CCNP ENCOR: AAA Authentication and Authorization - Complete Guide

AAA Authentication and Authorization

Why AAA is Important

In modern networks, security is paramount. AAA (Authentication, Authorization, and Accounting) forms the foundation of network access control. Understanding AAA is critical for network administrators because:

• Access Control: AAA ensures only authorized users and devices can access network resources
• Security Compliance: Organizations must meet regulatory requirements (HIPAA, PCI-DSS, SOC 2) which rely on AAA implementations
• Audit Trail: AAA provides accountability by tracking who accessed what resources and when
• Risk Reduction: Proper AAA implementation significantly reduces the risk of unauthorized access and data breaches
• Network Integrity: Prevents unauthorized configuration changes that could compromise network stability

What is AAA?

AAA is a framework consisting of three distinct but complementary services:

1. Authentication (Who are you?)

Authentication verifies the identity of a user or device attempting to access network resources. It answers the question: Is this person really who they claim to be?

• Something you know: Passwords, PINs
• Something you have: Smart cards, hardware tokens, mobile devices
• Something you are: Biometrics (fingerprints, iris scans)
• Somewhere you are: Location-based authentication

2. Authorization (What are you allowed to do?)

Authorization determines what resources an authenticated user can access and what actions they can perform. It answers the question: Now that I know who you are, what are you permitted to do?

• Defines user privileges and permissions
• Controls command execution levels
• Restricts access to specific network resources
• Implements role-based access control (RBAC)

3. Accounting (What did you do?)

Accounting tracks and logs all user activities for auditing, billing, and compliance purposes. It answers the question: What actions did this user perform?

• Session start and stop times
• Commands executed
• Data transferred
• Resource usage

How AAA Works

AAA Architecture Components

AAA Client (Network Device): The device requesting AAA services (switch, router, access point)

AAA Server: The centralized server that authenticates users and provides authorization policies. Common solutions include:

• RADIUS (Remote Authentication Dial-In User Service): Uses UDP port 1812 for authentication/authorization and 1813 for accounting
• TACACS+ (Terminal Access Controller Access-Control System Plus): Uses TCP port 49, more granular control, Cisco proprietary improvement
• LDAP (Lightweight Directory Access Protocol): Directory service authentication, commonly used with Active Directory
• Kerberos: Network authentication protocol using tickets instead of passwords

AAA Authentication Process Flow

Step 1: User initiates connection (SSH, telnet, or network access)

Step 2: Network device (AAA client) intercepts the connection request

Step 3: Device sends authentication credentials to AAA server

Step 4: AAA server verifies credentials against its database

Step 5: Server responds with Accept, Reject, or Challenge

Step 6: Device permits or denies access based on server response

AAA Authorization Process Flow

Step 1: After successful authentication, authorization is checked

Step 2: Device queries AAA server with user identity and requested action

Step 3: Server consults authorization policies and user role definitions

Step 4: Server returns list of permitted commands/resources

Step 5: Device enforces these restrictions for that user session

Key Differences: RADIUS vs TACACS+

AAA Configuration on Cisco Devices

Basic AAA Enable

aaa new-model - Enables AAA on the device

Define RADIUS Server

Configure RADIUS server IP, shared secret, and port:

radius server RADIUS_SERVER_NAME
address ipv4 192.168.1.100
key sharedsecret123

Define TACACS+ Server

Configure TACACS+ server with authentication and authorization:

tacacs server SERVER_NAME
address ipv4 192.168.1.101
key sharedsecret456

Configure Authentication Method List

aaa authentication login default group tacacs+ local

This line means: Authenticate SSH users using TACACS+, and if server is unavailable, fall back to local database.

Configure Authorization Method List

aaa authorization exec default group tacacs+ local

This controls what commands users can execute after authentication.

Enable Accounting

aaa accounting exec default start-stop group tacacs+

This logs all user session activities.

Authentication Methods

Local Authentication

Users stored in device local database:

username admin privilege 15 password 0 password123

Pros: No external dependencies, simple
Cons: Not scalable, passwords stored locally, difficult to audit

Server-Based Authentication

Uses RADIUS, TACACS+, LDAP, or Kerberos:

Pros: Centralized management, scalable, easier auditing
Cons: Network dependency, requires server infrastructure

Multi-Factor Authentication (MFA)

Combines multiple authentication methods for stronger security:

• Password + hardware token
• Password + SMS code
• Biometric + smart card

Authorization Methods

Command Authorization

Controls which commands specific users can execute. TACACS+ excels at this with per-command granularity.

Network Authorization

Controls access to network resources (VLAN assignment, QoS parameters, access lists).

