AAA TACACS+ and RADIUS Tutorial


October 18th, 2018

Nowadays, security plays an important role in a company. Without any security solution implemented on our network, a user can simply “plug and play” into it. The user may simply pick up a valid IP address or be assigned one automatically via DHCP. It is convenient, but not a good approach if your network contains sensitive data. Worse, this user may have all the rights to your network, so he can do dangerous things.

As your company grows bigger, there comes a moment when you need to consider implementing security on your network. There are many ways to secure a network, but AAA offers a complete solution. In this tutorial let’s find out about this security feature.

Before diving into AAA, let’s take an example of a user who wants to connect to our network.


This process uses a login and password on the access line. Although it is very easy to implement, this method has many disadvantages:
+ Insecure login method
+ Vulnerable to brute-force attacks
+ No accountability
+ Must be configured on each device manually
+ Store usernames & passwords locally on each device
+ Cannot limit which specific commands a user may use

With AAA, now the process of a user connecting to our network is shown below:


Every action the users perform must be submitted to the AAA server, which determines whether it is allowed or not. This process has many advantages:
+ Secure login (AAA server is not exposed to users and only some protocols are allowed to be sent initially)
+ Easy management at one or some centralized servers
+ Firewalls or other security devices can be placed before AAA servers to protect them
+ Can accept or reject specific commands
+ Every command typed by users can be logged for later analysis

It also has a disadvantage:
+ Requires a powerful server (to handle all the traffic and requests)

AAA stands for Authentication, Authorization and Accounting.

+ Authentication: Specify who you are (usually via login username & password)
+ Authorization: Specify what actions you can do, what resource you can access
+ Accounting: Monitor what you do, how long you do it (can be used for billing and auditing)

An example of AAA is shown below:

+ Authentication: “I am a normal user. My username/password is user_tom/learnforever”
+ Authorization: “user_tom can access LearnCCNA server via HTTP and FTP”
+ Accounting: “user_tom accessed LearnCCNA server for 2 hours”. This user only uses “show” commands.

With AAA, users must authenticate before getting an IP address to access the network. Otherwise, they can only use specific protocols to continue authenticating.

Authentication can be done via a local database, the 802.1x standard (which was developed to provide a method to authenticate devices attempting to access a switchport/LAN) or via remote AAA servers. There are two popular client/server AAA protocols to communicate between remote AAA servers and authenticating devices:

+ RADIUS (Remote Authentication Dial In User Service)
+ TACACS+ (Terminal Access Controller Access-Control System)

The comparison of two protocols is listed below:

| | RADIUS | TACACS+ |
|---|---|---|
| Transportation & Ports | UDP port 1812/1645 (Authentication), 1813/1646 (Accounting) | TCP port 49 |
| Encryption | Only passwords | Entire payload of each packet (leaving only the TACACS+ header in cleartext) |
| Standards | Open standard | Cisco proprietary (but actually now it is an open standard defined by RFC1492) |
| Operation | Authentication and authorization are combined in one function | Authentication, authorization and accounting are separated |
| Logging | No command logging | Full command logging (commands typed by users can be recorded on the servers) |

+ RADIUS is a very old protocol (created around the early 1990s) and it was originally designed for dial-in modem connections. In those days, security was not a strong concern, so RADIUS encrypts only the authentication information (passwords) along the traffic path.
+ TACACS+ is a newer version of TACACS and XTACACS. It is Cisco's answer to RADIUS.
+ Both RADIUS and TACACS+ support Extensible Authentication Protocol (EAP), which is an authentication framework frequently used in wireless networks and point-to-point connections
+ Both TACACS+ and RADIUS can run on either Windows or Unix/Linux servers
+ TACACS+ separates the authentication, authorization, and accounting steps. This architecture allows for separate authentication solutions while still using TACACS+ for authorization and accounting.
+ Authentication and authorization are not separated in a RADIUS transaction. When the authentication request is sent to an AAA server, the AAA client expects to have the authorization result sent back in reply.
+ TACACS+ supports access-level authorization for commands. That means you can assign privilege levels when a user logs in successfully.
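
The encryption difference described above, as an added example that is not part of the original tutorial: it builds a RADIUS Access-Request with the User-Password hiding of RFC 2865 section 5.2 and applies the TACACS+ body obfuscation of RFC 8907, then checks which fields an on-path observer could read. The shared secret, session ID and the TACACS+ body layout are constructed stand-ins; the credentials are the tutorial's own sample values.

```python
import hashlib
import struct

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide User-Password with an MD5-derived XOR pad."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev                      # each block chains into the next pad
    return hidden

def radius_access_request(user, password, secret, authenticator, ident=1) -> bytes:
    """Access-Request (code 1): only attribute 2 (User-Password) is hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = b""
    for attr_type, value in ((1, user), (2, hidden)):   # 1 = User-Name, sent in clear
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def tacacs_obfuscate(body, key, session_id, version, seq_no) -> bytes:
    """RFC 8907 obfuscation: XOR the whole body; the 12-byte header stays clear."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))      # same call reverses it

def demo() -> dict:
    secret = b"constructed-shared-secret"   # constructed sample key
    authenticator = bytes(range(16))        # fixed here; random per request in practice
    packet = radius_access_request(b"user_tom", b"learnforever", secret, authenticator)
    body = b"user_tom\x00learnforever"      # stand-in for a TACACS+ packet body
    wire = tacacs_obfuscate(body, secret, 0x12345678, 0xC0, 1)
    return {
        "radius_user_visible": b"user_tom" in packet,
        "radius_password_visible": b"learnforever" in packet,
        "tacacs_user_visible": b"user_tom" in wire,
        "tacacs_round_trip": tacacs_obfuscate(wire, secret, 0x12345678, 0xC0, 1) == body,
    }

if __name__ == "__main__":
    print(demo())
```

Both schemes derive their pad from MD5 and the shared secret, so the protection of either protocol depends on a long, unique secret per device and on keeping AAA traffic on a protected management network.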

In the next part we will learn how to configure AAA.
