Summary: AAA (Authentication, Authorisation, Accounting) provides unified access control on IOS-XE devices using method lists and multiple backend sources.
AAA is a framework for managing user access (authentication, authorisation) and tracking usage (accounting).
Enable the AAA model globally:
aaa new-model
This command activates AAA functionality. Without it, traditional line-level login methods apply (line passwords and login local). Once aaa new-model is enabled, VTY logins use the local username database by default, so create a local user before enabling it and keep your console session open until a new SSH login has been verified.
Method lists define the order and type of servers used for authentication and authorisation.
The default list applies to every line and interface that does not reference a named list. Server-based methods are written with the group keyword (group tacacs+, group radius, or a named server group):
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
Applied selectively to specific lines (e.g., VTY, console):
aaa authentication login MGMT_LOGIN group tacacs+ local
aaa authorization exec MGMT_EXEC group tacacs+ local
Apply a named list to a VTY line:
line vty 0 15
login authentication MGMT_LOGIN
authorization exec MGMT_EXEC
| Method | Description |
|---|---|
| local | Local username database on the device |
| group tacacs+ | TACACS+ server (TCP/49); whole packet body encrypted; supports per-command authorisation |
| group radius | RADIUS server (UDP/1812 and 1813); only the password attribute is encrypted; intended for network access |
| enable | Uses the enable password (legacy, not recommended) |
| none | No authentication; never use on remote access lines |
Control what commands and actions users can perform:
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
The commands <privilege-level> variant enables per-command authorisation at that privilege level; each command is sent to the server before it executes. Console sessions are exempt from authorisation unless aaa authorization console is also configured.
Track user activities and commands:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Methods are tried left to right. The device falls back to the next method only if the current server is unreachable — not if authentication fails:
aaa authentication login default group tacacs+ local
If TACACS+ is unreachable → fall back to local. If TACACS+ rejects the credentials → login denied (no fallback).
⚠️ Fallback Behaviour
Fallback only occurs on server unreachability (timeout or no route), not on authentication failure. If TACACS+ is reachable and returns a reject, local is not tried. This is intentional: it prevents bypassing TACACS+ by triggering a fallback. If every method in the list returns an error (for example all servers down and no local method configured), the login is denied, so keep local at the end of the list as a break-glass path and make sure a local account actually exists.
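The fallback rule above, as a runnable model. This is an added illustration, not Cisco code: each method answers PASS, FAIL or ERROR, and only ERROR moves evaluation to the next method. The server group name, usernames and passwords are constructed, and the local database is simplified to always return a decision.

```python
"""Model of how an IOS-XE method list is walked (added illustration, not
Cisco code). PASS/FAIL are decisions; ERROR (server unreachable) is the
only outcome that moves on to the next method in the list."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # decision: accept
    FAIL = "fail"    # decision: reject
    ERROR = "error"  # no decision (timeout/unreachable); try the next method


Method = Callable[[str, str], Result]

# Constructed sample data: the same account has different passwords on the
# TACACS+ server and in the local database so we can see which one answered.
TACACS_DB = {"netops": "tacacs-pw"}
LOCAL_DB = {"netops": "local-pw"}


def local(users: Dict[str, str]) -> Method:
    """Local username database. Simplification: it always returns a decision."""
    def check(user: str, pw: str) -> Result:
        return Result.PASS if users.get(user) == pw else Result.FAIL
    return check


def group_tacacs(reachable: bool, users: Dict[str, str]) -> Method:
    """TACACS+ server group: unreachable => ERROR, reachable => accept/reject."""
    def check(user: str, pw: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == pw else Result.FAIL
    return check


def none_method(user: str, pw: str) -> Result:
    """The 'none' keyword: unconditional accept."""
    return Result.PASS


def build(spec: str, tacacs_up: bool) -> List[Tuple[str, Method]]:
    """Turn a method-list string such as 'group ISE_SERVERS local none'
    into (name, callable) pairs. ISE_SERVERS is an assumed group name."""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append((f"group {toks[i + 1]}", group_tacacs(tacacs_up, TACACS_DB)))
            i += 2
        elif toks[i] == "local":
            out.append(("local", local(LOCAL_DB)))
            i += 1
        elif toks[i] == "none":
            out.append(("none", none_method))
            i += 1
        else:
            raise ValueError(f"unknown method keyword: {toks[i]}")
    return out


def evaluate(methods: List[Tuple[str, Method]], user: str, pw: str) -> Tuple[bool, str]:
    """Walk the list left to right and report which method decided."""
    for name, method in methods:
        result = method(user, pw)
        if result is Result.PASS:
            return True, f"accepted by {name}"
        if result is Result.FAIL:
            return False, f"rejected by {name}; later methods not consulted"
        # Result.ERROR: fall through to the next method
    return False, "no method answered; login denied"


def login(spec: str, tacacs_up: bool, user: str, pw: str) -> Tuple[bool, str]:
    """Convenience wrapper: evaluate a method-list string for one login."""
    return evaluate(build(spec, tacacs_up), user, pw)


if __name__ == "__main__":
    # Server up and it rejects the local password: local is NOT tried.
    print(login("group ISE_SERVERS local", True, "netops", "local-pw"))
    # Server unreachable: evaluation falls back to local.
    print(login("group ISE_SERVERS local", False, "netops", "local-pw"))
    # No local method and the server is down: nobody can log in.
    print(login("group ISE_SERVERS", False, "netops", "tacacs-pw"))
    # A trailing 'none' turns a server outage into an open door.
    print(login("group ISE_SERVERS none", False, "netops", "anything"))
```

The last case is why none belongs on no remote line: it is harmless while the server answers and becomes unauthenticated access the moment the server stops answering.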
aaa new-model
! TACACS+ server definition
tacacs server ISE-PRIMARY
address ipv4 10.10.10.100
key S3cur3T4c4cs!
timeout 5
aaa group server tacacs+ ISE_SERVERS
server name ISE-PRIMARY
! Authentication
aaa authentication login default group ISE_SERVERS local
aaa authentication enable default group ISE_SERVERS enable
! Authorisation
aaa authorization exec default group ISE_SERVERS local
aaa authorization commands 15 default group ISE_SERVERS local if-authenticated
! Accounting
aaa accounting exec default start-stop group ISE_SERVERS
aaa accounting commands 15 default start-stop group ISE_SERVERS
! Apply to VTY
line vty 0 15
login authentication default
authorization exec default
transport input ssh
Verify that the server group answers before closing your console session (replace username and password with real test credentials):
test aaa group ISE_SERVERS username password legacy
test aaa group tacacs+ username password legacy
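A static check of the points made on this page (default versus named lists, the none method, command accounting, SSH-only VTYs) run over a saved running-config. This is an added example, not Cisco tooling or the page's own configuration: the sample config is constructed from the baseline above with two deliberate weaknesses (a LAB_LOGIN list containing none applied to vty 5-15, telnet left enabled there) and command accounting omitted.

```python
"""Audit AAA settings in an IOS-XE running-config (added example, not Cisco
tooling). Input is the text of `show running-config`; output is a list of
findings, empty when nothing looks wrong."""
import re
from typing import Dict, List, Optional

# Constructed sample: the page's baseline plus deliberate weaknesses.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server ISE-PRIMARY
 address ipv4 10.10.10.100
 key S3cur3T4c4cs!
aaa group server tacacs+ ISE_SERVERS
 server name ISE-PRIMARY
aaa authentication login default group ISE_SERVERS local
aaa authentication login LAB_LOGIN none
aaa authorization exec default group ISE_SERVERS local
aaa accounting exec default start-stop group ISE_SERVERS
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
line vty 5 15
 login authentication LAB_LOGIN
 transport input telnet ssh
"""


def parse_login_lists(config: str) -> Dict[str, List[str]]:
    """Return {list-name: [method, ...]}; 'group X' is kept as one token."""
    lists: Dict[str, List[str]] = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        toks, methods, i = m.group(2).split(), [], 0
        while i < len(toks):
            if toks[i] == "group" and i + 1 < len(toks):
                methods.append(f"group {toks[i + 1]}")
                i += 2
            else:
                methods.append(toks[i])
                i += 1
        lists[m.group(1)] = methods
    return lists


def parse_line_stanzas(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {line-id: {'login': list-name, 'transport': str|None}}.
    A line with no 'login authentication' command uses the default list."""
    stanzas: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = {"login": "default", "transport": None}
        elif current is not None and raw.startswith(" "):
            tok = raw.split()
            if tok[:2] == ["login", "authentication"] and len(tok) > 2:
                stanzas[current]["login"] = tok[2]
            elif tok[:2] == ["transport", "input"]:
                stanzas[current]["transport"] = " ".join(tok[2:])
        else:
            current = None  # any unindented line ends the stanza
    return stanzas


def audit(config: str) -> List[str]:
    """Return human-readable findings for the AAA weaknesses this page warns about."""
    findings: List[str] = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model is not enabled; method lists have no effect")
    lists = parse_login_lists(config)
    for name, methods in lists.items():
        if "none" in methods:
            findings.append(f"login list {name} contains 'none' (unauthenticated access)")
        if any(t in ("tacacs+", "radius") for t in methods):
            findings.append(f"login list {name} uses a bare server keyword; use 'group'")
    if not re.search(r"^aaa accounting commands \d+ ", config, re.M):
        findings.append("no command accounting configured")
    for line_id, attrs in parse_line_stanzas(config).items():
        lst = attrs["login"] or "default"
        if lst in lists and "none" in lists[lst]:
            findings.append(f"line {line_id} is reachable with no authentication via list {lst}")
        elif lst not in lists and lst != "default":
            findings.append(f"line {line_id} references undefined login list {lst}")
        transport = attrs["transport"] or ""
        if line_id.startswith("vty") and ("telnet" in transport or transport == "all"):
            findings.append(f"line {line_id} permits telnet (cleartext credentials)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of show running-config from each device; a clean baseline such as the full example on this page returns no findings, while the constructed sample returns four.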