Connecting your Cisco routers and switches to the AAA RADIUS server.
- AAA stands for Authentication, Authorization, and Accounting.
- RADIUS is a distributed client/server authentication system.
- TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol developed by Cisco.
AAA uses RADIUS or TACACS+ to verify credentials against a server when a user tries to log in.
On all network devices (routers, switches, access points, etc.) issue the following commands:
enable
configure terminal
enable secret LOCAL_PASSWORD
username admin privilege 15 secret ADMIN_PASSWORD
Note: you have just created local credentials so that, if the RADIUS or TACACS+ server is not reachable, the device falls back to the local database.
For RADIUS:
aaa new-model
aaa authentication enable default group radius local
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 192.168.1.100 key PASSWORD
For TACACS+:
aaa new-model
aaa authentication enable default group tacacs+ local
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 192.168.1.100 key PASSWORD
Replace the IP address 192.168.1.100 and PASSWORD with the address and shared key of your RADIUS or TACACS+ server.
Test whether AAA successfully authenticates through the server:
do test aaa group radius REMOTE_USER REMOTE_PASSWORD new-code
or
do test aaa group tacacs+ REMOTE_USER REMOTE_PASSWORD legacy
Note that REMOTE_USER and REMOTE_PASSWORD must already exist on the server.
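An added check, not part of the original page, that a practitioner can run over a saved running-config to confirm the fallback pattern described above is in place: every default method list names a server group and ends with local, no list contains none, a server with a shared key is defined, and a privilege-15 local user and enable secret exist. The sample config is constructed from the commands above.

```python
import re

# Constructed sample, mirroring the RADIUS variant of the commands on this page.
SAMPLE_CONFIG = """\
aaa new-model
enable secret LOCAL_PASSWORD
username admin privilege 15 secret ADMIN_PASSWORD
aaa authentication enable default group radius local
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 192.168.1.100 key PASSWORD
"""

def _falls_back(lines, prefix):
    """True if the method list after `prefix` uses a server group, ends with
    'local' (so the device stays reachable when the server is down) and never
    contains 'none' (which would skip authentication entirely)."""
    for line in lines:
        if line.startswith(prefix):
            methods = line[len(prefix):].split()
            uses_server = any(m in ("radius", "tacacs+") for m in methods)
            return uses_server and methods[-1] == "local" and "none" not in methods
    return False

def check_aaa_fallback(config: str) -> dict:
    """Map each named check to True/False for an IOS running-config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has_prefix = lambda p: any(l.startswith(p) for l in lines)
    server_with_key = any(
        re.match(r"(radius|tacacs)-server host \S+ key \S+", l) for l in lines)
    local_admin = any(
        re.match(r"username \S+ privilege 15 secret \S+", l) for l in lines)
    return {
        "aaa_new_model": has_prefix("aaa new-model"),
        "login_fallback": _falls_back(lines, "aaa authentication login default "),
        "enable_fallback": _falls_back(lines, "aaa authentication enable default "),
        "exec_authz_fallback": _falls_back(lines, "aaa authorization exec default "),
        "server_with_key": server_with_key,
        "local_priv15_user": local_admin,
        "enable_secret": has_prefix("enable secret "),
    }

if __name__ == "__main__":
    for name, ok in check_aaa_fallback(SAMPLE_CONFIG).items():
        print(f"{name:20s} {'OK' if ok else 'MISSING'}")
```

Feed it the output of show running-config; any MISSING line is a device that will lock you out when the server goes down or is missing a piece of the page's setup.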
Other useful commands:
show users
do debug aaa authentication
do debug radius
do debug tacacs