CCNA Lab 3: TACACS+ and RADIUS Authentication on Switches

Managing local passwords on 50 switches does not scale. AAA (Authentication, Authorization, Accounting) centralizes access control. TACACS+ and RADIUS are the two protocols used, and they serve different purposes.

TACACS+ vs RADIUS

Feature         TACACS+                        RADIUS
Transport       TCP (port 49)                  UDP (ports 1812/1813)
Encryption      Entire packet body encrypted   Only the password attribute encrypted
Authorization   Yes, per-command               Limited
Accounting      Yes, detailed                  Yes, basic
Best for        Device administration          Network access (802.1X, VPN)

Rule of thumb: TACACS+ for switch/router admin access, RADIUS for end-user network access.
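The Encryption row is the one that matters most for a security engineer, so here is an added worked example (not from the lab page) of what it means on the wire. RADIUS hides only the User-Password attribute, using the RFC 2865 scheme (MD5 of the shared secret and the Request Authenticator, XORed with the password in 16-byte blocks); User-Name and everything else is cleartext. TACACS+ XORs the whole packet body with the RFC 8907 pseudo-pad derived from session_id, shared secret, version and seq_no, so the username and the command being authorized are hidden too. The shared secrets are the ones used in this lab; the Request Authenticator and session_id are constructed constants (real ones are random per request and per session).

```python
"""Added example: RADIUS hides only the password, TACACS+ hides the whole body.

RADIUS:  RFC 2865 section 5.2 User-Password hiding.
TACACS+: RFC 8907 section 4.5 body obfuscation.
Secrets are the lab values; authenticator and session_id are constructed.
"""
import hashlib
import struct


def radius_hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Return the obfuscated User-Password value (RFC 2865 s5.2)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16-byte blocks
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()   # b_n = MD5(S + c_(n-1))
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                                      # chain on the ciphertext block
    return out


def radius_reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Invert radius_hide_password; this is what the RADIUS server does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR body with the RFC 8907 s4.5 pseudo-pad. Symmetric: apply again to recover."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()   # MD5_n = MD5(seed + MD5_(n-1))
        pad += prev
    return bytes(b ^ k for b, k in zip(body, pad))


def demo() -> dict:
    """Build one RADIUS attribute list and one TACACS+ authentication START body
    and report which fields a passive observer on the wire could read."""
    user, password = b"admin", b"StrongPass"

    # RADIUS: attributes are TLVs (type, length, value). Only type 2 is hidden.
    radius_secret = b"MyRadiusKey123!"
    request_auth = bytes(range(16))           # constructed; a real one is random
    hidden = radius_hide_password(radius_secret, request_auth, password)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden

    # TACACS+: authentication START body (RFC 8907 s5.1), then obfuscated whole.
    # Fields: action=LOGIN, priv_lvl=15, authen_type=ASCII, service=LOGIN,
    # user_len, port_len, rem_addr_len=0, data_len=0, then user and port.
    tacacs_key = b"MyTacacsKey123!"
    port = b"tty0"
    body = bytes([1, 15, 1, 1, len(user), len(port), 0, 0]) + user + port
    session_id = 0x12345678                    # constructed; a real one is random
    wire = tacacs_obfuscate(tacacs_key, session_id, 0xC0, 1, body)

    return {
        "radius_username_visible": user in attrs,
        "radius_password_visible": password in attrs,
        "tacacs_username_visible": user in wire,
        "tacacs_body_recovered": tacacs_obfuscate(tacacs_key, session_id, 0xC0, 1, wire) == body,
    }


if __name__ == "__main__":
    for field, visible in demo().items():
        print(f"{field}: {visible}")
```

Running `demo()` shows the RADIUS username readable and the password not, and nothing readable in the TACACS+ body. Both schemes are MD5-based keystreams rather than modern authenticated encryption, which is why device-admin traffic for either protocol belongs on a dedicated management network.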

Configuring TACACS+ (for Switch Administration)

1. Configure the AAA Server

tacacs-server host 192.168.1.100
 key MyTacacsKey123!

Or using the newer syntax:

aaa new-model
 
tacacs server TACACS-1
 address ipv4 192.168.1.100
 key MyTacacsKey123!
 
tacacs server TACACS-2
 address ipv4 192.168.1.101
 key MyTacacsKey123!

2. Define AAA Methods

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
 
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Breakdown:

  • authentication login: who can log in
  • authentication enable: who can run enable
  • authorization exec: what shell access they get
  • authorization commands 15: which privilege 15 commands they can run
  • accounting exec: log when sessions start/stop
  • accounting commands 15: log every command executed

3. Fallback to Local

The local keyword at the end of the method list means: if no TACACS+ server responds, fall back to the local user database. This prevents lockouts, with two caveats. Fallback happens only when the servers are unreachable; an explicit reject from the server is final and local is never tried. And it only helps if a local account actually exists, so keep a username with privilege 15 and a secret configured on the switch.

aaa authentication login default group tacacs+ local

4. Configure Console Access

line con 0
 login authentication default

Configuring RADIUS (for Network Access / 802.1X)

radius server RADIUS-1
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key MyRadiusKey123!
 
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
 
dot1x system-auth-control

Creating the ACS Server (Linux with FreeRADIUS)

Install FreeRADIUS on a Linux server:

apt install freeradius freeradius-utils

Edit /etc/freeradius/3.0/clients.conf:

client 192.168.0.0/16 {
    secret = MyRadiusKey123!
    shortname = network-devices
}

Add users in /etc/freeradius/3.0/users:

admin    Cleartext-Password := "StrongPass"
         Service-Type = NAS-Prompt-User,
         Cisco-AVPair = "shell:priv-lvl=15"

netop    Cleartext-Password := "NetopPass"
         Service-Type = NAS-Prompt-User,
         Cisco-AVPair = "shell:priv-lvl=5"

Restart:

systemctl restart freeradius

Verification

test aaa group tacacs+ admin StrongPass new-code
test aaa group radius admin StrongPass new-code
 
show aaa servers
show tacacs
show radius statistics

AAA Debugging

debug aaa authentication
debug aaa authorization
debug tacacs
debug radius

Always disable debug when done, since it floods the console:

undebug all

Common Pitfalls

Issue                        Cause                          Fix
Authentication fails         Wrong shared key               Confirm key matches on both sides
No fallback on server down   Missing local in method list   Add local after group tacacs+
Commands not logged          No accounting configured       Add accounting commands 15
Locked out                   AAA misconfig                  Reload via console or break into ROMMON
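Most of these pitfalls are visible in the running-config before anyone gets locked out. As an added example (not part of the lab, and not a Cisco tool), the following Python lint reads an IOS config as text and flags the conditions from the table and from the fallback section above: a server block without a shared key, a login/exec/command method list without local fallback (or with local listed before the server group, which silently bypasses the server), local fallback with no local username to fall back to, missing command accounting, and a missing aaa new-model. SAMPLE_CONFIG is a constructed config with deliberate gaps.

```python
"""Added AAA config lint for the pitfalls described on this page (not from the page).

Feed it 'show running-config' output as a string; it returns a list of findings.
SAMPLE_CONFIG is constructed from the lab commands with deliberate mistakes.
"""
import re
from typing import List

SAMPLE_CONFIG = """\
aaa new-model
!
tacacs server TACACS-1
 address ipv4 192.168.1.100
!
tacacs server TACACS-2
 address ipv4 192.168.1.101
 key MyTacacsKey123!
!
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
line con 0
 login authentication default
"""

# Method lists whose last resort should be the local user database.
LOCAL_FALLBACK_LISTS = ("authentication login", "authorization exec", "authorization commands 15")


def lint_aaa(config: str) -> List[str]:
    lines = config.splitlines()
    findings: List[str] = []

    if "aaa new-model" not in (line.strip() for line in lines):
        findings.append("'aaa new-model' missing: the method lists are not applied")

    # Server blocks: 'tacacs server NAME' / 'radius server NAME' followed by indented lines.
    i = 0
    while i < len(lines):
        m = re.match(r"^(tacacs|radius) server (\S+)$", lines[i])
        if m:
            block = []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                block.append(lines[i].strip())
                i += 1
            if not any(b.startswith("key ") for b in block):
                findings.append(f"{m.group(1)} server {m.group(2)}: no shared key (authentication will fail)")
            continue
        i += 1

    # Local fallback: must be present, must come after the server group, and must have a user to fall back to.
    has_local_user = any(re.match(r"^username \S+ .*\b(secret|password)\b", line) for line in lines)
    list_pattern = re.compile(r"^aaa (" + "|".join(re.escape(x) for x in LOCAL_FALLBACK_LISTS) + r") (\S+) (.+)$")
    uses_local = False
    for line in lines:
        m = list_pattern.match(line)
        if not m:
            continue
        kind, name, methods = m.group(1), m.group(2), m.group(3).split()
        if "local" not in methods:
            findings.append(f"aaa {kind} {name}: no 'local' fallback; an unreachable server locks you out")
            continue
        uses_local = True
        if "group" in methods and methods.index("local") < methods.index("group"):
            findings.append(f"aaa {kind} {name}: 'local' listed before the server group, so the server is never consulted")
    if uses_local and not has_local_user:
        findings.append("'local' fallback configured but no 'username ... secret' exists to fall back to")

    if not any(line.startswith("aaa accounting commands 15") for line in lines):
        findings.append("no 'aaa accounting commands 15': privileged commands are not logged")

    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print("-", finding)
```

On SAMPLE_CONFIG the lint reports four findings: TACACS-1 has no key, the login list has no local fallback, the exec list falls back to local but no username exists, and command accounting is absent. Run it against a saved running-config before pushing an AAA change to a fleet of switches.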

Break-In Procedure (When AAA Fails)

If AAA misconfiguration locks you out:

  1. Connect via console
  2. Reboot the switch
  3. Press Ctrl+Break during boot to enter ROMMON
  4. confreg 0x2142 (skip startup config)
  5. reset
  6. copy startup-config running-config
  7. Fix AAA config
  8. config-register 0x2102
  9. wr