I'll admit to not having done a thorough verification. However, I'd still bet money that AAA/RBAC services are more frequently mentioned on Cisco certification blueprints than any other networking topic. From the CCNA to the Expert level, you'll find AAA, TACACS+, RADIUS, and RBAC listed on the exam topics.

Here is a handful of examples if you'd like to check it out yourself:

• 200-301 CCNA
  • 2.8 Describe AP and WLC management access connections (Telnet, SSH, HTTP, HTTPS, console, and TACACS+/RADIUS)
  • 5.8 Differentiate authentication, authorization, and accounting concepts
• 350-401 ENCOR
  • 5.1 Configure and verify device access control
• 300-410 ENARSI
  • 3.1 Troubleshoot device security using IOS AAA (TACACS+, RADIUS, local database)
• 300-430 ENWLSI
  • 8.1 Implement device access controls (including RADIUS and TACACS+)
• 350-701 SCOR
  • 2.7 Configure AAA for device and network access such as TACACS+ and RADIUS
• 300-715 SISE
  • 7.0 Network Access Device Administration
• 350-601 DCCOR
  • 5.xa Apply network|5.xb Troubleshooting network|compute|storage security -AAA and RBAC|storage security -AAA and RBAC|compute|storage security -AAA and RBAC
• 300-615 DCIT
  • 5.xb Troubleshooting network|compute|storage security -AAA and RBAC
• 350-501 SPCOR
  • 1.6b Describe management plane security -AAA and TACACS
• 300-540 SPCNI
  • 4.1e Implement infrastructure security -TACACS

OMG.That's 10 different certifications from Associate to Professional where these topics show up. You'll also find them on Expert-level exams, such as the Enterprise Infrastructure, Enterprise Wireless, Security, Service Provider, and Data Center labs. (If anyone out there can find another topic with as broad a coverage, please let me know in the comments. I'd love to know what I've overlooked so far.)

Visit the Cisco Learning Network to view the exam topics for all Cisco certification exams. View exam topics

Okay... it's definitely important... but what isAAA?

AAA is an important topic, but it's one that even long-time network engineers may not fully understand. So before we see it in action, how about a quick overview of what the "triple A's" mean?

In the "AAA in Action!" comic, Carl experiences the entire AAA process:

• The first "A" stands forAuthentication. We see this represented when Carl is prompted toverify his identitybefore he is allowed to make a change to the network.
• The second "A" stands forAuthorization.Even after the network verifies Carl's identity, he has tocheck whether he has the right(s) to make this change, based on which rights he has been granted on the network.
• And the third and final "A" stands for Accounting, which Carl sees in action whenthe network logs the changehe makes to the network.

TACACS comes into the picture to support the centralized management of users, roles, and logs (authentication, authorization, and accounting). While each network device could be locally configured to handle AAA, this doesn't scale well for enterprises. A better solution is for each network device to communicate with a central "server" for these actions. TACACS is a protocol that network devices and servers use to communicate and handle each of the "A's." A "TACACS Server" is a software application that supports the TACACS protocol.

Can we get to theExploration,already?!

Now that we understand the critical role that AAA plays in a network (and that it is an essential topic across many certifications), I'd like to show you how to study and prepare for it using my favorite network simulation/virtualization tool: Cisco Modeling Labs (CML). Because I'm all about sharing my exploration activities, I posted a couple of CML topology files on GitHub in the CML-community repository under Cisco DevNet.

You'll see that one CML topology includes just an IOL router, while another adds a Nexus 9000v switch to cover data center platforms as well. So, after you've read this blog post, definitely download the topologies and explore them yourself.

How to run a TACACS Server in Cisco Modeling Labs

Before you can configure TACACS on a switch or router, you must have a TACACS server available in the network. A common TACACS server for a production network is Cisco ISE, a full "identity services engine" for device administration, network access, wireless security, VPN access, and more.

Cisco ISE is an important product and topic for network engineers. In fact, we have a certification exam dedicated to it. And while you can add Cisco ISE to a CML node library using the node definition available at the CML-Community, running a full ISE server in the topology can feel overkill when the focus is just on configuring TACACS for device administration.

Thankfully, there are lightweight alternatives. My go-to option is the open-source "tac_plus" application that has been available for many years. Tac_plus is a basic Linux application that can be downloaded and installed on most Linux distributions. While active development of the project seems to have stalled, it works great and continues to be an excellent option for cases such as this.

If you look at the image of the CML topology, you'll see "aaa-server" on the left-hand side of the diagram. This is a standard Ubuntu node from the CML reference platforms, with a starting configuration setup to install tac_plus and configure it as a basic TACACS server. Feel free to go and check out the configuration in the topology file for full details, but here are the basics of what I did to build my TACACS server:

1. Install the requirements to download and install the tac_plus application from source code.
2. Create the "tac_plus.conf" configuration file to specify the TACACS secret key, users, and roles/privilege levels for both IOS and NX-OS platforms.
3. Create a "tac_plus.service" file to setup tac_plus as a service.
4. Download, extract, install, and start the tac_plus server.

With the installation and configuration of the aaa-server part of the base CML topology file, tac_plus will be running and ready to take requests as soon as the lab is started.

cisco@aaa-server:~$systemctl status tac_plus