AAA & Access Control

Authentication, Authorization, Accounting — enforced by RADIUS or TACACS+, with 802.1X at the edge.

	RADIUS	TACACS+
Transport	UDP 1812/1813	TCP 49
Encrypts	Password only	Entire payload
AAA	Combines authN + authZ	Separates A / A / A
Standard	Open (RFC 2865)	Cisco proprietary
Best for	Network access (802.1X)	Device admin (CLI)

// facts

AAA = Authentication (who) · Authorization (what) · Accounting (log)
802.1X: supplicant → authenticator (switch) → RADIUS server
EAP carries the authentication conversation
Port security violation modes: protect / restrict / shutdown
Zero Trust: never trust, always verify — per request

// 802.1X roles

Supplicant
client

EAPOL ▶

Authenticator
switch / AP

RADIUS ▶

Auth Server
RADIUS

The port stays in an unauthorized state (only EAPOL allowed) until the server returns Access-Accept.

// EAP methods

EAP-TLS	Certificates on both client & server — strongest
PEAP	Server cert + inner MSCHAPv2 (password)
EAP-TTLS	Server cert + tunneled legacy auth
EAP-FAST	Cisco PAC-based tunnel
LEAP	Cisco legacy — weak, avoid

// port-security modes

protect	Silently drop unknown-MAC frames
restrict	Drop + increment counter / SNMP trap
shutdown	Err-disable the port (default)

802.1x / radius · cisco ios

aaa new-model
radius-server host 10.0.0.100 key MyRadiusKey
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface Gi0/1
 switchport mode access
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x guest-vlan 123
 dot1x auth-fail vlan 456

verify

show dot1x interface Gi0/1
show dot1x statistics
dot1x re-authenticate interface Gi0/1