aaa new-model
R1(config)#aaa authentication login default line
R1(config)#
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#password P4SSW0RD1
R1(config-line)#privilege level 15
R1(config-line)#
R1(config-line)#exit
R1(config)#
R1(config)#
R1(config)#line console 0
R1(config-line)#password P4SSW0RD2
R1(config-line)#
R1(config-line)#exit
R1(config)#exit
R1#
R1#

SSH authentication with default method list using RADIUS servers

In the following example scenario, R1 has two RADIUS servers configured in separate server groups. AAA authentication is configured on R1 with a default method list that includes all RADIUS servers (from each server group). This means R1 polls the servers in order of configuration until a server answers the RADIUS Access-Request to authenticate the host.

Privilege level 15 is configured under the VTY lines, so the enable password is not needed. However, note that a local login method is not configured in this example. This means that if both RADIUS servers are unavailable, it will not be possible to authenticate and log in to R1.

AAA server group configuration includes two RADIUS servers for authentication

R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#ip domain-name EXAMPLE.COM
R1(config)#
R1(config)#
R1(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: R1.EXAMPLE.COM

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

R1(config)#
R1(config)#
R1(config)#ip ssh version 2
R1(config)#
R1(config)#
R1(config)#aaa new-model
R1(config)#
R1(config)#
R1(config)#radius server EXAMPLE-SERVER1
R1(config-radius-server)#address ipv4 192.168.0.148 auth-port 1812 acct-port 1813     
R1(config-radius-server)#key P4SSW0RD3
 WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config-radius-server)#
R1(config-radius-server)#exit
R1(config)#
R1(config)#
R1(config)#radius server EXAMPLE-SERVER2
R1(config-radius-server)#address ipv4 192.168.0.147 auth-port 1812 acct-port 1813      
R1(config-radius-server)#key P4SSW0RD3
 WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config-radius-server)#
R1(config-radius-server)#exit
R1(config)#
R1(config)#
R1(config)#aaa group server radius EXAMPLE-GROUP1
R1(config-sg-radius)#server name EXAMPLE-SERVER1
R1(config-sg-radius)#    
R1(config-sg-radius)#exit
R1(config)#
R1(config)#
R1(config)#aaa group server radius EXAMPLE-GROUP2
R1(config-sg-radius)#server name EXAMPLE-SERVER2
R1(config-sg-radius)#
R1(config-sg-radius)#exit
R1(config)#
R1(config)#
R1(config)#aaa authentication login default group radius
R1(config)#
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#privilege level 15
R1(config-line)#
R1(config-line)#exit
R1(config)#exit
R1#
R1#

SSH authentication with named method list using RADIUS server group

In the following example, R1 has an AAA named method list configured which uses a server group with two RADIUS servers attached. The named method list is called EXAMPLE-METHOD and is applied to authenticate SSH remote access requests on the VTY lines.

As in the previous example, the enable password is not needed, since users logging in through the VTY lines automatically get access to privileged EXEC mode (privilege level 15). Similarly to the previous example, the two RADIUS servers are polled in the order of configuration until an authentication request is answered. If none of the servers is available, login to R1 is not possible.

R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#ip domain-name EXAMPLE.COM
R1(config)#
R1(config)#
R1(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: R1.EXAMPLE.COM

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

R1(config)#
R1(config)#
R1(config)#ip ssh version 2
R1(config)#
R1(config)#
R1(config)#aaa new-model
R1(config)#
R1(config)#
R1(config)#radius server EXAMPLE-SERVER1
R1(config-radius-server)#address ipv4 192.168.0.148 auth-port 1812 acct-port 1813    
R1(config-radius-server)#key P4SSW0RD3
 WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config-radius-server)#
R1(config-radius-server)#exit
R1(config)#
R1(config)#
R1(config)#radius server EXAMPLE-SERVER2
R1(config-radius-server)#address ipv4 192.168.0.147 auth-port 1812 acct-port 1813       
R1(config-radius-server)#key P4SSW0RD3
 WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config-radius-server)#  
R1(config-radius-server)#exit 
R1(config)#
R1(config)#
R1(config)#aaa group server radius EXAMPLE-GROUP
R1(config-sg-radius)#server name EXAMPLE-SERVER1
R1(config-sg-radius)#server name EXAMPLE-SERVER2
R1(config-sg-radius)#
R1(config-sg-radius)#exit
R1(config)#
R1(config)#
R1(config)#aaa authentication login EXAMPLE-METHOD group EXAMPLE-GROUP
R1(config)#
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#login authentication EXAMPLE-METHOD
R1(config-line)#transport input ssh
R1(config-line)#privilege level 15
R1(config-line)#
R1(config-line)#exit
R1(config)#exit
R1#

SSH authentication with named method list using TACACS servers and fallback local login

In the following example, R1 has two TACACS servers configured for AAA authentication, but R1 also has a local login method as a fallback in case none of the servers is reachable. In this scenario that is exactly what happens: both servers are unavailable, so R1 relies on the local login method (username/password and enable password) to grant remote access through SSH.

Note that the command aaa authentication login EXAMPLE-METHOD group EXAMPLE-GROUP local assigns the two login methods on R1. First, the server group with the TACACS servers is attempted for authentication. If the servers cannot be reached, the local login method is used.

R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#ip domain-name EXAMPLE.COM
R1(config)#
R1(config)#
R1(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: R1.EXAMPLE.COM

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

R1(config)#
R1(config)#
R1(config)#ip ssh version 2
R1(config)#
R1(config)#
R1(config)#username ADMIN secret P4SSW0RD1
R1(config)#enable secret P4SSW0RD2
R1(config)#
R1(config)#
R1(config)#aaa new-model
R1(config)#
R1(config)#
R1(config)#tacacs server EXAMPLE-SERVER1
R1(config-server-tacacs)#address ipv4 192.168.0.148
R1(config-server-tacacs)#key P4SSW0RD3
 WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config-server-tacacs)#
R1(config-server-tacacs)#exit
R1(config)#
R1(config)#
R1(config)#tacacs server EXAMPLE-SERVER2
R1(config-server-tacacs)#address ipv4 192.168.0.147
R1(config-server-tacacs)#key P4SSW0RD3
 WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
R1(config-server-tacacs)#
R1(config-server-tacacs)#exit
R1(config)#
R1(config)#
R1(config)#aaa group server tacacs+ EXAMPLE-GROUP
R1(config-sg-tacacs+)#server name EXAMPLE-SERVER1
R1(config-sg-tacacs+)#server name EXAMPLE-SERVER2
R1(config-sg-tacacs+)#
R1(config-sg-tacacs+)#exit
R1(config)#
R1(config)#
R1(config)#aaa authentication login EXAMPLE-METHOD group EXAMPLE-GROUP local
R1(config)#
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#login authentication EXAMPLE-METHOD
R1(config-line)#transport input ssh
R1(config-line)#
R1(config-line)#exit
R1(config)#exit
R1#
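The method-list evaluation behind the last three scenarios, as an added Python model that is not part of the original post: server-group members are polled in configuration order, and the next method in a list is consulted only when the previous one returns an error (no server answered), not when a server answers with a reject. The server-side credentials and reachability flags are constructed for the illustration; the names mirror the page's EXAMPLE-GROUP, EXAMPLE-SERVER1/2 and the local ADMIN user.

```python
from dataclasses import dataclass
from enum import Enum

class Result(Enum):
    PASS = "pass"    # the method answered and accepted the credentials
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (server unreachable)

@dataclass
class Server:
    """One 'radius server' / 'tacacs server' entry; users is a constructed stand-in
    for the server's credential database."""
    name: str
    reachable: bool
    users: dict

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL

@dataclass
class ServerGroup:
    """'aaa group server': members are polled in configuration order until one answers."""
    name: str
    servers: list

    def authenticate(self, user, password):
        for srv in self.servers:
            r = srv.authenticate(user, password)
            if r is not Result.ERROR:
                return r                 # the first server that answers decides
        return Result.ERROR              # every member timed out

@dataclass
class Local:
    """The 'local' method: 'username ... secret ...' entries on the device itself
    (simplified here: any mismatch is a FAIL)."""
    name: str
    users: dict

    def authenticate(self, user, password):
        return Result.PASS if self.users.get(user) == password else Result.FAIL

def evaluate(methods, user, password):
    """'aaa authentication login <list> m1 m2 ...': methods are tried in order, and the
    next one is consulted only after an ERROR. A PASS or FAIL ends the evaluation.
    Returns the final result and a (method, result) trail suitable for a log line."""
    trail = []
    for m in methods:
        r = m.authenticate(user, password)
        trail.append((m.name, r))
        if r is not Result.ERROR:
            return r, trail
    return Result.ERROR, trail           # nothing answered: login denied

def build_r1(server1_up, server2_up):
    """The page's EXAMPLE-GROUP and ADMIN user, with reachability as given."""
    srv_users = {"ADMIN": "P4SSW0RD4"}                       # constructed server entry
    group = ServerGroup("EXAMPLE-GROUP", [
        Server("EXAMPLE-SERVER1", server1_up, srv_users),
        Server("EXAMPLE-SERVER2", server2_up, srv_users)])
    local = Local("local", {"ADMIN": "P4SSW0RD1"})           # username ADMIN secret P4SSW0RD1
    return {"group-only": [group],               # ... EXAMPLE-METHOD group EXAMPLE-GROUP
            "group-then-local": [group, local]}  # ... EXAMPLE-METHOD group EXAMPLE-GROUP local

if __name__ == "__main__":
    lists = build_r1(server1_up=False, server2_up=False)
    print(evaluate(lists["group-only"], "ADMIN", "P4SSW0RD1"))        # ERROR: admin locked out
    print(evaluate(lists["group-then-local"], "ADMIN", "P4SSW0RD1"))  # PASS via local fallback
    lists = build_r1(server1_up=False, server2_up=True)
    print(evaluate(lists["group-then-local"], "ADMIN", "P4SSW0RD1"))  # FAIL: server 2 rejected,
                                                                      # local never consulted
```

The third call is the case to remember when an administrator reports being "locked out even though local is configured": a reachable server that rejects the password ends the evaluation, and the local database is only a fallback for unreachable servers.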

User authorization - create admin with limited user EXEC mode commands in modified privilege level 0

In the following example, a user authorization policy is created locally on R1; it does not rely on an AAA RADIUS or TACACS server. An administrator user account is configured with only limited troubleshooting options. The purpose of this account is to provide the minimum necessary tools for connectivity verification on R1.

Accordingly, the admin user is assigned to privilege level 0. By default, privilege level 0 permits only five commands. However, in this case some changes are made on R1.

  1. The enable command is removed from privilege level 0. This is accomplished by moving the enable command to privilege level 1. As a result, the logged-in admin user will not be able to elevate their own privilege level, and will be unable to access privileged EXEC mode or global configuration mode. Essentially, this user is locked into the very limited privilege level 0.
    R1(config)#
    R1(config)#privilege exec level 1 enable
    R1(config)#
    
  2. A number of basic commands are added to privilege level 0. These include the ping and traceroute tools, and two show subcommands: show ip route and show ip interface brief will be available for this admin user. This is achieved by moving these commands into privilege level 0.
    R1(config)#
    R1(config)#privilege exec level 0 ping
    R1(config)#privilege exec level 0 traceroute
    R1(config)#privilege exec level 0 show ip route
    R1(config)#privilege exec level 0 show ip interface brief
    R1(config)#
    R1(config)#
    R1(config)#exit
    R1#
    R1#show run | section ^privilege
    privilege exec level 0 traceroute
    privilege exec level 0 ping
    privilege exec level 0 show ip route
    privilege exec level 0 show ip interface brief
    privilege exec level 0 show ip interface
    privilege exec level 0 show ip
    privilege exec level 0 show
    R1#
    

In summary, three steps have been performed. First, an admin user is created with privilege level 0. Second, the user is denied the possibility to access a higher privilege level. Third, a limited set of troubleshooting tools is provided to this user. The full configuration, which requires enabling the AAA feature on R1, is shown below.

R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#privilege exec level 1 enable
R1(config)#privilege exec level 0 ping
R1(config)#privilege exec level 0 traceroute
R1(config)#privilege exec level 0 show ip route
R1(config)#privilege exec level 0 show ip interface brief
R1(config)#
R1(config)#
R1(config)#username ADMIN privilege 0 secret P4SSW0RD
R1(config)#
R1(config)#
R1(config)#aaa new-model
R1(config)#
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#transport input telnet
R1(config-line)#
R1(config-line)#exit
R1(config)#exit
R1#

When the administrator logs in from R2, the following options are available.

R2#
R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Username: ADMIN
Password: 

R1>?
Exec commands:
  <1-99>      Session number to resume
  disable     Turn off privileged commands
  exit        Exit from the EXEC
  help        Description of the interactive help system
  logout      Exit from the EXEC
  ping        Send echo messages
  show        Show running system information
  traceroute  Trace route to destination

R1>
R1>show ?
  call  Show call
  ip    IP information
  xos   Cross-OS Library Information and Traces

R1>show ip ?
  interface  IP interface status and configuration
  route      IP routing table

AAA Authorization to create admin with broad scope of access but no global configuration mode (using parser view)

In the following example, AAA local authorization is configured on R1 together with a parser view, and the parser view is attached to a local user. This means the AAA authorization policy is configured locally on R1 and does not rely on a RADIUS or TACACS server, and the authorization details configured in the parser view apply to one specific user only (called ADMIN).

As a result, a role-based CLI is created for the ADMIN user account. When an administrator logs in with this account, they can carry out only the tasks permitted by the parser view. Specifically, the ADMIN user has a modified privilege level 15 access with tools such as ping and traceroute available.

Additionally, the ADMIN user can use all show commands for troubleshooting. For example, they can verify the running configuration, use show archive config differences to see configuration changes, view NetFlow monitor output, and check current bandwidth or CPU utilization. The ADMIN user can also clear interface counters, which can be useful during troubleshooting.

However, this ADMIN user cannot access global configuration mode. This is the main purpose of the authorization policy. Namely, the administrator has a very broad range of troubleshooting options, but does not have access to change the running configuration.

R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#parser view EXAMPLE-VIEW
R1(config-view)#secret P4SSW0RD1
R1(config-view)#commands exec include all ping
R1(config-view)#commands exec include all traceroute
R1(config-view)#commands exec include all show
R1(config-view)#commands exec include all clear
R1(config-view)#commands exec exclude all enable
R1(config-view)#commands exec exclude all configure
R1(config-view)#    
R1(config-view)#exit
R1(config)#
R1(config)#
R1(config)#username ADMIN privilege 15 view EXAMPLE-VIEW secret P4SSW0RD2
R1(config)#
R1(config)#
R1(config)#aaa new-model
R1(config)#aaa authorization exec EXAMPLE-METHOD local
R1(config)#
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#authorization exec EXAMPLE-METHOD
R1(config-line)#transport input telnet
R1(config-line)#
R1(config-line)#exit
R1(config)#exit
R1#
R1#

When logged in from R2, the following options are available for the ADMIN user.

R2#
R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: ADMIN
Password: 

R1#
R1#?
Exec commands:
  <1-99>      Session number to resume
  clear       Reset functions
  do-exec     Mode-independent "do-exec" prefix support
  exit        Exit from the EXEC
  ping        Send echo messages
  show        Show running system information
  traceroute  Trace route to destination

R1#
R1#
R1#do-exec ?
  <1-99>      Session number to resume
  clear       Reset functions
  ping        Send echo messages
  show        Show running system information
  traceroute  Trace route to destination

R1#  
R1#
R1#show parser view
Current view is 'EXAMPLE-VIEW'

R1#
R1#
R1#show run | section parser 
R1#

As visible in the outputs above, when R2 logs in to R1 with the restricted ADMIN user account, the user can verify that a parser view is in use, but cannot see the details of the parser view in the running configuration.


You can find more information at the following external links:


Cisco - Configure Basic AAA on an Access Server

Cisco Learning - Introduction to AAA Implementation

Cisco - Role-Based CLI Access

RFC 2865 - Remote Authentication Dial In User Service (RADIUS)

RFC 8907 - The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol
