Toby Arnett
Jan 27, 2019

AAA Commands Explained

Enables AAA commands to be used.


aaa new-model

This displays the default banner message if no aaa auth banner is present. Uses the authentication groups that follow the default statement. Uses the listed servers for the tacacs profile. Ensures that the username is case-sensitive

aaa authentication login default group tacacs+ local-case

This will put the login user to the enable prompt if authenticated (enable default). Uses all the servers in listed in the tacacs profiles (group tacacs+). Attempts the enable password found in the tacacs to login to the enable prompt. (enable)

aaa authentication enable default group tacacs+ enable

Runs accounting on the exec shell session. Uses the authentication groups that follow the default statement. There is a start and stop notice provided to either the start or end of the process respectively. Uses the listed servers for the tacacs profile

aaa accounting exec default start-stop group tacacs+

Runs accounting on all privilege level 1 commands. Uses the authentication groups that follow the default statement. There is a start and stop notice provided to either the start or end of the process respectively. Uses the listed servers for the tacacs profile. 

aaa accounting commands 1 default stop-only group tacacs+

Runs accounting on all privilege level 15 commands. Uses the authentication groups that follow the default statement. There is a start and stop notice provided to either the start or end of the process respectively. Uses the listed servers for the tacacs profile. 

aaa accounting commands 15 default stop-only group tacacs+

This listed method is used only if all the previously defined methods fail. If at anytime in the above process a “deny” is sent then this process is not used. The exec trigger is specifying that the authorized user will have exec level privs. Uses the authentication groups that follow the default statement. Uses the listed servers for the tacacs profile. This is where the router or server will look for any locally defined users from the username commands.

aaa authorization exec default group tacacs+ local


0 comments