RADIUS and TACACS+ servers can be configured on Cisco IOS XE for centralized authentication and authorization.
## Old vs New Login Models
#### Old Model
- Uses **line-level** or **username-level** authentication and authorization.
- Simple, but lacks flexibility.
- No centralized control.
#### New Model
- Enables full **AAA (Authentication, Authorization, Accounting)** framework.
- Allows custom **method lists**.
- AAA method lists can be applied to different access technologies, such as:
  - Console, VTY, PPP, etc.
## Authentication Protocols
#### TACACS+
- Cisco proprietary.
- Used for **device admin access**.
- Supports:
  - **Per-command authorization**
  - **Per-command accounting**
- Encrypts **entire payload**.
#### RADIUS
- Open standard (RFC).
- Used for **end-user authentication**, e.g., VPN.
- Encrypts **only the password** field.
- Does **not support** per-command authorization/accounting.
> **Best Practice:** Always configure **local fallback** in case external servers are unreachable.
## Local Authentication with New-Model
```plaintext
aaa new-model
! 'password' is stored reversibly (type 7); 'secret' stores a one-way hash
username admin password cisco
aaa authentication login default local
aaa authorization exec default local
line vty 0 4
 login authentication default
```
## RADIUS Example
```plaintext
aaa new-model
radius server RAD-SERVER-1
 address ipv4 192.100.3.51 auth-port 1645 acct-port 1646
 key cisco1
radius server RAD-SERVER-2
 address ipv4 192.100.3.52 auth-port 1645 acct-port 1646
 key cisco2
aaa group server radius RAD-GROUP
 server name RAD-SERVER-1
 server name RAD-SERVER-2
 ip vrf forwarding Mgmt-vrf
aaa authentication login RADIUS-LIST group RAD-GROUP local
aaa authorization exec RADIUS-LIST group RAD-GROUP local
line vty 0 4
 login authentication RADIUS-LIST
 ! a named authorization list has no effect until it is applied to the line
 authorization exec RADIUS-LIST
```
## TACACS+ Example
```plaintext
aaa new-model
tacacs server TAC-SERVER-1
 address ipv4 172.16.2.78
 key cisco1
tacacs server TAC-SERVER-2
 address ipv4 172.16.2.79
 key cisco2
! the server-group keyword for TACACS+ is 'tacacs+', not 'tacacs'
aaa group server tacacs+ TAC-GROUP
 server name TAC-SERVER-1
 server name TAC-SERVER-2
 ip vrf forwarding Mgmt-vrf
aaa authentication login TACACS-LIST group TAC-GROUP local
aaa authorization exec TACACS-LIST group TAC-GROUP local
line vty 0 4
 login authentication TACACS-LIST
 ! a named authorization list has no effect until it is applied to the line
 authorization exec TACACS-LIST
```
## Default AAA List
```plaintext
...
aaa authentication login default group TAC-GROUP local
line vty 0 4
 login authentication default
```
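The two pitfalls in the examples above, a server group with no `local` fallback and a named method list that is defined but never applied to a line, are easy to check mechanically. The following audit script is an added example, not code from this page or from Cisco; the sample configuration it parses is constructed and deliberately contains both mistakes.

```python
import re

# Constructed sample config, modelled on the TACACS+ example above. The exec
# authorization list deliberately omits 'local' and is never bound to a line.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server TAC-SERVER-1
 address ipv4 172.16.2.78
 key cisco1
aaa group server tacacs+ TAC-GROUP
 server name TAC-SERVER-1
aaa authentication login TACACS-LIST group TAC-GROUP local
aaa authorization exec TACACS-LIST group TAC-GROUP
line vty 0 4
 login authentication TACACS-LIST
"""

# Global method-list definitions and the per-line commands that bind them.
LIST_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
BIND_RE = re.compile(r"^(login authentication|authorization exec) (\S+)$")
BIND_KIND = {"login authentication": "authentication login",
             "authorization exec": "authorization exec"}


def audit_aaa(config):
    """Return findings for the login/exec method lists in an IOS XE config."""
    lists, bound, in_line = {}, set(), False
    for raw in config.splitlines():
        line = raw.strip()
        m = LIST_RE.match(line)
        if m:
            kind, name, methods = m.groups()
            lists[(kind, name)] = methods.split()
        # Sub-mode commands are indented; a top-level 'line ...' opens a block.
        in_line = line.startswith("line ") or (in_line and raw.startswith(" "))
        m = BIND_RE.match(line)
        if in_line and m:
            bound.add((BIND_KIND[m.group(1)], m.group(2)))
    findings = []
    if not any(l.strip() == "aaa new-model" for l in config.splitlines()):
        findings.append("aaa new-model missing: method lists have no effect")
    for (kind, name), methods in lists.items():
        # Best practice: a server group needs 'local' (or 'local-case') after it.
        if "group" in methods and not ({"local", "local-case"} & set(methods)):
            findings.append(f"{kind} {name}: no local fallback after server group")
        # Only 'default' applies implicitly; a named list must be bound to a line.
        if name != "default" and (kind, name) not in bound:
            findings.append(f"{kind} {name}: named list is not applied to any line")
    return findings
```

Run `audit_aaa` over the output of `show running-config | section aaa|line` to get the same findings for a live device.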
## Login Cosmetics
```
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication banner *Unauthorized Access Prohibited*
Device(config)# aaa authentication login default group radius
```
This configuration displays the following login banner:
```
Unauthorized Access Prohibited
Username:
```
The following example shows how to configure a failed-login banner that is displayed when a user tries to log in to the system and fails (in this case, the phrase "Failed login. Try again."). The asterisk (*) is used as the delimiting character. RADIUS is specified as the default login authentication method.
```
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication banner *Unauthorized Access Prohibited*
Device(config)# aaa authentication fail-message *Failed login. Try again.*
Device(config)# aaa authentication login default group radius
```
This configuration displays the following login and failed-login banner:
```
Unauthorized Access Prohibited
Username:
Password:
Failed login. Try again.
```