Although AAA was designed to centralize access control, it still requires configuration on each
and every network device. Fortunately, after AAA is configured, there are few instances when
the administrator will need to alter its configuration—for example, when the encryption key is
changed. Aside from such minor alterations, all changes—including those for user accounts—
are invoked at the security server. This configuration process lets the router or access device
know about the type of security to be used, the location of the security server, and the passwords
or other information needed to facilitate communications.
In addition to these configuration commands, the administrator must establish
network-level connectivity between the access device and the security server.
This might require access list modification or route entries.
Table 32.3 outlines some of the AAA commands, including those for authentication and
accounting. The configurations that relate to these commands are shown later in this section.
Overview of AAA Commands and Configuration
Command Description
aaa new-model Enables AAA services on the router. new-model reflects changes from
the initial implementation, which is no longer supported. In the
absence of other AAA commands, the local database will be used for
username and password. If no database is present and no other AAA
method is specified, this command will lock out the router.
aaa authentication
login default tacacs+
enable
Configures TACACS+ to be the default method used for login-level
access. If TACACS+ is unavailable, use the local enable password.
aaa authentication
enable default
tacacs+ enable
Configures TACACS+ to be the default method used for enable-level
access. If TACACS+ is unavailable, use the local enable password.
aaa accounting exec
start-stop tacacs+
Configures the accounting process, logging the start and stop times
of each exec session access.
tacacs-server host
10.1.98.36
Specifies the IP address of the TACACS+ server. The singleconnection
parameter can be used to improve performance by
maintaining a single TCP session as opposed to starting a separate
session for each authentication.
tacacs-server key
tjelkprp
Specifies the encryption key to be used for communications between
the router and TACACS+ server.