The Cisco AAA command set and techniques are quite complex. I hope this turns out to be a simple but useful post to get an idea whats happening.
AAA stands for Authentication, Authorization and Accounting. What do these really mean? You can read the typical definition here but to me they are basically:
Authentication – A way for me to identify myself to a remote router. Typically using a username / password combination but it could also be certificates or RSA keys etc.
Authorization – This is a way for the router to check if I’m allowed to do something. For example run a show command or modify an ACL etc.
Accounting – This is a way for the router to track / log whats been done. You could track when I logged in, what command I performed and when I logged out.
These AAA functions are achieved by using a method list for each type for command. A “method list” is just a list of things to try in priority order. IE Try the first item on the list and if not available then proceed to the next item on the list. If you reach the end of the list then assume a fail and reject.
The basic configuration syntax is
1) enable AAA using aaa new-model global configuration command
2) setup your lists
- aaa authentication item1 item2 …..
- aaa authorization item1 item2 …..
- aaa accounting item1 item2 …..
3) setup any parameters you need for the items. For example if item1 is Radius, then setup the radius server and password
4) Tie one or more of these lists to an event (eg login -> authentication, running commands -> Authorization)
An example method list is:
aaa authentication login default group tacacs+ none
This command says the default login options is “tacacs+”. If the tacacs server isn’t available (ie cannot respond with a yes or no) then permit the login (ie none). The none keyword is like a “permit ip any any” in ACLs.