
    Cisco AAA with TACACS+ and RADIUS: Complete Run Book for Authentication, Authorization, and Accounting on IOS/IOS-XE

    Cisco
    Published: Feb 16, 2026
    Updated: Feb 16, 2026

    Production-ready run book for configuring Cisco AAA with TACACS+ and RADIUS on IOS/IOS-XE routers and switches, covering local fallback, method lists, privilege levels, command authorization, accounting, and security hardening.


    Introduction

    Authentication, Authorization, and Accounting (AAA) is the cornerstone of secure device management on Cisco IOS and IOS-XE platforms. Without AAA, every administrator shares the same enable password, there is no audit trail, and you have zero granularity over who can run which commands. This run book walks you through a full production deployment of AAA using TACACS+ as the primary protocol, RADIUS as an alternative, and local credentials as a resilient fallback.

    We will cover the complete lifecycle: enabling the AAA model, defining server groups, building method lists for authentication, authorization, and accounting, hardening the configuration, and verifying every component. Every command is real, tested, and ready to paste.


    1. TACACS+ vs RADIUS — When to Use Which

    Before touching the CLI, understand the protocol differences so you choose correctly.

    Feature             TACACS+                               RADIUS
    Transport           TCP 49                                UDP 1812/1813 (legacy 1645/1646)
    Encryption          Full packet body (MD5 pad, RFC 8907)  User-Password attribute only
    AuthZ granularity   Per-command                           Per-session (via attributes)
    Best for            Device admin (CLI)                    Network access (802.1X, VPN)

    Recommendation: Use TACACS+ for all device administration (SSH, console, enable). Use RADIUS for 802.1X and VPN. This run book covers both.

    One caveat on the Encryption row: what TACACS+ applies to the packet body is an MD5-derived keystream seeded from the shared secret, the session ID and the sequence number. RFC 8907 calls this obfuscation rather than encryption and recommends running the protocol on an isolated network, so the strength of the shared key and the reachability of TCP 49 are what actually protect administrator passwords in transit. RADIUS hides only the User-Password attribute; usernames and every other attribute cross the wire in clear text.
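
    To make the Encryption row concrete, here is the RFC 8907 body obfuscation reimplemented in Python as an added example for this run book (not Cisco code and not taken from any TACACS+ server). It builds the MD5 keystream from the session ID, shared key, version and sequence number, wraps a PAP authentication START packet, and then shows the practical consequence: one captured packet lets an attacker test candidate keys offline, because only the right key produces a well-formed body. The session ID, user, addresses, password and candidate key list are constructed for the example.

```python
"""RFC 8907 TACACS+ body obfuscation, reimplemented from the spec.

Added example for this run book; not Cisco code and not part of any TACACS+
server. Shows what the "full packet body" protection in the table really is:
an MD5 keystream seeded from the shared key. Packet contents are constructed.
"""
import hashlib
import string
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 (RFC 8907 section 4.1)
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag that switches obfuscation off
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02    # PAP puts the password in START.data
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n appends MD5_(n-1).
    The concatenated digests, truncated to the body length, are the pad."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, password, priv_lvl=1):
    """Authentication START body (RFC 8907 section 5.1), PAP flavour."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(password)])
    return fixed + u + p + r + password


def parse_authen_start(body):
    """Return the START fields, or None when the bytes do not fit the layout.
    A wrong key yields random bytes, so this check doubles as a key oracle."""
    if len(body) < 8:
        return None
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return None
    fields, off = {}, 8
    for name, n in (("user", user_len), ("port", port_len), ("rem_addr", rem_len)):
        chunk = body[off:off + n]
        if not all(chr(c) in string.printable for c in chunk):
            return None
        fields[name] = chunk.decode()
        off += n
    fields["data"] = body[off:off + data_len]
    return fields


def build_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHEN):
    """Header in the clear, body obfuscated (flags=0)."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet, key):
    """Split header and body; undo the pad unless the unencrypted flag is set."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no, version)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "flags": flags, "body": body}


def guess_key(packet, candidates):
    """Offline key recovery from ONE captured START packet: the candidate
    that produces a well-formed body is the shared secret."""
    for cand in candidates:
        if parse_authen_start(parse_packet(packet, cand)["body"]) is not None:
            return cand
    return None


if __name__ == "__main__":
    # Constructed session: the switch sends alice's PAP login to TAC1.
    KEY = b"T@cPlu5K3y!Infra2026"
    body = build_authen_start("alice", "tty2", "10.10.1.77", b"Al1ce!2026")
    pkt = build_packet(body, session_id=0x1A2B3C4D, key=KEY, seq_no=1)
    print("server view :", parse_authen_start(parse_packet(pkt, KEY)["body"]))
    print("guessed key :", guess_key(pkt, [b"cisco", b"tacacs", b"secret", KEY]))
```

    Run it once, then shorten KEY to something like cisco and watch guess_key succeed on the first candidate. That is the whole argument for a long random key in section 4, for keeping the TACACS+ servers on a management VLAN that only management hosts can reach, and for treating a TCP 49 flow from an unexpected source as an incident rather than a curiosity.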

    2. Prerequisites and Lab Topology

    • Cisco Catalyst or ISR running IOS 15.x or IOS-XE 16.x / 17.x
    • TACACS+ server at 10.10.1.50 (e.g., Cisco ISE, FreeRADIUS with TACACS+ plugin, or tac_plus)
    • RADIUS server at 10.10.1.51
    • Management VLAN 100, subnet 10.10.1.0/24
    • Switch hostname: sw-infrarunbook-01
    • Router hostname: rtr-infrarunbook-01
    ! Ensure management reachability first
    hostname sw-infrarunbook-01
    interface Vlan100
     description INFRARUNBOOK-MGMT
     ip address 10.10.1.1 255.255.255.0
     no shutdown
    !
    ip route 0.0.0.0 0.0.0.0 10.10.1.254
    

    3. Enable the AAA Model

    The single most important command. Once entered, the device uses AAA for all authentication decisions.

    aaa new-model
    
    Warning: Issuing aaa new-model immediately changes how VTY and console authentication works. Until you define method lists, logins are checked against the local username database, so a device with no local user refuses every new VTY login. Create the local user in 3.1 first, and keep a console session open while you make the change so you can back it out if something goes wrong.

    3.1 Create a Local Fallback User

    This user is your safety net if all TACACS+/RADIUS servers are unreachable. Every password and key in this run book is a placeholder; generate your own and keep the fallback secret in a break-glass store, not in a wiki.

    username infrarunbook-admin privilege 15 algorithm-type scrypt secret R3allyStr0ng!Pass#2026
    

    The algorithm-type scrypt form stores a type 9 hash. On older IOS that does not support it, use the plain secret form, which stores a type 5 (MD5) hash on those releases; that is still far better than the reversible password (type 7) form:

    username infrarunbook-admin privilege 15 secret 0 R3allyStr0ng!Pass#2026
    

    4. Define TACACS+ Servers and Server Groups

    4.1 New-Style Server Definition (IOS 15.x+ / IOS-XE)

    tacacs server INFRARUNBOOK-TAC1
     address ipv4 10.10.1.50
     key 0 T@cPlu5K3y!Infra2026
     timeout 3
    !
    tacacs server INFRARUNBOOK-TAC2
     address ipv4 10.10.1.52
     key 0 T@cPlu5K3y!Infra2026
     timeout 3
    

    4.2 Server Group

    aaa group server tacacs+ INFRARUNBOOK-TACACS-GRP
     server name INFRARUNBOOK-TAC1
     server name INFRARUNBOOK-TAC2
     ip tacacs source-interface Vlan100
    

    The ip tacacs source-interface line makes the device source TACACS+ packets from the management IP, which matters when the server or a firewall in the path filters by source address. If the management interface lives in a VRF (for example the Mgmt-vrf of a dedicated management port), also add ip vrf forwarding <vrf-name> under the server group; otherwise the requests are sent through the global routing table and never reach the server.


    5. Define RADIUS Servers and Server Groups

    radius server INFRARUNBOOK-RAD1
     address ipv4 10.10.1.51 auth-port 1812 acct-port 1813
     key 0 R@d1usK3y!Infra2026
     timeout 3
     retransmit 2
    !
    aaa group server radius INFRARUNBOOK-RADIUS-GRP
     server name INFRARUNBOOK-RAD1
     ip radius source-interface Vlan100
    

    6. Authentication Configuration

    Authentication answers the question: "Who are you?"

    6.1 Default Login Authentication (SSH/Telnet)

    aaa authentication login default group INFRARUNBOOK-TACACS-GRP local
    

    This tries the TACACS+ group first; only if every server in the group is unreachable (timeout, not a reject) does the device fall back to the local database. A reject from any reachable server is final: the user is denied and the local database is never consulted. That is intended: the fallback exists for outages, not for second chances.
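
    The fall-through rule above is easy to state and easy to get wrong in an outage drill, so here it is as an executable model, an added example for this run book rather than IOS code. It evaluates aaa authentication login default group INFRARUNBOOK-TACACS-GRP local against constructed server states: one server down and one answering, both down with a local user, both down with a TACACS+-only user, and a list with no local method at all. Server names, users and passwords are placeholders.

```python
"""Fall-through semantics of `aaa authentication login default group G local`.

Added example for this run book, not IOS code: a small model of the rule the
text states. A method list moves to the next method only when the current one
cannot answer (ERROR: every server in the group timed out); an explicit PASS
or FAIL ends evaluation, so a rejected TACACS+ user is never retried against
the local database. Server states, users and passwords are constructed.
"""
from enum import Enum


class Verdict(Enum):
    PASS = "pass"    # accepted: stop, grant login
    FAIL = "fail"    # rejected: stop, deny login (no fallback)
    ERROR = "error"  # no answer: try the next method in the list


class TacacsServer:
    def __init__(self, name, reachable, users):
        self.name, self.reachable, self.users = name, reachable, users

    def authenticate(self, user, password):
        if not self.reachable:
            return Verdict.ERROR
        return Verdict.PASS if self.users.get(user) == password else Verdict.FAIL


class ServerGroup:
    """`group NAME`: servers are tried in order; the first reply decides."""

    def __init__(self, name, servers):
        self.name, self.servers = name, servers

    def authenticate(self, user, password):
        for srv in self.servers:
            verdict = srv.authenticate(user, password)
            if verdict is not Verdict.ERROR:
                return verdict, srv.name
        return Verdict.ERROR, None


class LocalDatabase:
    """`local`: the username/secret lines on the device itself. Modelled as
    the last method, so an unknown user is denied either way."""
    name = "local"

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        ok = self.users.get(user) == password
        return (Verdict.PASS if ok else Verdict.FAIL), self.name


def run_method_list(methods, user, password):
    """Evaluate a method list; return (verdict, deciding method, trace).
    If every method errors out, IOS denies the login."""
    trace = []
    for method in methods:
        verdict, decided_by = method.authenticate(user, password)
        trace.append((method.name, verdict.value))
        if verdict is not Verdict.ERROR:
            return verdict, decided_by, trace
    return Verdict.FAIL, None, trace


# Constructed topology: TAC1 is down, TAC2 is up and knows alice.
TAC1 = TacacsServer("INFRARUNBOOK-TAC1", reachable=False, users={"alice": "Al1ce!2026"})
TAC2 = TacacsServer("INFRARUNBOOK-TAC2", reachable=True, users={"alice": "Al1ce!2026"})
GROUP = ServerGroup("group INFRARUNBOOK-TACACS-GRP", [TAC1, TAC2])
LOCAL = LocalDatabase({"infrarunbook-admin": "R3allyStr0ng!Pass#2026"})
LOGIN_DEFAULT = [GROUP, LOCAL]


def scenarios():
    """The cases the run book describes, as label -> (verdict, decided_by)."""
    results = {}
    results["tac1_down_tac2_accepts"] = run_method_list(LOGIN_DEFAULT, "alice", "Al1ce!2026")[:2]
    results["tac2_rejects_no_fallback"] = run_method_list(LOGIN_DEFAULT, "alice", "wrong")[:2]
    TAC2.reachable = False
    results["all_down_local_fallback"] = run_method_list(
        LOGIN_DEFAULT, "infrarunbook-admin", "R3allyStr0ng!Pass#2026")[:2]
    results["all_down_tacacs_user_locked_out"] = run_method_list(
        LOGIN_DEFAULT, "alice", "Al1ce!2026")[:2]
    results["no_local_method_at_all"] = run_method_list(
        [GROUP], "infrarunbook-admin", "R3allyStr0ng!Pass#2026")[:2]
    TAC2.reachable = True
    return results


if __name__ == "__main__":
    for label, (verdict, who) in scenarios().items():
        print(f"{label:34s} -> {verdict.value:5s} (decided by {who})")
```

    The scenario to notice is all_down_tacacs_user_locked_out: a TACACS+ account that is not also in the local database cannot log in during an outage, which is why the fallback user in 3.1 must exist and its secret must be retrievable when the servers are gone.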

    6.2 Console Authentication with Separate Method List

    aaa authentication login CONSOLE-AUTH local
    !
    line console 0
     login authentication CONSOLE-AUTH
    

    Console uses local-only so you are never locked out even if the TACACS+ key is wrong or the network is down.

    6.3 Enable (Privilege Escalation) Authentication

    aaa authentication enable default group INFRARUNBOOK-TACACS-GRP enable
    

    The enable password is checked on the TACACS+ server first (tac_plus looks it up under the special $enab15$ user; Cisco ISE uses the account's enable password setting) and falls back to the locally configured enable secret only when the group is unreachable, so make sure an enable secret is set. Users whose exec authorization returns priv-lvl=15 land directly in privileged mode and never hit this list.

    6.4 VTY Line Configuration

    line vty 0 15
     login authentication default
     transport input ssh
     exec-timeout 10 0
    

    7. Authorization Configuration

    Authorization answers: "What are you allowed to do?"

    7.1 Exec Authorization (Shell Access)

    aaa authorization exec default group INFRARUNBOOK-TACACS-GRP local if-authenticated
    

    The list is evaluated left to right with the same fall-through rule as authentication: an explicit deny from the TACACS+ server is final, and the next method is tried only when the current one cannot answer. if-authenticated is the last resort: it grants exec access to any user who has already authenticated, so an administrator who logged in through the local fallback during a TACACS+ outage still gets a shell instead of being dropped.

    7.2 Command Authorization (Per-Command)

    This is where TACACS+ truly shines. Every command is sent to the server before it runs, and the server answers permit or deny for that user at that privilege level.

    aaa authorization commands 1 default group INFRARUNBOOK-TACACS-GRP local if-authenticated
    aaa authorization commands 15 default group INFRARUNBOOK-TACACS-GRP local if-authenticated
    

    On the TACACS+ server side (e.g., tac_plus or ISE), you define command sets. For example, a read-only group may be allowed show * but denied configure terminal. Authorize both levels: a level 15 user who drops to level 1 with disable would otherwise run unchecked. Note that if-authenticated applies here too, so during an outage every command from an authenticated user is permitted; if that is unacceptable in your environment, omit it from the command lists and accept that administration stops while TACACS+ is down.

    7.3 Configuration Mode Authorization

    aaa authorization config-commands
    

    This enables authorization checks inside configuration mode, not just at the exec prompt.

    7.4 Console Authorization (Optional but Recommended)

    aaa authorization console
    

    Without this, console sessions bypass authorization entirely.


    8. Accounting Configuration

    Accounting answers: "What did the user do?" This gives you a full audit trail.

    8.1 Exec Accounting

    aaa accounting exec default start-stop group INFRARUNBOOK-TACACS-GRP
    

    8.2 Command Accounting

    aaa accounting commands 1 default start-stop group INFRARUNBOOK-TACACS-GRP
    aaa accounting commands 15 default start-stop group INFRARUNBOOK-TACACS-GRP
    

    8.3 Connection Accounting

    aaa accounting connection default start-stop group INFRARUNBOOK-TACACS-GRP
    

    8.4 System Accounting (Reload/Config Events)

    aaa accounting system default start-stop group INFRARUNBOOK-TACACS-GRP
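
    Accounting is only useful if someone reads it. The following Python is an added example for section 8 and Q9 of this run book (not part of tac_plus, Cisco ISE or IOS) that parses command-accounting records and flags the events an incident responder cares about: local-account changes, logging being switched off, configuration loaded from a file, and sessions from outside the management subnet. The records are constructed in the tab-separated shape tac_plus writes to its accounting log; verify the field order against your own server before pointing this at real files. The watch-list, the management subnet and the usernames are assumptions.

```python
"""Triage of TACACS+ command-accounting records.

Added example for section 8 and Q9 of this run book; it is not part of
tac_plus, Cisco ISE or IOS. The records below are constructed in the
tab-separated shape tac_plus writes to its accounting log (timestamp, NAS,
user, port, remote address, start/stop, then attribute=value pairs). Check
the field order against your own server before running this on real files.
The watch-list and the management subnet are assumptions for the example.
"""
import ipaddress
import re

MGMT_NET = ipaddress.ip_network("10.10.1.0/24")  # run book management subnet

# Commands that weaken access control or destroy evidence, matched against
# the command as typed with the trailing <cr> removed.
WATCHLIST = [
    (re.compile(r"^no aaa\b"), "aaa_disabled"),
    (re.compile(r"^username\b"), "local_account_change"),
    (re.compile(r"^no logging\b"), "logging_disabled"),
    (re.compile(r"^(no )?tacacs(-server| server)\b"), "tacacs_server_change"),
    (re.compile(r"^copy\s+(?!running-config|startup-config)\S+\s+(running|startup)-config\s*$"),
     "config_overwrite_from_file"),
    (re.compile(r"^reload\b"), "reload"),
    (re.compile(r"^crypto key\b"), "ssh_key_change"),
]

# Constructed sample: alice's session from the management subnet, then a
# priv-1 session from an address outside it.
SAMPLE_LOG = (
    "Mon Feb 16 10:22:10 2026\t10.10.1.1\talice\ttty2\t10.10.1.77\tstart\t"
    "task_id=11\tservice=shell\n"
    "Mon Feb 16 10:22:31 2026\t10.10.1.1\talice\ttty2\t10.10.1.77\tstop\t"
    "task_id=12\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "Mon Feb 16 10:23:05 2026\t10.10.1.1\talice\ttty2\t10.10.1.77\tstop\t"
    "task_id=13\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Mon Feb 16 10:23:40 2026\t10.10.1.1\talice\ttty2\t10.10.1.77\tstop\t"
    "task_id=14\tservice=shell\tpriv-lvl=15\tcmd=username backdoor privilege 15 <cr>\n"
    "Mon Feb 16 10:24:02 2026\t10.10.1.1\talice\ttty2\t10.10.1.77\tstop\t"
    "task_id=15\tservice=shell\tpriv-lvl=15\tcmd=no logging host 10.10.1.60 <cr>\n"
    "Mon Feb 16 10:24:30 2026\t10.10.1.1\talice\ttty2\t10.10.1.77\tstop\t"
    "task_id=16\tservice=shell\tpriv-lvl=15\tcmd=copy tftp://192.0.2.44/sw.cfg running-config <cr>\n"
    "Mon Feb 16 11:02:17 2026\t10.10.1.1\tbob\ttty3\t192.0.2.44\tstop\t"
    "task_id=21\tservice=shell\tpriv-lvl=1\tcmd=show ip route <cr>\n"
)


def parse_record(line):
    """Split one accounting line into fixed fields plus an attrs dict."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6:
        return None
    rec = {"time": parts[0], "nas": parts[1], "user": parts[2], "port": parts[3],
           "rem_addr": parts[4], "type": parts[5], "attrs": {}}
    for av in parts[6:]:
        key, sep, value = av.partition("=")
        if sep:
            rec["attrs"][key] = value
    rec["cmd"] = re.sub(r"\s*<cr>\s*$", "", rec["attrs"].get("cmd", ""))
    return rec


def source_outside_mgmt(rem_addr):
    """True when the session came from outside the management subnet.
    Console sessions carry no IP here and are not flagged."""
    try:
        return ipaddress.ip_address(rem_addr) not in MGMT_NET
    except ValueError:
        return False


def triage(log_text):
    """Return (user, command, tag) findings for every command stop record."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "stop" or not rec["cmd"]:
            continue
        if source_outside_mgmt(rec["rem_addr"]):
            findings.append((rec["user"], rec["cmd"], "source_outside_mgmt"))
        for pattern, tag in WATCHLIST:
            if pattern.search(rec["cmd"]):
                findings.append((rec["user"], rec["cmd"], tag))
    return findings


if __name__ == "__main__":
    for user, cmd, tag in triage(SAMPLE_LOG):
        print(f"{tag:28s} {user:8s} {cmd}")
```

    Run the sample and the three alice findings tell a story on their own: a new privilege 15 local account, then the syslog destination removed, then a configuration pulled from a host that also shows up as bob's source address. Ship the accounting log to a collector the administrators being audited cannot edit, and run a check like this on it continuously rather than after the fact.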
    

    9. Complete Combined Configuration

    Here is the full AAA block you can paste into sw-infrarunbook-01:

    ! ===== AAA CONFIGURATION — sw-infrarunbook-01 =====
    !
    ! Step 1: Local fallback user
    username infrarunbook-admin privilege 15 algorithm-type scrypt secret R3allyStr0ng!Pass#2026
    !
    ! Step 2: Enable AAA
    aaa new-model
    !
    ! Step 3: TACACS+ servers
    tacacs server INFRARUNBOOK-TAC1
     address ipv4 10.10.1.50
     key 0 T@cPlu5K3y!Infra2026
     timeout 3
    !
    tacacs server INFRARUNBOOK-TAC2
     address ipv4 10.10.1.52
     key 0 T@cPlu5K3y!Infra2026
     timeout 3
    !
    ! Step 4: TACACS+ server group
    aaa group server tacacs+ INFRARUNBOOK-TACACS-GRP
     server name INFRARUNBOOK-TAC1
     server name INFRARUNBOOK-TAC2
     ip tacacs source-interface Vlan100
    !
    ! Step 5: RADIUS server (for 802.1X or VPN use)
    radius server INFRARUNBOOK-RAD1
     address ipv4 10.10.1.51 auth-port 1812 acct-port 1813
     key 0 R@d1usK3y!Infra2026
     timeout 3
     retransmit 2
    !
    aaa group server radius INFRARUNBOOK-RADIUS-GRP
     server name INFRARUNBOOK-RAD1
     ip radius source-interface Vlan100
    !
    ! Step 6: Authentication
    aaa authentication login default group INFRARUNBOOK-TACACS-GRP local
    aaa authentication login CONSOLE-AUTH local
    aaa authentication enable default group INFRARUNBOOK-TACACS-GRP enable
    !
    ! Step 7: Authorization
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group INFRARUNBOOK-TACACS-GRP local if-authenticated
    aaa authorization commands 1 default group INFRARUNBOOK-TACACS-GRP local if-authenticated
    aaa authorization commands 15 default group INFRARUNBOOK-TACACS-GRP local if-authenticated
    !
    ! Step 8: Accounting
    aaa accounting exec default start-stop group INFRARUNBOOK-TACACS-GRP
    aaa accounting commands 1 default start-stop group INFRARUNBOOK-TACACS-GRP
    aaa accounting commands 15 default start-stop group INFRARUNBOOK-TACACS-GRP
    aaa accounting connection default start-stop group INFRARUNBOOK-TACACS-GRP
    aaa accounting system default start-stop group INFRARUNBOOK-TACACS-GRP
    !
    ! Step 9: Lines
    line console 0
     login authentication CONSOLE-AUTH
     exec-timeout 5 0
    !
    line vty 0 15
     login authentication default
     transport input ssh
     exec-timeout 10 0
    !
    

    10. SSH Hardening (Complement to AAA)

    AAA is only as secure as the transport. Ensure SSH v2 is enforced.

    hostname sw-infrarunbook-01
    ip domain-name solvethenetwork.com
    !
    crypto key generate rsa modulus 4096
    !
    ip ssh version 2
    ip ssh time-out 60
    ip ssh authentication-retries 3
    ip ssh source-interface Vlan100
    !
    no ip http server
    no ip http secure-server
    

    11. Verification and Troubleshooting

    11.1 Verify AAA Configuration

    show aaa servers
    

    This shows request/response counters for each server. Look for non-zero "requests" and matching "replies". High "timeouts" indicate network or server issues.

    11.2 Test Authentication

    test aaa group INFRARUNBOOK-TACACS-GRP infrarunbook-admin R3allyStr0ng!Pass#2026 legacy
    

    Use an account that exists on the TACACS+ server; the local fallback user only succeeds here if it is also defined there. The password is typed in clear text and lands in the command history and, with command accounting enabled, in the accounting record on the server, so use a dedicated test account and rotate its password afterwards. Expected output:

    Attempting authentication test to server-group INFRARUNBOOK-TACACS-GRP using tacacs+
    User was successfully authenticated.
    

    11.3 Test Authorization

    test aaa exercises authentication only. To check authorization, open a second SSH session as the test user (keep your own session open) and confirm the privilege level and command set the server assigned:

    show privilege
    show running-config
    

    A read-only user should see "Current privilege level is 1" and get "Command authorization failed" on the second command; an administrator should see level 15 and the configuration.

    11.4 Debug Commands (Use with Caution)

    debug aaa authentication
    debug aaa authorization
    debug aaa accounting
    debug tacacs
    debug radius
    

    Always set a terminal monitor and limit debug time:

    terminal monitor
    ! ... reproduce the issue ...
    undebug all
    

    11.5 Verify TACACS+ Reachability

    ping 10.10.1.50 source Vlan100
    show tacacs
    

    11.6 Check Active Sessions

    show users
    show line
    

    12. RADIUS-Based Authentication for 802.1X (Bonus)

    If you also need 802.1X port authentication on sw-infrarunbook-01:

    aaa authentication dot1x default group INFRARUNBOOK-RADIUS-GRP
    aaa authorization network default group INFRARUNBOOK-RADIUS-GRP
    aaa accounting dot1x default start-stop group INFRARUNBOOK-RADIUS-GRP
    !
    dot1x system-auth-control
    !
    interface GigabitEthernet1/0/10
     description INFRARUNBOOK-USER-PORT
     switchport mode access
     switchport access vlan 200
     authentication port-control auto
     dot1x pae authenticator
     spanning-tree portfast
    

    13. Privilege Levels and Custom Role-Based Access

    Cisco IOS supports privilege levels 0–15. Combine them with TACACS+ for fine-grained control.

    13.1 Custom Privilege Level Example

    privilege exec level 7 show running-config
    privilege exec level 7 show interfaces
    privilege exec level 7 show ip route
    privilege exec level 7 show ip arp
    !
    username infrarunbook-readonly privilege 7 algorithm-type scrypt secret R3adOnly!2026
    

    Most show commands already sit at level 1, so the line that matters here is show running-config, which is normally level 15. Be aware that a reduced-level show running-config displays only the parts of the configuration that level is permitted to configure; check the output as the restricted user before promising it to anyone. On the TACACS+ server, return priv-lvl=7 in the shell (exec) service so the user lands in this restricted shell automatically; this relies on the aaa authorization exec list from section 7.1.

    13.2 IOS-XE Parser Views (Role-Based CLI)

    Parser views require aaa new-model and an enable secret, and they can only be created from the root view, so run enable view (authenticating with the enable secret) before configuring them:

    aaa new-model
    !
    enable secret 0 V13wS3cret!2026
    !
    parser view INFRARUNBOOK-NOC
     secret 0 N0cV13w!2026
     commands exec include show
     commands exec include ping
     commands exec include traceroute
     commands exec exclude configure
    

    Assign the parser view via TACACS+ using the shell:cli-view-name=INFRARUNBOOK-NOC attribute. Unlike privilege levels, a view is an allow-list: commands that are not included are simply not available to the user.


    14. Security Hardening Checklist

    • Obfuscate keys in the config. Type 7 only hides them from onlookers and is trivially reversible, so treat every config backup as if it held the cleartext keys, and prefer type 6 AES where the platform supports it (see Q7):
      service password-encryption
      
    • Use
      algorithm-type scrypt
      (type 9) for local usernames on any release that supports it; fall back to secret (type 5) elsewhere, never password.
    • Disable unused lines:
      line aux 0
       no exec
       transport input none
      
    • Restrict VTY access with an ACL:
      ip access-list standard INFRARUNBOOK-VTY-ACL
       10 permit 10.10.1.0 0.0.0.255
       20 deny any log
      !
      line vty 0 15
       access-class INFRARUNBOOK-VTY-ACL in
      
    • Set a failed-attempt lockout for local accounts. This also locks your fallback user after five wrong guesses, so know the unlock command (clear aaa local user lockout username infrarunbook-admin, from the console) before you need it in an outage:
      aaa local authentication attempts max-fail 5
      security authentication failure rate 3 log
      
    • Login block-for (brute-force protection). The quiet-mode ACL keeps the management subnet able to log in while everyone else is blocked:
      login block-for 120 attempts 5 within 60
      login quiet-mode access-class INFRARUNBOOK-VTY-ACL
      login delay 2
      login on-failure log
      login on-success log
      

    15. Common Pitfalls and How to Avoid Them

    1. Locked out after aaa new-model: the default login method becomes the local username database, so create a local user before issuing the command and keep a console session open.
    2. Key mismatch: The TACACS+/RADIUS shared secret on the device must exactly match the server. Watch for trailing spaces, and type keys containing ? with Ctrl-V first so the CLI does not treat the character as a help request.
    3. Source interface not set: If you don't set ip tacacs source-interface, the device may source from an interface the server doesn't trust, and on devices whose management port sits in a VRF the requests never reach the server at all without ip vrf forwarding under the group.
    4. Fallback confusion: Local fallback only triggers when every server in the group is unreachable (timeout). If a server rejects the credentials, the user is denied; there is no fallback.
    5. Missing aaa authorization console: Without this, console sessions bypass authorization, letting anyone with physical access run any command from the console.
    6. Forgetting accounting: Authentication and authorization alone give you no audit trail. Always configure accounting, and send it to a server whose records the administrators being audited cannot edit.

    16. NX-OS Differences (Cisco Nexus Quick Reference)

    If you manage Nexus switches alongside Catalysts, the commands differ slightly:

    feature tacacs+
    !
    tacacs-server host 10.10.1.50 key T@cPlu5K3y!Infra2026
    tacacs-server host 10.10.1.52 key T@cPlu5K3y!Infra2026
    !
    aaa group server tacacs+ INFRARUNBOOK-TACACS-GRP
     server 10.10.1.50
     server 10.10.1.52
     use-vrf management
     source-interface mgmt0
    !
    aaa authentication login default group INFRARUNBOOK-TACACS-GRP local
    aaa authorization commands default group INFRARUNBOOK-TACACS-GRP local
    aaa accounting default group INFRARUNBOOK-TACACS-GRP
    

    17. Saving and Backing Up

    copy running-config startup-config
    !
    ! Optional: backup to TFTP (clear text on the wire, keys included; only on an isolated management network)
    copy running-config tftp://10.10.1.60/sw-infrarunbook-01-aaa-backup.cfg
    ! Preferred: backup over SCP so the config is not readable in transit
    copy running-config scp://backup@10.10.1.60/sw-infrarunbook-01-aaa-backup.cfg
    

    Frequently Asked Questions

    Q1: What happens if I enable aaa new-model without a local user?

    You lock yourself out of new VTY and console logins, because the default login method becomes the local username database and there is nobody in it. Always create a local privilege 15 user first and keep a console session active until a fresh SSH login has been verified.

    Q2: Does local fallback work when the TACACS+ server rejects my credentials?

    No. Fallback to the next method in the list only occurs when the server is unreachable (timeout/no response). An explicit reject from the server is a definitive "no" — the device will not try local.

    Q3: Can I use both TACACS+ and RADIUS on the same device?

    Yes. You define separate server groups and reference them in different method lists. For example, use TACACS+ for login authentication and RADIUS for dot1x. They operate independently.

    Q4: What is the difference between if-authenticated and local in authorization?

    local means check the local database for authorization attributes (the privilege level on the username line). if-authenticated means: if the user already passed authentication, grant authorization without further checks. Place it last so that a TACACS+ outage doesn't lock out already-authenticated admins; it is never reached while the server answers, because an explicit permit or deny stops the list.

    Q5: How do I restrict a NOC team to show commands only?

    On the TACACS+ server, create a command set that permits show .*, ping and traceroute and denies everything else. Enable aaa authorization commands 1 and aaa authorization commands 15 on the device. Every command typed is checked against the server before execution.

    Q6: Why is my TACACS+ server showing no requests?

    Check: (1) ip tacacs source-interface is set to an interface with a route to the server, and the server group is in the right VRF; (2) firewall rules allow TCP 49 from the device to the server; (3) the shared key matches exactly; (4) run debug tacacs to see whether packets are being sent; (5) show aaa servers to see whether the device has marked the server dead.

    Q7: Should I encrypt TACACS+ keys in the configuration?

    Yes. Use service password-encryption for type 7 at minimum, knowing that type 7 is a fixed-key XOR that any reader of the config can reverse. On IOS-XE 16.6+, use type 6 AES encryption with a master key: key config-key password-encrypt followed by password encryption aes. The master key itself is not written to the configuration, so keep it in your secrets store; a config restored onto a device that lacks it cannot decrypt the type 6 values.
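
    The checklist in section 14 and Q7 both call type 7 reversible; the following Python shows exactly how reversible, as an added example for this run book (not Cisco code). It decodes the widely published vector 094F471A1A0A to cisco, round-trips a placeholder key, and scans a constructed configuration fragment for every password 7 and key 7 value. The XOR constant is the long-public type 7 key; the sample configuration lines are constructed.

```python
"""Cisco type 7 reversal: why `service password-encryption` is not encryption.

Added example for the section 14 checklist and Q7 of this run book; not
Cisco code. Type 7 is a fixed-key XOR with a two-digit seed (the key below
is the long-public constant IOS uses), so anyone holding a config backup
holds the cleartext. The sample configuration is constructed.
"""
import re

_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """'09' + hex -> cleartext. The first two digits are the key offset."""
    seed = int(encoded[:2])
    payload = bytes.fromhex(encoded[2:])
    clear = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(payload))
    return clear.decode("ascii")


def type7_encode(cleartext: str, seed: int = 9) -> str:
    """Inverse of type7_decode, used here to build the sample config."""
    data = cleartext.encode("ascii")
    body = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Any config line whose last two tokens are "7 <hex>" carries a type 7 value.
_TYPE7_LINE = re.compile(r"^\s*(?P<prefix>.*?)\s+7\s+(?P<blob>[0-9A-Fa-f]{4,})\s*$")


def reveal_type7(config_text: str):
    """Return (line prefix, cleartext) for every type 7 value in a config dump."""
    found = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.match(line)
        if m:
            found.append((m.group("prefix"), type7_decode(m.group("blob"))))
    return found


# Constructed configuration fragment: a legacy admin account, a TACACS+ key
# and a VTY line password, all "protected" by service password-encryption.
SAMPLE_CONFIG = """\
service password-encryption
username legacy-admin privilege 15 password 7 094F471A1A0A
tacacs server OLD-TAC
 address ipv4 10.10.1.50
 key 7 {}
line vty 0 4
 password 7 {}
""".format(type7_encode("T@cPlu5K3y!Infra2026", seed=3),
           type7_encode("cisco123", seed=12))


if __name__ == "__main__":
    for prefix, clear in reveal_type7(SAMPLE_CONFIG):
        print(f"{prefix!r:55s} -> {clear}")
```

    Point reveal_type7 at a real show running-config dump and every TACACS+ key, RADIUS key and line password protected only by type 7 comes back in clear text in milliseconds. That is the practical reason for the type 6 master key in this answer and for treating configuration backups as secrets.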

    Q8: How many TACACS+ servers can I define in a group?

    More than you will need. The device tries the servers in the order listed and only falls through to the next method when all of them are unreachable, so two to three servers in separate failure domains is the standard for redundancy. Long lists mostly add delay: during an outage each server gets its full timeout before the next is tried, so a login can hang for timeout multiplied by the number of servers before the local fallback engages.

    Q9: Can I use AAA accounting to log every command a user types?

    Yes. Configure aaa accounting commands 15 default start-stop group INFRARUNBOOK-TACACS-GRP and aaa accounting commands 1 default start-stop group INFRARUNBOOK-TACACS-GRP. Every command at those privilege levels is sent to the TACACS+ server with timestamp, username, and the full command string as typed, which makes the accounting log itself sensitive; restrict who can read it.

    Q10: How do I migrate from legacy TACACS+ configuration (tacacs-server host) to the new-style?

    Step 1: Define the new server objects with tacacs server NAME. Step 2: Add them to an aaa group server tacacs+ group. Step 3: Update your method lists to reference the named group. Step 4: Remove the old tacacs-server host lines. Test at each step and keep a console session open throughout.


    Summary

    A properly configured AAA framework with TACACS+ gives you centralized authentication, per-command authorization, and full audit logging for every device in your network. Combined with SSH hardening, VTY ACLs, and brute-force protection, your Cisco infrastructure becomes significantly more secure and auditable. Always test with the test aaa command and a fresh SSH login before relying on the configuration in production, and never remove your local fallback user.
