{"id":169446,"date":"2026-06-22T11:52:56","date_gmt":"2026-06-22T08:52:56","guid":{"rendered":"https:\/\/computingforgeeks.com\/?p=169446"},"modified":"2026-06-22T11:52:56","modified_gmt":"2026-06-22T08:52:56","slug":"aaa-radius-tacacs-explained","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/aaa-radius-tacacs-explained\/","title":{"rendered":"AAA Explained: RADIUS vs TACACS+ on Cisco"},"content":{"rendered":"

Local accounts on every device stop scaling the moment you have more than a handful of them. Add an engineer and you touch every router and switch; remove one and you hope you caught them all. AAA fixes that by moving identity off the devices and onto a central server, and the two protocols that carry it are RADIUS and TACACS+. Knowing what each A stands for and which protocol to reach for is the heart of this topic.<\/p>\n\n

This guide explains authentication, authorization, and accounting, compares RADIUS against TACACS+ point by point, and configures the AAA client side on a Cisco router with real output. It builds on the local passwords from device access control<\/a>, which become the fallback when the AAA server cannot be reached.<\/p>\n\n

Configured and captured on a Cisco IOS 15.2 router in June 2026; the AAA client config below is real, and the server addresses are examples.<\/em><\/p>\n\n

What AAA stands for<\/h2>\n\n

AAA is three separate questions about a user, answered in order. Authentication proves who you are, authorization decides what you may do, and accounting records what you did.<\/p>\n\n\n\n
The A<\/th>Question it answers<\/th>What it controls<\/th><\/tr><\/thead>\n
Authentication<\/td>Who are you?<\/td>Verifying identity with a username and password, a token, or a certificate<\/td><\/tr>\n
Authorization<\/td>What are you allowed to do?<\/td>Which commands, privilege level, or resources the identity may use<\/td><\/tr>\n
Accounting<\/td>What did you do?<\/td>Logging commands run, session length, and data sent, for audit or billing<\/td><\/tr>\n<\/tbody>\n<\/table>\n\n

The three are independent. A user can be authenticated (the login succeeds) but still be authorized for only a handful of commands, and every action they take can be accounted to their name in a log. Separating them is what lets you give a junior engineer read-only access while the logs still show exactly who did what.<\/p>\n\n

The AAA players: client, server, and the NAS<\/h2>\n\n

AAA has two roles. The AAA server<\/strong> holds the identities and makes the decisions. The network access server (NAS)<\/strong> is the device a user connects to, which forwards the request to the server and enforces the answer. On a Cisco network the NAS is the router or switch itself, acting as the AAA client.<\/p>\n\n\n

\"AAA<\/figure>\n\n\n

A user or admin never talks to the AAA server directly. They log in to the NAS, the NAS asks the server over RADIUS or TACACS+, and the server replies with a permit or deny. The routers and switches<\/a> are the clients in this exchange, never the decision makers, which is exactly why a central server scales: change a password once on the server and every device honors it.<\/p>\n\n

RADIUS vs TACACS+<\/h2>\n\n

Both protocols carry AAA between the NAS and the server, but they were built for different jobs, and the CCNA expects you to tell them apart.<\/p>\n\n\n\n
Property<\/th>RADIUS<\/th>TACACS+<\/th><\/tr><\/thead>\n
Standard<\/td>Open standard (RFC 2865)<\/td>Cisco proprietary<\/td><\/tr>\n
Transport and ports<\/td>UDP 1812 auth, 1813 accounting (older 1645\/1646)<\/td>TCP 49<\/td><\/tr>\n
Encryption<\/td>Only the password in the packet<\/td>The entire packet body<\/td><\/tr>\n
AAA functions<\/td>Combines authentication and authorization<\/td>Separates all three independently<\/td><\/tr>\n
Per-command authorization<\/td>Limited<\/td>Yes, command by command<\/td><\/tr>\n
Primary use<\/td>Network access: 802.1X, VPN, end users<\/td>Device administration<\/td><\/tr>\n
Multivendor<\/td>Broad support<\/td>Mostly Cisco<\/td><\/tr>\n<\/tbody>\n<\/table>\n\n

Two rows decide most exam questions. RADIUS encrypts only the password and runs over UDP, while TACACS+ encrypts the whole packet over TCP, so TACACS+ hides the commands and replies, not just the credentials. And because TACACS+ separates authorization, it can approve or deny each command a network admin types, which RADIUS was never designed to do well. That separation is why device administration leans on TACACS+ and network access leans on RADIUS.<\/p>\n\n

