
CCNA AAA: Authentication, Authorization & Accounting with TACACS+/RADIUS

AAA — Authentication, Authorization, and Accounting — is the security framework that controls who can access network devices, what they can do, and tracks what they did. The CCNA 200-301 exam tests the three components of AAA, the difference between TACACS+ and RADIUS, and how AAA integrates with 802.1X for network access control. This guide covers each component, the protocol differences, and how they appear in exam scenarios.


The three components of AAA

Authentication answers 'who are you?' — verifying identity through credentials (username/password, certificate, token). Before a user can access a network device or the network itself, they must prove their identity. Authentication can be local (usernames stored on the device itself) or centralized (credentials verified by a RADIUS or TACACS+ server).

Authorization answers 'what can you do?' — after authentication, authorization determines what resources and actions the authenticated user has access to. For network device access, this might mean a network admin can run `debug` commands while a read-only user can only run `show` commands. Authorization is applied per-session and sometimes per-command.

Accounting answers 'what did you do?' — recording user activity for audit, billing, and compliance. Accounting logs which user logged in, at what time, from where, what commands they ran, and when they logged out. These logs are invaluable during security incidents and for compliance audits.

Local vs centralized AAA

Local AAA stores usernames and passwords directly on the network device (`username admin privilege 15 secret cisco`). It's simple and works even if the network is down, but it doesn't scale — every device has its own user database, and changing a password requires updating every device individually.

Centralized AAA uses a dedicated AAA server (RADIUS or TACACS+) to validate credentials. All devices point to the same server; changing a password or disabling an account takes effect immediately across all devices. The trade-off: if the AAA server is unreachable and local fallback isn't configured, administrators may be locked out.

Best practice: configure centralized AAA with local fallback (`aaa authentication login default group tacacs+ local`). This ensures that if the TACACS+ server is unreachable, local credentials still work for emergency access.
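The fallback rule has a subtlety worth being precise about: the next method in the list is consulted only when the TACACS+ group returns an error (no server answered), not when a reachable server rejects the credentials. The following Python model is an added illustration, not Cisco IOS code: it parses the method list shown above and applies that rule. The server group, usernames and passwords in it are constructed sample data.

```python
"""Model of an IOS login method list (added illustration, not Cisco code).

Each method in `aaa authentication login default group tacacs+ local` yields
one of three results:
  PASS  - a server accepted the credentials: login succeeds, stop
  FAIL  - a reachable server rejected the credentials: login fails, stop
  ERROR - no server in the group answered: consult the NEXT method
Only ERROR moves on to the next method, so `local` is reached when the
TACACS+ servers are unreachable, never because a live server said no.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsGroup:
    """A TACACS+ server group (constructed: a user table and per-server reachability)."""
    users: Dict[str, str]
    reachable: List[bool]

    def authenticate(self, user: str, password: str) -> str:
        if not any(self.reachable):
            return ERROR                      # every server in the group timed out
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class LocalDatabase:
    """The device's own `username ... secret ...` entries (constructed sample)."""
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> str:
        return PASS if self.users.get(user) == password else FAIL


def parse_method_list(line: str) -> List[str]:
    """'aaa authentication login default group tacacs+ local' -> ['group tacacs+', 'local']"""
    tokens = line.split()
    if tokens[:4] != ["aaa", "authentication", "login", "default"]:
        raise ValueError("expected a default login method list")
    methods, i = [], 4
    while i < len(tokens):
        if tokens[i] == "group":              # 'group <name>' is a single method
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def login(methods: List[str], backends: Dict[str, object],
          user: str, password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the method list; return (final result, trace of methods consulted)."""
    trace = []
    for method in methods:
        result = backends[method].authenticate(user, password)
        trace.append((method, result))
        if result != ERROR:                   # PASS or FAIL ends the walk
            return result, trace
    return FAIL, trace                        # every method errored: deny


if __name__ == "__main__":
    methods = parse_method_list("aaa authentication login default group tacacs+ local")
    servers_down = {"group tacacs+": TacacsGroup({"alice": "S3cret"}, [False, False]),
                    "local": LocalDatabase({"admin": "cisco"})}
    print(login(methods, servers_down, "admin", "cisco"))
```

Run the trace with healthy servers and a wrong password and you will see `local` is never consulted; that is the behaviour to expect when someone reports "my local account stopped working" after the TACACS+ server came back up.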

802.1X port-based network access control

802.1X is the IEEE standard for port-based Network Access Control (NAC). It uses AAA to control which devices can connect to the network. It defines three roles:

  • Supplicant: the end device wanting network access; runs the 802.1X client
  • Authenticator: the switch or AP; enforces access based on the authentication result
  • Authentication Server: the RADIUS server; verifies the credentials

The flow: a device plugs into a switch port. The switch puts the port in an unauthorized state, passing only EAPOL (Extensible Authentication Protocol over LAN) traffic. The device sends EAP credentials. The switch forwards them to the RADIUS server. The RADIUS server verifies credentials and sends Access-Accept or Access-Reject. On Accept, the switch moves the port to authorized state.

802.1X is commonly deployed with EAP-TLS (certificate-based, no passwords), PEAP (password tunneled in TLS), or EAP-FAST. For wireless networks, 802.1X is used in WPA2-Enterprise mode where each user authenticates with individual credentials rather than a shared passphrase.
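The port behaviour described in the flow above, as an added Python model that is not switch firmware or any vendor's code: an unauthorized port lets nothing but EAPOL frames (EtherType 0x888E) through, and only towards the authentication path; the RADIUS result decides whether the port opens, and a link-down or EAPOL-Logoff closes it again. The frames used are constructed sample data.

```python
"""Toy 802.1X authenticator port (added illustration, not switch firmware).

UNAUTHORIZED: only EAPOL frames are accepted, and they go to the authentication
path; every other frame is dropped.  Access-Accept -> AUTHORIZED (with the VLAN
the server returned, or the port's default); Access-Reject -> stays UNAUTHORIZED;
link-down or EAPOL-Logoff -> back to UNAUTHORIZED.
"""
from dataclasses import dataclass
from typing import Optional

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAPOL
IPV4_ETHERTYPE = 0x0800
EAPOL_LOGOFF = 2           # EAPOL packet type: Logoff


@dataclass
class Frame:
    ethertype: int
    eapol_type: Optional[int] = None   # only meaningful for EAPOL frames


class Dot1xPort:
    def __init__(self, default_vlan: int):
        self.default_vlan = default_vlan
        self.dropped = 0
        self._unauthorize()

    def ingress(self, frame: Frame) -> str:
        """Return where the frame went: 'auth-server', 'network' or 'drop'."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            if frame.eapol_type == EAPOL_LOGOFF:
                self._unauthorize()              # supplicant asked to leave
                return "drop"                    # logoff is consumed by the port
            return "auth-server"                 # EAP is relayed towards RADIUS
        if self.state == "AUTHORIZED":
            return "network"
        self.dropped += 1                        # unauthorized: nothing else passes
        return "drop"

    def radius_result(self, code: str, vlan: Optional[int] = None) -> str:
        """Apply the authentication server's verdict to the port."""
        if code == "Access-Accept":
            self.state = "AUTHORIZED"
            self.vlan = vlan if vlan is not None else self.default_vlan
        elif code == "Access-Reject":
            self._unauthorize()
        else:
            raise ValueError(f"unexpected RADIUS code {code!r}")
        return self.state

    def link_down(self) -> None:
        self._unauthorize()

    def _unauthorize(self) -> None:
        self.state = "UNAUTHORIZED"
        self.vlan: Optional[int] = None


if __name__ == "__main__":
    port = Dot1xPort(default_vlan=10)
    print(port.ingress(Frame(IPV4_ETHERTYPE)))          # drop: port not yet authorized
    print(port.ingress(Frame(EAPOL_ETHERTYPE, 0)))      # auth-server: EAP relayed
    print(port.radius_result("Access-Accept", vlan=20), port.vlan)
    print(port.ingress(Frame(IPV4_ETHERTYPE)))          # network
```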

TACACS+ and RADIUS for AAA

TACACS+ (TCP 49, full encryption, separates A/A/A) is the choice for network device administration. It allows per-command authorization: an administrator might be allowed to run `show` commands but not `debug` or `configure`. TACACS+ accounting logs every command typed, providing a complete audit trail.

RADIUS (UDP 1812/1813, password-only encryption, combines authentication and authorization) is the choice for network access control — 802.1X wired and wireless authentication, VPN authentication. RADIUS attributes (standard IETF attributes such as the RFC 3580 tunnel attributes, plus vendor-specific attributes, VSAs) can return VLAN assignments and ACLs to the switch, dynamically placing authenticated users in the correct VLAN.

A single network commonly uses both: TACACS+ for device management (who can SSH to the router) and RADIUS for network access (who can connect to Wi-Fi or the wired port).

AAA components

| Component | Question answered | Example |
|---|---|---|
| Authentication | Who are you? | Username + password, certificate, token |
| Authorization | What can you do? | Read-only vs full admin; allowed VLAN; permit/deny commands |
| Accounting | What did you do? | Login/logout times, commands run, session duration |

Key exam facts — CCNA

  • Authentication = identity verification. Authorization = permission. Accounting = audit trail
  • TACACS+: TCP 49, full encryption, separates A/A/A, per-command authorization — device admin
  • RADIUS: UDP 1812/1813, password encryption only, A+A combined — network access (802.1X)
  • 802.1X roles: Supplicant (device), Authenticator (switch/AP), Authentication Server (RADIUS)
  • Local AAA fallback: `aaa authentication login default group tacacs+ local`
  • RADIUS can return VLAN assignment dynamically for authenticated 802.1X users

Common exam traps

Authentication and authorization are the same thing

Authentication verifies identity (who you are). Authorization determines permissions (what you can do). You can be authenticated but not authorized for specific resources.

TACACS+ is better for 802.1X wireless authentication

RADIUS is the standard for 802.1X — it's what 802.1X was designed to work with. TACACS+ is optimized for device administration (CLI access) with per-command authorization.

Accounting is optional and only used for billing

Accounting is critical for security auditing and incident response — logs who ran which commands, from where, and when. It's mandatory in regulated environments (PCI-DSS, HIPAA) and invaluable for forensic investigation.

Practice questions — AAA Framework

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. Which component of AAA tracks what commands a network administrator ran on a device?

A. Authentication
B. Authorization
C. Accounting
D. Access control

Correct answer: C. Accounting

Explanation: Accounting records user activity — login/logout times, commands executed, session duration. This provides an audit trail for security incidents and compliance. Authentication verifies identity; authorization determines permissions.

Q2. In 802.1X network access control, which device validates the user's credentials against the authentication server?

A. Supplicant
B. Authenticator
C. Authentication Server
D. DHCP server

Correct answer: C. Authentication Server

Explanation: The Authentication Server (typically a RADIUS server) validates the credentials. The Supplicant is the end device. The Authenticator (switch/AP) enforces access but forwards credentials to the Authentication Server for validation.

Q3. A network uses TACACS+ for device administration. An admin successfully logs in via SSH but cannot run configuration commands. Which AAA component is preventing the configuration access?

A. Authentication
B. Authorization
C. Accounting
D. 802.1X

Correct answer: B. Authorization

Explanation: The admin successfully authenticated (identity verified). The restriction on configuration commands is enforced by authorization — TACACS+ can authorize commands per user or group, allowing read-only access while blocking configuration commands.

Q4. Which protocol is recommended for authenticating wireless users connecting via WPA2-Enterprise (802.1X)?

A. TACACS+
B. RADIUS
C. Kerberos
D. LDAP directly

Correct answer: B. RADIUS

Explanation: RADIUS is the standard protocol for 802.1X authentication used in WPA2-Enterprise wireless deployments. The WLC or AP (authenticator) forwards EAP credentials to the RADIUS server for verification.

Q5. A Cisco router is configured with `aaa authentication login default group tacacs+ local`. What happens if the TACACS+ server is unreachable?

A. All login attempts fail
B. The router uses the local username database as a fallback
C. The router skips authentication entirely
D. The router switches to RADIUS automatically

Correct answer: B. The router uses the local username database as a fallback

Explanation: The `local` keyword at the end of the AAA authentication statement provides a fallback to the local username database if all TACACS+ servers are unreachable. This ensures emergency access when the AAA server is down.

Frequently asked questions — AAA Framework

What is the difference between authentication and authorization?

Authentication is identity verification — proving you are who you claim to be (username + password, certificate). Authorization is permission — determining what resources and actions the authenticated identity is allowed to access. You must be authenticated before authorization is applied.

Why use both TACACS+ and RADIUS in the same network?

TACACS+ is optimized for device administration (router/switch CLI access) with per-command authorization and full packet encryption. RADIUS is the standard for network access control (802.1X wired/wireless, VPN). Using both lets you apply each protocol where it's best suited rather than compromising on one.

What is 802.1X and how does it work?

802.1X is port-based Network Access Control. When a device connects to a switch port or wireless network, the port stays unauthorized until the device authenticates. The device (supplicant) sends credentials via EAP; the switch/AP (authenticator) forwards them to a RADIUS server (authentication server); on success the port becomes authorized and the device gets network access.

What is the AAA local fallback and why is it important?

AAA local fallback (`group tacacs+ local` in the method list) means if the TACACS+ or RADIUS server is unreachable, the device falls back to its local username database. Without this, if the AAA server goes down, no one can log in — you'd need console access to fix it. Local fallback ensures emergency access is always available.

What does RADIUS return to the switch in 802.1X to enable dynamic VLAN assignment?

The RADIUS Access-Accept response can include RADIUS attributes (specifically RFC 3580 attributes: Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN ID) that tell the switch which VLAN to assign the authenticated user. This enables dynamic VLAN assignment — different users get placed in different VLANs automatically based on their identity.
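Two claims on this page are easy to verify at the byte level: that RADIUS hides only the User-Password while everything else (User-Name included) crosses the wire in cleartext, and that dynamic VLAN assignment is carried by the three RFC 3580 tunnel attributes listed above. The following Python is an added example, not the page's, Cisco's or any RADIUS server's code: it builds an Access-Request with the RFC 2865 password hiding, builds and verifies a server reply (the Response Authenticator check a switch performs before trusting an Access-Accept), and extracts the VLAN. The shared secret, user, password and Request Authenticator are constructed sample values.

```python
"""RADIUS password hiding and RFC 3580 VLAN attributes (added example; not the
page's, Cisco's or any RADIUS server's code). All values are constructed samples.
Packet (RFC 2865): Code(1) Identifier(1) Length(2) Authenticator(16) attributes,
each attribute Type(1) Length(1) Value.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with
    MD5(secret || previous block), the first block keyed by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def tagged_int(tag: int, value: int) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type value: one tag byte then a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(packet: bytes):
    attrs, i = [], 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, secret, user, password, request_auth=None):
    """Only User-Password is hidden; User-Name and every other attribute are cleartext."""
    ra = request_auth or os.urandom(16)
    hidden = hide_password(password, secret, ra)
    return build_packet(ACCESS_REQUEST, ident, ra,
                        [attr(USER_NAME, user), attr(USER_PASSWORD, hidden)]), ra

def build_response(code, ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply not computed with the shared secret must be discarded."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def vlan_from_access_accept(packet: bytes):
    """RFC 3580: return the VLAN id only when Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802
    and a numeric Tunnel-Private-Group-ID are all present; otherwise None."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    ttype = medium = group = None
    for t, v in parse_attrs(packet):
        if t == TUNNEL_TYPE and len(v) == 4:
            ttype = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_MEDIUM_TYPE and len(v) == 4:
            medium = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            group = (v[1:] if v[0] <= 0x1F else v).decode()   # leading tag byte is optional
    if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802 and group and group.isdigit():
        return int(group)
    return None
```

Dumping the Access-Request with `parse_attrs` shows the page's "password-only encryption" literally: User-Name is readable, User-Password is 16 opaque bytes. The reply check is the piece to keep in mind operationally: without the shared secret a forged Access-Accept fails `verify_response`, and without all three RFC 3580 attributes agreeing `vlan_from_access_accept` returns None and the port should fall back to its configured VLAN or stay closed.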