Privilege Levels

Cisco IOS uses privilege levels 0-15:

• Level 0: Logout, disable, exit commands only
• Level 1: User EXEC (ping, traceroute, show commands)
• Level 15: Full administrative access (configure terminal, reload)

Common AAA Troubleshooting Scenarios

Authentication Failures

• Check AAA server connectivity (ping server IP)
• Verify shared secrets match exactly
• Confirm credentials in AAA database
• debug aaa authentication - Shows authentication attempts

Authorization Failures

• User authenticated but cannot execute commands
• Check authorization policies on AAA server
• Verify user role assignments
• debug aaa authorization - Shows authorization queries

Accounting Issues

• Session activities not being logged
• Check if accounting server is running
• debug aaa accounting - Displays accounting records

Best Practices

• Use TACACS+ for device administration: Superior command-level authorization
• Use RADIUS for network access: Better suited for dial-up and wireless
• Implement MFA: Significantly increases security
• Configure backup methods: Always have fallback authentication (local database)
• Use strong shared secrets: Minimum 16 characters, mix of uppercase, lowercase, numbers, symbols
• Enable accounting: Critical for compliance and auditing
• Regular audits: Review logs and access patterns
• Principle of least privilege: Grant minimum necessary permissions
• Centralized servers: Use redundant AAA servers for high availability
• Encrypt all traffic: Use SSH instead of Telnet, TLS for web access

Exam Tips: Answering Questions on AAA Authentication and Authorization

Understanding Question Types

Type 1: Scenario-Based Questions

These present a problem and ask you to identify the solution. Strategy:

• Read the question carefully twice
• Identify what is working and what isn't
• Determine which AAA component is involved (authentication, authorization, or accounting)
• Remember: Authentication happens first, then authorization
• If a user can log in but can't run commands, it's an authorization problem, not authentication

Example: "A user successfully logs into a router via SSH but cannot execute privileged commands. The local database works fine. What is the issue?"

Answer: Authorization is not configured. Even though authentication succeeded, authorization policies aren't set.

Type 2: Configuration Questions

Strategy:

• Remember the configuration order: authentication → authorization → accounting
• aaa new-model must come first
• Know the difference between method lists and protocol parameters
• TACACS+ uses port 49 (TCP), RADIUS uses 1812/1813 (UDP)
• Shared secrets are case-sensitive

Key config sequences to memorize:

aaa new-model
tacacs server NAME
address ipv4 IP
key SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+

Type 3: Protocol Comparison Questions

Strategy: Create a mental comparison matrix:

• RADIUS: UDP, good for wireless/ISP, password encryption only
• TACACS+: TCP, better for admin access, full payload encryption, command-level control
• LDAP: Directory service, works with Active Directory
• Kerberos: Ticket-based, stronger security, complex setup

If question asks about administrative device access with command-level granularity, answer TACACS+

If question asks about wireless or network access, answer RADIUS

Type 4: Troubleshooting Questions

Strategy: Follow this mental checklist:

1. Is AAA enabled? (aaa new-model)
2. Is the AAA server reachable? (connectivity)
3. Do shared secrets match?
4. Is the user in the AAA database?
5. Are method lists configured?
6. Is authentication working or authorization?
7. Check appropriate debug command

Common troubleshooting answers:

• "Shared secret mismatch" - Most common configuration error
• "AAA server unreachable" - Network connectivity issue
• "Method list not applied to line" - Config incomplete
• "User not in AAA database" - Server-side issue

Type 5: Security Implementation Questions

Strategy: Think about defense in depth:

• Authentication alone is insufficient (use MFA)
• Authorization limits damage if authentication is compromised
• Accounting provides evidence for compliance
• Fallback mechanisms provide high availability
• Encrypted channels prevent credential interception

Critical Concepts to Remember

• Authentication ≠ Authorization: Authentication proves identity; authorization grants permissions
• Fallback methods: Always configure local as fallback to group tacacs+ or group radius
• AAA new-model: Required before any AAA commands work
• Method lists: Applied to specific lines (console, vty, aux) or globally (default)
• TACACS+ advantages: TCP (reliable), full encryption, command authorization, separate authentication/authorization/accounting
• RADIUS advantages: Open standard, better for mass user authentication, lower server load

Common Exam Traps to Avoid

• Trap 1: Confusing authentication and authorization. Remember: Auth = identity, Authz = permissions
• Trap 2: Forgetting the fallback mechanism. Always have local as backup
• Trap 3: Mixing RADIUS and TACACS+ features. Know which protocol supports which feature
• Trap 4: Not reading line numbers. aaa authentication login default applies to vty lines (SSH/telnet), while aaa authentication enable applies to enable mode
• Trap 5: Assuming authorization works without explicit configuration. It must be explicitly configured
• Trap 6: Forgetting aaa new-model. Without it, all other AAA commands fail silently

Time Management Tips

• AAA questions typically take 1-2 minutes to answer
• If multiple AAA questions appear, allocate 5-10 minutes total
• Diagram the AAA flow if you're unsure (client → server → response)
• Check if question specifically mentions command-level control (TACACS+) or wireless access (RADIUS)

Last-Minute Review Before Exam

• Port numbers: RADIUS 1812/1813, TACACS+ 49
• Protocols: RADIUS (UDP), TACACS+ (TCP)
• Order: Authentication, then Authorization, then Accounting
• Enable command: aaa new-model
• Always include: local fallback
• Authentication question = who are you
• Authorization question = what can you do