Configure AAA on a Cisco router<\/h2>\n\n

Everything AAA starts with one command. aaa new-model<\/code> switches the device from the legacy line-password model to AAA method lists:<\/p>\n\n\n

configure terminal\naaa new-model<\/code><\/pre>\n\n\n
Next, define the servers. Modern IOS uses a named server block for each one, with the shared key the NAS and server must both agree on:<\/p>\n\n\n
radius server RAD1\n address ipv4 10.10.10.10 auth-port 1812 acct-port 1813\n key RadSecret123\n exit\ntacacs server TAC1\n address ipv4 10.10.10.20\n key TacSecret123\n exit<\/code><\/pre>\n\n\n
The key<\/code> is a shared secret, not a hash, and it appears in clear text in the config unless you turn on service password-encryption<\/code>, so treat it like any other credential. With the servers defined, point the method lists at them and keep local<\/code> as a fallback:<\/p>\n\n\n
aaa authentication login default group tacacs+ local\naaa authorization exec default group tacacs+ local\naaa accounting exec default start-stop group tacacs+<\/code><\/pre>\n\n\n
Each method list reads left to right. The login list tries the TACACS+ group first and falls back to the local database only if no server answers, which is the safety net that keeps you from being locked out. A server that is reachable but rejects your credentials does not fall through to local; the fallback fires only when the server is unreachable, not when it says no. Verify the AAA framework after configuring it:<\/p>\n\n\n
\"Cisco<\/figure>\n\n\n
The output confirms aaa new-model<\/code> is on and shows the three method lists, each using group tacacs+<\/code> with a local<\/code> fallback. The server definitions carry the ports that separate the two protocols on the wire:<\/p>\n\n\n
\"Cisco<\/figure>\n\n\n
The RADIUS server shows its auth and accounting ports, 1812 and 1813, while the TACACS+ server uses the single TCP port 49. Actually authenticating a user still needs a reachable RADIUS or TACACS+ server holding the accounts; the configuration above is the client side that every Cisco device needs before it can ask one.<\/p>\n\n
When to use RADIUS and when to use TACACS+<\/h2>\n\n
The choice follows the job. Reach for TACACS+ for device administration<\/strong>: logging engineers into routers, switches, and firewalls over SSH<\/a>, where per-command authorization and full-packet encryption matter, and where the audit trail of who typed what is the point. Reach for RADIUS for network access<\/strong>: authenticating end users and devices onto the network through 802.1X on wired and wireless<\/a>, VPN logins, and any multivendor environment, because RADIUS is an open standard that nearly everything speaks. Many networks run both, TACACS+ for the admins and RADIUS for the users, against the same identity store.<\/p>\n\n
Practice AAA, RADIUS, and TACACS+<\/h2>\n\n
Run the questions to lock in the three A’s, the RADIUS-versus-TACACS+ differences, and the configuration commands, then use the flashcards for quick recall.<\/p>\n\n
Loading quiz...<\/div><\/div>\n\n\n
Flip through the deck until the ports and differences are automatic, or grab the Anki pack to review them anywhere:<\/p>\n\n
Loading flashcards...<\/div><\/div>\n\n\n
The AAA mistake that locks out everyone<\/h2>\n\n
The most common AAA failure is configuring aaa authentication login default group tacacs+<\/code> with no local<\/code> fallback, then watching every login fail the moment the server is unreachable, including yours. Always end the method list with local<\/code> (or enable<\/code>) so a server outage degrades to local accounts instead of a total lockout, and keep a console session open while you test, exactly as with base device configuration<\/a>. The other classic trip-up is a shared key that does not match on both ends: the server silently rejects the request and the NAS reports an authentication failure that looks like a wrong password. With AAA centralizing identity, the CCNA 200-301 study roadmap<\/a> shows where the rest of the Security Fundamentals topics fit.<\/p>\n","protected":false},"excerpt":{"rendered":"
AAA explained and compared: authentication, authorization, accounting, and RADIUS vs TACACS+ ports, transport, and encryption, with Cisco AAA configuration.<\/p>\n","protected":false},"author":3,"featured_media":169445,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[299,55],"tags":[524,525],"cfg_series":[39888],"class_list":["post-169446","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to","category-networking","tag-ccna","tag-cisco","cfg_series-ccna-200-301"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/169446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=169446"}],"version-history":[{"count":1,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/169446\/revisions"}],"predecessor-version":[{"id":169447,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/169446\/revisions\/169447"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/169445"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=169446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=169446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=169446"},{"taxonomy":"cfg_series","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/cfg_series?post=169446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}