AAA Authentication on Cisco IOS

Hello David

You’re correct in saying that RADIUS combines authentication and authorization. When a user is authenticated, RADIUS does pass on the authorization parameters.

As for your question regarding RADIUS not being capable of accounting for Cisco CLI commands, it’s not exactly that RADIUS can’t do it, but rather that it’s not designed to do so. RADIUS was primarily designed to provide centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service, but, and this is key, it’s not specifically designed to log every single command that a user types into a Cisco device.

However, you can configure Cisco devices to send accounting information to a RADIUS server. This includes start-stop records, system events like reloads or reboots, and network service events like PPP or ARAP. But it doesn’t include command-level accounting, which is where TACACS+ comes in.

TACACS+ is another AAA protocol that does support command accounting. This means that TACACS+ can log every command entered by a user, providing a higher level of detail than RADIUS. This is why many organizations choose to use TACACS+ for device administration and RADIUS for network access.

I hope this has been helpful!

Laz
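The split described in the reply above (TACACS+ for device administration and per-command accounting, RADIUS for exec/network/system start-stop records) can be expressed as a single Cisco IOS AAA configuration. The following is an added example, not part of the original post; the server names, addresses and shared secrets are constructed placeholders, and the split into two `aaa group server` groups is one reasonable layout rather than the only one.

```cisco
aaa new-model
!
! Constructed server definitions (addresses and keys are placeholders, not from the post)
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RadiusSharedSecret
!
tacacs server TACACS-1
 address ipv4 192.0.2.20
 key TacacsSharedSecret
!
aaa group server radius RADIUS-SERVERS
 server name RADIUS-1
!
aaa group server tacacs+ TACACS-SERVERS
 server name TACACS-1
!
! Device administration: login and exec/command authorization via TACACS+,
! falling back to the local user database if every TACACS+ server is unreachable
aaa authentication login default group TACACS-SERVERS local
aaa authorization exec default group TACACS-SERVERS local
aaa authorization commands 15 default group TACACS-SERVERS local
!
! Command-level accounting: every privilege-1 and privilege-15 command the
! operator enters is logged. Only TACACS+ supports this kind of record.
aaa accounting commands 1 default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
!
! Session-level accounting that RADIUS does support: exec (shell) sessions,
! network services such as PPP, and system events such as reloads
aaa accounting exec default start-stop group RADIUS-SERVERS
aaa accounting network default start-stop group RADIUS-SERVERS
aaa accounting system default start-stop group RADIUS-SERVERS
!
! Apply the default method lists to the remote-access lines
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

After applying this, `show aaa servers` reports reachability and request counters for each server, and `debug aaa accounting` (on a lab device) shows the command accounting records being sent only to the TACACS+ group while exec start/stop records go to the RADIUS group. Keeping `local` as the last method on the authentication and authorization lists avoids locking administrators out of the device if the AAA servers are unreachable.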