AAA

From CCIE Study Wiki



AAA stands for Authentication, Authorization, and Accounting. AAA is a framework for controlling access to a system's resources: authentication establishes who the user is, authorization decides what that user may do, and accounting records what was done.

Theory


Configuring AAA in IOS establishes what authentication methods (and in what order) are used to accept or reject a user.

You must enable AAA via the aaa new-model command and define the default set of authentication methods you are using for CLI access and enable-mode access.


AAA lets you define up to four authentication methods with a single command; the ordered set is called a method list. The IOS always tries the method listed first. It moves on to the next method only if the first one returns an error (for example, no RADIUS or TACACS+ server answers); if the first method actually responds with a reject (wrong password, unknown user), the attempt is rejected immediately and no later method is consulted. If a method refers to a group of more than one server, the servers are tried in order until one responds. If every method in the list fails to respond, authentication is rejected, so a method list fails closed unless you deliberately end it with "none".

You can override the default AAA configuration on the console, vty, or aux lines by creating a custom authentication list via the aaa authentication login name command. To use the custom list, it must be called on the line configuration with the login authentication name command.

AAA authentication can also be used to secure PPP connections, using the aaa authentication ppp command and a ppp authentication statement on the interface.
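The procedure above, carried through as a worked configuration. This is an added example, not configuration from the original page or from Cisco documentation; the server addresses (192.0.2.x), shared secrets, usernames and list names (TAC-ADMINS, CONSOLE, PPP-USERS) are assumptions chosen for illustration. The comments explain the fallback behaviour and the ordering that keeps you from locking yourself out.

```cisco
! Added example configuration (not from the original page). Addresses, keys,
! usernames and list names are placeholders.
!
! Create the local fallback account and the enable secret BEFORE entering
! aaa new-model. The moment AAA is enabled the default login list applies to
! every line, and an empty local database would lock you out of the vtys.
username admin privilege 15 secret Example-Local-S3cret
enable secret Example-Enable-S3cret
!
aaa new-model
!
! Two TACACS+ servers and a named group that references them.
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
tacacs-server key Example-Shared-Key
aaa group server tacacs+ TAC-ADMINS
 server 192.0.2.10
 server 192.0.2.11
!
! Default login list: ask the TAC-ADMINS group first. "local" is used only
! when no server in the group answers; a reject from a server is final and
! the local database is never consulted for that attempt.
aaa authentication login default group TAC-ADMINS local
!
! Enable-mode access: server first, enable secret only if the servers are
! unreachable. There is no named list for enable, only "default".
aaa authentication enable default group TAC-ADMINS enable
!
! Custom list for the console: local database only, so the console still
! works when the network path to the servers is down.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
!
! vty lines inherit the default list; naming it explicitly makes the intent
! visible in the running config.
line vty 0 4
 login authentication default
 transport input ssh
!
! PPP: a named list is selected on the interface, not globally.
aaa authentication ppp PPP-USERS group TAC-ADMINS local
interface Serial0/0
 encapsulation ppp
 ppp authentication chap PPP-USERS
```

Keep the session on which you type aaa new-model open until you have confirmed from a second session that a login still succeeds; the first session is your only way back in if the default list does not behave as expected.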

Commands

  • aaa new-model (global) - enables AAA
  • aaa authentication [login|enable|ppp] default (global) - defines the default method list for CLI login, enable mode, or PPP authentication
  • aaa authentication [login|ppp] name (global) - defines a named method list that can be applied to specific lines or interfaces to override the default (enable has no named lists, only default)
  • login authentication name (line) - applies a named login method list to a particular access line (console, vty, or aux)
  • ppp authentication {chap | pap | ms-chap} [list-name] (interface) - selects the PPP authentication protocol and, optionally, a named PPP method list instead of the default
  • Authentication methods for login and enable modes:
    • group radius - use all configured RADIUS servers
    • group tacacs+ - use all configured TACACS+ servers
    • group name - use a defined group of servers
    • enable - use the enable/enable secret password
    • line - use the password configured in line configuration mode
    • local - use the password defined by the username command - the username is NOT case sensitive
    • local-case - use the password defined by the username command, but the username IS case sensitive
    • none - no authentication is performed; every user is accepted. Only consider it as the last method of a list, and never on vty lines
  • aaa group server [tacacs+|radius] name (global) - configures a named RADIUS or TACACS+ server group to be called by the aaa authentication command
  • radius-server host (global) - defines a RADIUS server address
  • radius-server key (global) - defines the shared secret used with the RADIUS servers
  • tacacs-server host (global) - defines a TACACS+ server address
  • tacacs-server key (global) - defines the shared secret used with the TACACS+ servers

Default Settings

  • Nothing added here yet

Verification

  • Nothing listed yet

Troubleshooting, Tips, and Tricks

  • Entering aaa new-model immediately applies the default login list (local authentication) to every line. If no username is configured at that point, new vty sessions will be refused. Configure a local username first, and keep the session you used to enable AAA open until a second login succeeds.
  • A method list only falls through to the next method on an error (no server response), never on a reject. Ending a list with local therefore protects you from an unreachable server, not from a mistyped password on the server side.
  • When you have autocommands configured on local usernames (username name autocommand ...), they will not work after entering the aaa new-model command, because under AAA the per-user autocommand is applied by exec authorization. Restore it with aaa authorization exec default local (or the equivalent server-based list).

Online Resources







This page was last modified on 29 September 2009, at 18:32. This page has been accessed 766 times.