AAA Authentication and Authorization
AAA (Authentication, Authorization, and Accounting) is a fundamental security framework in CCNP Enterprise networks. Authentication verifies user identity through credentials like usernames and passwords, tokens, or certificates. It ensures only legitimate users access network resources. In CCNP ENCOR, you'll work with protocols like RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) for centralized authentication. Authorization determines what authenticated users can do after gaining access. It defines permissions and privileges for network resources, devices, and services. For example, a user might authenticate successfully but be authorized only to view configurations, not modify them. Authorization policies are typically enforced through access control lists (ACLs), role-based access control (RBAC), and attribute-based access control (ABAC). In the CCNP Security context, TACACS+ offers better authorization granularity than RADIUS because it separates the authentication, authorization, and accounting functions. RADIUS combines authentication and authorization but is more widely supported across network devices. Key differences: Authentication answers 'Who are you?', Authorization answers 'What can you do?', and Accounting tracks 'What did you do?'. CCNP candidates must understand implementing AAA on network devices like routers, switches, and access points using local databases or external servers. Practical implementation involves configuring AAA methods in priority order, using network policies to define user groups, and employing secure protocols.
CCNP Enterprise requires knowledge of integrating AAA with identity management systems, implementing device administration authorization (DAA), and securing AAA server communications using encryption and certificates to prevent unauthorized access and maintain network integrity.
CCNP ENCOR: AAA Authentication and Authorization - Complete Guide
Why AAA is Important
In modern networks, security is paramount. AAA (Authentication, Authorization, and Accounting) forms the foundation of network access control. Understanding AAA is critical for network administrators because:
- Access Control: AAA ensures only authorized users and devices can access network resources
- Security Compliance: Organizations must meet regulatory requirements (HIPAA, PCI-DSS, SOC 2) which rely on AAA implementations
- Audit Trail: AAA provides accountability by tracking who accessed what resources and when
- Risk Reduction: Proper AAA implementation significantly reduces the risk of unauthorized access and data breaches
- Network Integrity: Prevents unauthorized configuration changes that could compromise network stability
What is AAA?
AAA is a framework consisting of three distinct but complementary services:
1. Authentication (Who are you?)
Authentication verifies the identity of a user or device attempting to access network resources. It answers the question: Is this person really who they claim to be?
- Something you know: Passwords, PINs
- Something you have: Smart cards, hardware tokens, mobile devices
- Something you are: Biometrics (fingerprints, iris scans)
- Somewhere you are: Location-based authentication
2. Authorization (What are you allowed to do?)
Authorization determines what resources an authenticated user can access and what actions they can perform. It answers the question: Now that I know who you are, what are you permitted to do?
- Defines user privileges and permissions
- Controls command execution levels
- Restricts access to specific network resources
- Implements role-based access control (RBAC)
3. Accounting (What did you do?)
Accounting tracks and logs all user activities for auditing, billing, and compliance purposes. It answers the question: What actions did this user perform?
- Session start and stop times
- Commands executed
- Data transferred
- Resource usage
How AAA Works
AAA Architecture Components
AAA Client (Network Device): The device requesting AAA services (switch, router, access point)
AAA Server: The centralized server that authenticates users and provides authorization policies. Common protocols used between the AAA client and the server include:
- RADIUS (Remote Authentication Dial-In User Service): Uses UDP port 1812 for authentication/authorization and 1813 for accounting
- TACACS+ (Terminal Access Controller Access-Control System Plus): Uses TCP port 49, more granular control, Cisco proprietary improvement
- LDAP (Lightweight Directory Access Protocol): Directory service authentication, commonly used with Active Directory
- Kerberos: Network authentication protocol using tickets instead of passwords
AAA Authentication Process Flow
Step 1: User initiates connection (SSH, telnet, or network access)
Step 2: Network device (AAA client) intercepts the connection request
Step 3: Device sends authentication credentials to AAA server
Step 4: AAA server verifies credentials against its database
Step 5: Server responds with Accept, Reject, or Challenge
Step 6: Device permits or denies access based on server response
AAA Authorization Process Flow
Step 1: After successful authentication, authorization is checked
Step 2: Device queries AAA server with user identity and requested action
Step 3: Server consults authorization policies and user role definitions
Step 4: Server returns list of permitted commands/resources
Step 5: Device enforces these restrictions for that user session
Key Differences: RADIUS vs TACACS+
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Protocol | UDP | TCP |
| Ports for authentication and accounting | Separate UDP ports (1812, 1813) | One TCP port (49) |
| Encryption | Password only | Entire payload |
| Authorization Granularity | Coarse (per-user) | Fine (command-level) |
| Vendor | Open standard | Cisco proprietary |
| Best for | ISP dial-up, wireless | Enterprise device administration |
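As an added illustration of the Encryption row above (example code written for this guide, not from Cisco or from any RADIUS or TACACS+ implementation): the RADIUS User-Password hiding of RFC 2865 and the TACACS+ body obfuscation of RFC 8907, applied to a constructed login so the difference in what a packet capture exposes is visible. The shared secret, username, password and session id are made-up values.

```python
import hashlib
import os

def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks; block_i XOR MD5(secret + previous block)."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("authenticator must be 16 octets; password at most 128")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + c, c
    return out

def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of the above, as the RADIUS server computes it with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """RFC 8907 s4.5: whole body XOR an MD5-chained pseudo-pad; XOR is its own inverse."""
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))

def wire_exposure(secret: bytes, username: bytes, password: bytes, authenticator: bytes = b"") -> dict:
    """What a passive capture of the same login shows for each protocol (constructed packets)."""
    authenticator = authenticator or os.urandom(16)   # RADIUS Request Authenticator, random per request
    hidden = radius_hide_password(secret, authenticator, password)
    radius_attrs = (b"\x01" + bytes([2 + len(username)]) + username    # User-Name (type 1): clear text
                    + b"\x02" + bytes([2 + len(hidden)]) + hidden)     # User-Password (type 2): hidden
    # TACACS+ authentication START body for a PAP login (RFC 8907 s5.1): action, priv_lvl,
    # authen_type, authen_service, then the four length octets, then user and data (password)
    start = b"\x01\x01\x02\x01" + bytes([len(username), 0, 0, len(password)]) + username + password
    tacacs_body = tacacs_obfuscate(secret, session_id=0x1A2B3C4D, version=0xC0, seq_no=1, body=start)
    return {
        "radius_username_in_clear": username in radius_attrs,
        "radius_password_in_clear": password in radius_attrs,
        "tacacs_username_in_clear": username in tacacs_body,
        "tacacs_password_in_clear": password in tacacs_body,
    }
```

Both keystreams are derived from the shared secret with MD5, which is the concrete reason the best practices below insist on long secrets and on keeping the server link itself protected.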
AAA Configuration on Cisco Devices
Basic AAA Enable
aaa new-model - Enables AAA on the device
Define RADIUS Server
Configure the RADIUS server name, IP address, and shared secret (the default ports 1812/1813 apply unless overridden on the address line):
radius server RADIUS_SERVER_NAME
 address ipv4 192.168.1.100
 key sharedsecret123
Define TACACS+ Server
Configure TACACS+ server with authentication and authorization:
tacacs server SERVER_NAME
 address ipv4 192.168.1.101
 key sharedsecret456
Configure Authentication Method List
aaa authentication login default group tacacs+ local
This line means: authenticate logins (the default list covers every line, including SSH on the vty lines) against the TACACS+ server group first; only if no server in the group responds does the device fall back to the local database. A rejection from a reachable server is final and does not trigger the local fallback.
Configure Authorization Method List
aaa authorization exec default group tacacs+ local
This controls the EXEC session a user receives after authentication (whether a shell starts and at which privilege level), which in turn bounds the commands available; checking individual commands against the server requires an additional aaa authorization commands method list.
Enable Accounting
aaa accounting exec default start-stop group tacacs+
This records the start and stop of each user EXEC session (who logged in, from where, and for how long); to log the individual commands a user ran, add an aaa accounting commands list as well.
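Added example (not Cisco code; a Python model of how IOS walks a method list, written for this guide) showing why the fallback in group tacacs+ local applies only when the server gives no answer, and what changes if none is used as the fallback instead. The server groups and local database are constructed stand-ins with made-up users.

```python
from dataclasses import dataclass

@dataclass
class ServerGroup:
    """Stand-in for 'group tacacs+' or 'group radius'.  reachable=False models a
    timeout; a RADIUS shared-secret mismatch looks the same to the device, since
    the server silently discards requests whose authenticator does not verify."""
    reachable: bool
    users: dict                  # username -> password the server would accept
    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return "ERROR"       # no answer at all: the method list moves on
        return "PASS" if self.users.get(user) == password else "FAIL"

@dataclass
class LocalDb:
    """Stand-in for the 'local' method (the device's own username database)."""
    users: dict
    def authenticate(self, user: str, password: str) -> str:
        return "PASS" if self.users.get(user) == password else "FAIL"

def run_method_list(methods, user: str, password: str) -> tuple:
    """Evaluate methods in order, as IOS does.  Returns (verdict, deciding method).
    Only ERROR (no response) advances to the next method; a FAIL is final."""
    for name, backend in methods:
        if name == "none":                   # 'none' asks nothing and always passes
            return "PASS", name
        verdict = backend.authenticate(user, password)
        if verdict != "ERROR":
            return verdict, name
    return "FAIL", "all methods errored"    # nothing answered: access is denied

def fallback_scenarios() -> dict:
    """The same 'group tacacs+ local' list under different server conditions, plus
    a 'group tacacs+ none' list to show why 'none' is a dangerous fallback."""
    local = LocalDb({"admin": "local-pw"})
    up = ServerGroup(True, {"admin": "central-pw"})
    down = ServerGroup(False, {"admin": "central-pw"})
    tacacs_then_local = lambda srv: [("tacacs+", srv), ("local", local)]
    return {
        # server up but it rejects the local-only password: 'local' is never consulted
        "server_rejects": run_method_list(tacacs_then_local(up), "admin", "local-pw"),
        # server down (or RADIUS secret mismatch): 'local' answers and the known user gets in
        "server_down": run_method_list(tacacs_then_local(down), "admin", "local-pw"),
        # server down and the user is not in the local database: still denied
        "server_down_unknown": run_method_list(tacacs_then_local(down), "ghost", "x"),
        # server down with 'none' as the fallback: any credentials are accepted
        "server_down_none": run_method_list([("tacacs+", down), ("none", None)], "anyone", "x"),
    }
```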
Authentication Methods
Local Authentication
Users stored in the device's local database (the 0 marks a clear-text password; use secret instead of password so that only a hash is stored):
username admin privilege 15 password 0 password123
Pros: No external dependencies, simple
Cons: Not scalable, passwords stored locally, difficult to audit
Server-Based Authentication
Uses RADIUS, TACACS+, LDAP, or Kerberos:
Pros: Centralized management, scalable, easier auditing
Cons: Network dependency, requires server infrastructure
Multi-Factor Authentication (MFA)
Combines multiple authentication methods for stronger security:
- Password + hardware token
- Password + SMS code
- Biometric + smart card
Authorization Methods
Command Authorization
Controls which commands specific users can execute. TACACS+ excels at this with per-command granularity.
Network Authorization
Controls access to network resources (VLAN assignment, QoS parameters, access lists).
Privilege Levels
Cisco IOS uses privilege levels 0-15:
- Level 0: Logout, disable, exit commands only
- Level 1: User EXEC (ping, traceroute, show commands)
- Level 15: Full administrative access (configure terminal, reload)
Common AAA Troubleshooting Scenarios
Authentication Failures
- Check AAA server connectivity (ping server IP)
- Verify shared secrets match exactly
- Confirm credentials in AAA database
- debug aaa authentication - Shows authentication attempts
Authorization Failures
- User authenticated but cannot execute commands
- Check authorization policies on AAA server
- Verify user role assignments
- debug aaa authorization - Shows authorization queries
Accounting Issues
- Session activities not being logged
- Check if accounting server is running
- debug aaa accounting - Displays accounting records
Best Practices
- Use TACACS+ for device administration: Superior command-level authorization
- Use RADIUS for network access: Better suited for dial-up and wireless
- Implement MFA: Significantly increases security
- Configure backup methods: Always have fallback authentication (local database)
- Use strong shared secrets: Minimum 16 characters, mix of uppercase, lowercase, numbers, symbols
- Enable accounting: Critical for compliance and auditing
- Regular audits: Review logs and access patterns
- Principle of least privilege: Grant minimum necessary permissions
- Centralized servers: Use redundant AAA servers for high availability
- Encrypt all traffic: Use SSH instead of Telnet, TLS for web access
Exam Tips: Answering Questions on AAA Authentication and Authorization
Understanding Question Types
Type 1: Scenario-Based Questions
These present a problem and ask you to identify the solution. Strategy:
- Read the question carefully twice
- Identify what is working and what isn't
- Determine which AAA component is involved (authentication, authorization, or accounting)
- Remember: Authentication happens first, then authorization
- If a user can log in but can't run commands, it's an authorization problem, not authentication
Example: "A user successfully logs into a router via SSH but cannot execute privileged commands. The local database works fine. What is the issue?"
Answer: Authorization is not configured. Even though authentication succeeded, authorization policies aren't set.
Type 2: Configuration Questions
Strategy:
- Remember the configuration order: authentication → authorization → accounting
- aaa new-model must come first
- Know the difference between method lists and protocol parameters
- TACACS+ uses port 49 (TCP), RADIUS uses 1812/1813 (UDP)
- Shared secrets are case-sensitive
Key config sequences to memorize:
aaa new-model
tacacs server NAME
 address ipv4 IP
 key SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
Type 3: Protocol Comparison Questions
Strategy: Create a mental comparison matrix:
- RADIUS: UDP, good for wireless/ISP, password encryption only
- TACACS+: TCP, better for admin access, full payload encryption, command-level control
- LDAP: Directory service, works with Active Directory
- Kerberos: Ticket-based, stronger security, complex setup
If question asks about administrative device access with command-level granularity, answer TACACS+
If question asks about wireless or network access, answer RADIUS
Type 4: Troubleshooting Questions
Strategy: Follow this mental checklist:
- Is AAA enabled? (aaa new-model)
- Is the AAA server reachable? (connectivity)
- Do shared secrets match?
- Is the user in the AAA database?
- Are method lists configured?
- Is the failure in authentication or in authorization? (Can the user not log in at all, or log in but not run commands?)
- Check appropriate debug command
Common troubleshooting answers:
- "Shared secret mismatch" - Most common configuration error
- "AAA server unreachable" - Network connectivity issue
- "Method list not applied to line" - Config incomplete
- "User not in AAA database" - Server-side issue
Type 5: Security Implementation Questions
Strategy: Think about defense in depth:
- Authentication alone is insufficient (use MFA)
- Authorization limits damage if authentication is compromised
- Accounting provides evidence for compliance
- Fallback mechanisms provide high availability
- Encrypted channels prevent credential interception
Critical Concepts to Remember
- Authentication ≠ Authorization: Authentication proves identity; authorization grants permissions
- Fallback methods: Always configure local as fallback to group tacacs+ or group radius
- AAA new-model: Required before any AAA commands work
- Method lists: Applied to specific lines (console, vty, aux) or globally (default)
- TACACS+ advantages: TCP (reliable), full encryption, command authorization, separate authentication/authorization/accounting
- RADIUS advantages: Open standard, better for mass user authentication, lower server load
Common Exam Traps to Avoid
- Trap 1: Confusing authentication and authorization. Remember: Auth = identity, Authz = permissions
- Trap 2: Forgetting the fallback mechanism. Always have local as backup
- Trap 3: Mixing RADIUS and TACACS+ features. Know which protocol supports which feature
- Trap 4: Not reading which line a method list applies to. aaa authentication login default applies to every line (console, aux, and the vty lines used by SSH/telnet) unless a named list overrides it on that line, while aaa authentication enable applies to entering privileged (enable) mode
- Trap 5: Assuming authorization works without explicit configuration. It must be explicitly configured
- Trap 6: Forgetting aaa new-model. Without it, the other AAA commands are not available
Time Management Tips
- AAA questions typically take 1-2 minutes to answer
- If multiple AAA questions appear, allocate 5-10 minutes total
- Diagram the AAA flow if you're unsure (client → server → response)
- Check if question specifically mentions command-level control (TACACS+) or wireless access (RADIUS)
Last-Minute Review Before Exam
- Port numbers: RADIUS 1812/1813, TACACS+ 49
- Protocols: RADIUS (UDP), TACACS+ (TCP)
- Order: Authentication, then Authorization, then Accounting
- Enable command: aaa new-model
- Always include: local fallback
- Authentication question = who are you
- Authorization question = what can you do