RADIUS and TACACS+ servers can be configured on Cisco IOS XE for centralized authentication and authorization.

## Old vs New Login Models

#### Old Model

- Uses **line-level** or **username-level** authentication and authorization.
- Simple, but lacks flexibility.
- No centralized control.

#### New Model

- Enables the full **AAA (Authentication, Authorization, Accounting)** framework.
- Allows custom **method lists**.
- AAA method lists can be applied to different access technologies such as:
  - Console, VTY, PPP, etc.

## Authentication Protocols

#### TACACS+

- Cisco proprietary.
- Used for device admin access.
- Supports:
  - Per-command authorization
  - Per-command accounting
- Encrypts the entire payload.
- **Uses port TCP 49**

#### RADIUS

- Open standard (RFC).
- Used for end-user authentication, e.g., VPN.
- Encrypts only the password field.
- Does not support per-command authorization/accounting.
- Uses the following ports:
  - Cisco's implementation
    - **UDP 1645**: Authentication & Authorization
    - **UDP 1646**: Accounting
  - Industry standard
    - **UDP 1812**: Authentication & Authorization
    - **UDP 1813**: Accounting

> **Best Practice:** Always configure **local fallback** in case external servers are unreachable.
## Local Login with AAA

```plaintext
aaa new-model
username admin password cisco
! login uses the local user database; exec authorization also resolves locally
aaa authentication login default local
aaa authorization exec default local
line vty 0 4
 login authentication default
```

## RADIUS Example

```plaintext
aaa new-model
radius server RAD-SERVER-1
 address ipv4 192.100.3.51 auth-port 1645 acct-port 1646
 key cisco1
radius server RAD-SERVER-2
 address ipv4 192.100.3.52 auth-port 1645 acct-port 1646
 key cisco2
aaa group server radius RAD-GROUP
 server name RAD-SERVER-1
 server name RAD-SERVER-2
 ip vrf forwarding Mgmt-vrf
! "local" at the end of each list is the fallback when the group is unreachable
aaa authentication login RADIUS-LIST group RAD-GROUP local
aaa authorization exec RADIUS-LIST group RAD-GROUP local
line vty 0 4
 login authentication RADIUS-LIST
 authorization exec RADIUS-LIST
```

> Note that the order in which the `server name <>` commands are issued in the group dictates the failover order: the first one added has the highest priority. In the running-config, the first server listed in the group is tried first.

## TACACS Example

```plaintext
aaa new-model
tacacs server TAC-SERVER-1
 address ipv4 172.16.2.78
 key cisco1
tacacs server TAC-SERVER-2
 address ipv4 172.16.2.79
 key cisco2
aaa group server tacacs+ TAC-GROUP
 server name TAC-SERVER-1
 server name TAC-SERVER-2
 ip vrf forwarding Mgmt-vrf
! "local" at the end of each list is the fallback when the group is unreachable
aaa authentication login TACACS-LIST group TAC-GROUP local
aaa authorization exec TACACS-LIST group TAC-GROUP local
line vty 0 4
 login authentication TACACS-LIST
 authorization exec TACACS-LIST
```

> The same failover rule applies here: the first `server name <>` entry in the group is tried first.

## Default AAA List

The specified default method list is applied to all lines (cty, vty, aux, etc.) but notably does NOT apply to the console.

```plaintext
...
aaa authentication login default group TAC-GROUP local
line vty 0 4
 login authentication default
```

To apply a specific list to a line, use the explicit line configuration:

```plaintext
...
line vty 0 4
 login authentication TACACS-LIST
```

> If you want AAA authorization to apply to the console port, use the command `aaa authorization console`.

## Command Auth & Accounting

Enable this whole section by issuing:

```plaintext
aaa authorization config-commands
```

Set up command authorization with the following:

```plaintext
aaa authorization commands {priv} {default | list-name} ... if-authenticated
!
aaa authorization commands 0 default group TAC-GROUP if-authenticated
aaa authorization commands 1 default group TAC-GROUP if-authenticated
aaa authorization commands 15 default group TAC-GROUP if-authenticated
```

> The `if-authenticated` keyword allows users to enter commands even if no AAA server is reachable. Without it, command authorization fails closed: if the AAA server cannot be reached, the user cannot enter any commands. With it, an already-authenticated user can still enter commands when no AAA server is reachable.

Set up command accounting with the following:

```plaintext
aaa accounting commands {priv} {default | list-name} {start-stop | stop-only | none} ...
!
aaa accounting commands 0 default stop-only group TAC-GROUP
aaa accounting commands 1 default stop-only group TAC-GROUP
aaa accounting commands 15 default stop-only group TAC-GROUP
```

## Login Cosmetics

```plaintext
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication banner *Unauthorized Access Prohibited*
Device(config)# aaa authentication login default group radius
```

This configuration displays the following login banner:

```plaintext
Unauthorized Access Prohibited
Username:
```

The following example shows how to configure a failed-login banner that is displayed when a user tries to log in to the system and fails (in this case, the phrase "Failed login. Try again"). The asterisk (*) is used as the delimiting character. RADIUS is specified as the default login authentication method.

```plaintext
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication banner *Unauthorized Access Prohibited*
Device(config)# aaa authentication fail-message *Failed login. Try again.*
Device(config)# aaa authentication login default group radius
```

This configuration displays the following login and failed-login banner:

```plaintext
Unauthorized Access Prohibited
Username:
Password:
Failed login. Try again.
```
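The method-list and command-authorization sections above boil down to two checks a reviewer can run against a saved running-config: every list that points at a server group ends in a fallback (`local`, or `if-authenticated` for command authorization), and the `server name` order inside a group is the failover order. The following audit is an added example, not from the page or from Cisco; the `SAMPLE_CONFIG` text is constructed here and the function names are my own.

```python
import re

# Constructed sample running-config (not from a real device): the page's RADIUS
# example plus two deliberately weak method lists for the audit to catch.
SAMPLE_CONFIG = """\
aaa new-model
radius server RAD-SERVER-1
 address ipv4 192.100.3.51 auth-port 1645 acct-port 1646
 key cisco1
aaa group server radius RAD-GROUP
 server name RAD-SERVER-1
 server name RAD-SERVER-2
aaa authentication login RADIUS-LIST group RAD-GROUP local
aaa authorization exec RADIUS-LIST group RAD-GROUP
aaa authorization commands 15 default group TAC-GROUP
"""
# "aaa <kind> <list-name> <methods...>"; command authorization is its own kind
# because its fallback keyword on the page is if-authenticated, not local.
METHOD_RE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+) (.+)$")

def audit_aaa(config: str) -> list[str]:
    """One finding per method list with no fallback for when its server group is unreachable."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: device still on the old line/username model")
    for m in filter(None, map(METHOD_RE.match, lines)):
        kind, name, tokens = m.group(1), m.group(2), m.group(3).split()
        if "group" not in tokens:
            continue  # purely local list, nothing to fall back from
        fallback = "if-authenticated" if kind.startswith("authorization commands") else "local"
        if fallback not in tokens:
            findings.append(f"{kind} {name}: no '{fallback}' fallback after the server group")
    return findings

def server_order(config: str, group: str) -> list[str]:
    """Servers of an aaa group in failover order: the first 'server name' entry is tried first."""
    order, in_group = [], False
    for line in config.splitlines():
        if re.match(rf"^aaa group server (radius|tacacs\+) {re.escape(group)}$", line):
            in_group = True
        elif in_group and line.startswith(" "):
            m = re.match(r"^ server name (\S+)$", line)
            if m:
                order.append(m.group(1))
        elif in_group:
            break  # left the group's indented sub-mode
    return order
```

Run against the sample, the audit flags the exec list (no `local`) and the level-15 command list (no `if-authenticated`) while passing the login list, and reports RAD-SERVER-1 ahead of RAD-SERVER-2.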