Configuring AAA
Overview of AAA
AAA stands for Authentication, Authorization and Accounting. It provides a consistent framework for configuring these three functions. AAA provides the following services in a modular fashion:
- Authentication: verifies whether a user may obtain access. The RADIUS protocol, the TACACS+ protocol or the local user database (local) can be used. Authentication identifies a user before that user is allowed access to the network and to network services.
- Authorization: determines which services an authenticated user may use. AAA authorization is achieved by defining a series of attribute pairs that describe the operations the user is authorized to perform. These attribute pairs can be stored on the network device or remotely on a security server.
- Accounting: records the user's use of network resources. When AAA accounting is enabled, the network device sends records of the user's use of network resources to the accounting server. Each accounting record is composed of attribute pairs and is stored on a security server. These records can be read and analyzed by dedicated software to perform accounting, statistics and tracking of users' use of network resources.
Using AAA has the following advantages:
- Flexibility and controllability.
- Scalability.
- Standardized authentication.
- Multiple backup systems.
AAA has the following relevant standards:
- RFC 2865, Remote Authentication Dial In User Service (RADIUS). C. Rigney, S. Willens, A. Rubens, W. Simpson. June 2000.
- RFC 2866, RADIUS Accounting. C. Rigney. June 2000.
- RFC 8907, The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol. T. Dahm, A. Ota, D.C. Medway Gash, D. Carrel, L. Grant. September 2020.
Configuring
- Enabling/disabling AAA Function Globally
SWITCH(config)# aaa new-model
SWITCH(config)# no aaa new-model
Globally enable or disable the AAA function.
SWITCH(config)# aaa group server radius (default|NAME)
SWITCH(config)# aaa group server tacacs+ (default|NAME)
SWITCH(config)# no aaa group server (radius|tacacs+) (default|NAME)
Server group configuration. Optional. By default no server group is configured and no server method is used.
SWITCH(config-gs-rad)# server A.B.C.D (auth-port <1-65535> |) (acct-port <1-65535> |) (key STRING)
SWITCH(config-gs-tac)# server A.B.C.D (port <1-65535> |) (key STRING)
SWITCH(config-gs-rad)# no server A.B.C.D
SWITCH(config-gs-tac)# no server A.B.C.D
Server group mode. Configure the RADIUS or TACACS+ server information: the IP address, the port numbers and the shared key. Optional. Note: due to an implementation restriction, the RADIUS accounting port is always the authentication port number + 1, so a configured acct-port value has no effect.
SWITCH(config-gs-rad)# timeout <1-120>
SWITCH(config-gs-tac)# timeout <1-120>
SWITCH(config-gs-rad)# no timeout
SWITCH(config-gs-tac)# no timeout
Server group mode. Configure the timeout period for the servers in the group. Optional.
SWITCH(config-gs-tac)# service NAME
SWITCH(config-gs-tac)# no service
TACACS+ server group mode. Configure the service information in the group. Optional.
SWITCH(config)# aaa (authentication|authorization|accounting) (login|ssh|web|dot1x|command) default {group (radius|tacacs+|NAME)|local|none}
SWITCH(config)# no aaa (authentication|authorization|accounting) (login|ssh|web|dot1x|command) default
Global configuration mode. Configure the AAA method for a service. Optional. Local authentication is used by default. Note 1: with the none authentication method, a username that exists on the device (such as admin) must still be entered at login, otherwise an error may occur. Note 2: the web service does not currently support accounting or authorization.
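The commands above combined into one complete RADIUS configuration for login authentication and accounting, as an added example that is not part of the original page. It uses a named server group instead of the default group; the group name corp-radius, the server address 192.0.2.10, the shared key ExampleSharedKey and the username netops are placeholders chosen for this example.

```text
SWITCH(config)# aaa new-model
SWITCH(config)# aaa group server radius corp-radius
SWITCH(config-gs-rad)# server 192.0.2.10 auth-port 1812 key ExampleSharedKey
SWITCH(config-gs-rad)# timeout 5
SWITCH(config-gs-rad)# exit
SWITCH(config)# aaa authentication login default group corp-radius
SWITCH(config)# aaa accounting login default group corp-radius
SWITCH(config)# username netops remote
```

Because of the restriction noted for the server command, accounting requests for this server are sent to port 1813 (the authentication port 1812 plus one) whatever acct-port value is entered, so the RADIUS server must accept accounting on that port. The last line mirrors the username line of the page's own TACACS+ example and is assumed to declare a user whose credentials are checked on the remote server. The method syntax takes a single method per service, so verify from a second session that the RADIUS server answers before closing the session used to apply these commands.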
Examples
SSH Login Authentication Using the TACACS+ Method
• Requirements
- See the description of the network diagram
• Network diagram
Figure 8: Typical networking diagram for SSH authentication and accounting through a TACACS+ server
Description: none
• Typical configuration example
Switch:
SWITCH(config)# aaa new-model
SWITCH(config)# aaa group server tacacs+ default
SWITCH(config-gs-tac)# server 2.2.2.106 key testkey123
SWITCH(config-gs-tac)# exit
SWITCH(config)# aaa authentication ssh default group tacacs+
SWITCH(config)# aaa accounting ssh default group tacacs+
SWITCH(config)# username test remote
Device IP configuration and SSH configuration are described in the corresponding chapters of the configuration documentation and are omitted here.
Serial Port Login Using the None Method
• Requirements
- See the description of the network diagram
• Network diagram
Figure 9: Typical network diagram for serial port login using none authentication and accounting
• Typical configuration example
Refer to the network diagram
Display Information
- None

