PLANNED
AAA Lab
TACACS+ authentication and authorization with local fallback, privilege levels, and command authorization - modeled after a production ISE/TACACS+ deployment.
COVERAGE
Authentication
- aaa new-model
- TACACS+ as primary method
- Local as fallback
- Login and enable authentication
- SSH-only access (no telnet)
Authorization
- Command authorization per privilege level
- Exec authorization
- Network authorization
- ISE policy group mapping
- Fallback to local if TACACS down
Privilege Levels
- Level 1 - read-only show commands
- Level 5 - interface and basic config
- Level 15 - full access
- Custom command sets per level
- privilege exec level assignment
Accounting
- Exec session accounting
- Command accounting
- Start-stop vs stop-only
- Accounting to TACACS+ server
- Verify with show accounting
NOTES
Modeled after the production TACACS+ setup used at Pace University with Cisco ISE as the TACACS+ server. The lab simulates the same tiered access model - helpdesk gets read-only, network team gets operational access, senior engineers get full privilege 15. Local fallback ensures access is maintained if ISE is unreachable.
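A starting IOS configuration for the coverage items and tiered model above, as an added sketch rather than the lab's or the production deployment's own config. The names ISE-LAB, ISE-GROUP and labadmin, the documentation address 192.0.2.10, and the bracketed secrets are placeholders assumed for illustration.

```cisco
! Constructed lab values: ISE-LAB, ISE-GROUP, labadmin, 192.0.2.10, <...> secrets
aaa new-model
!
! Local break-glass account and enable secret for the fallback path
username labadmin privilege 15 secret <LOCAL-SECRET>
enable secret <ENABLE-SECRET>
!
tacacs server ISE-LAB
 address ipv4 192.0.2.10
 key <SHARED-KEY>
 timeout 5
!
aaa group server tacacs+ ISE-GROUP
 server name ISE-LAB
!
! Authentication: TACACS+ first; local/enable is tried only when the
! server does not respond, not when it rejects the credentials
aaa authentication login default group ISE-GROUP local
aaa authentication enable default group ISE-GROUP enable
!
! Authorization: exec shell, network, and commands at each lab tier
aaa authorization exec default group ISE-GROUP local if-authenticated
aaa authorization network default group ISE-GROUP local
aaa authorization commands 1 default group ISE-GROUP local if-authenticated
aaa authorization commands 5 default group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
! Also send configuration-mode commands to the server for authorization
aaa authorization config-commands
!
! Accounting: start-stop logs a record at start and end, stop-only at end
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default stop-only group ISE-GROUP
aaa accounting commands 5 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
!
! Level 5 (network team): interface and basic config moved down from 15
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege interface level 5 description
!
! SSH-only management access (no telnet)
line vty 0 4
 transport input ssh
```

Keep an existing console session open while applying the authorization lines, so a mistake in the method lists does not lock out the device.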