
AAA (Authentication, Authorization and Accounting) is a network security management mechanism that provides three security functions: authentication, authorization and accounting.

Authentication: Confirms the identity of remote users accessing the network to determine whether the visitor is a valid network user.

Authorization: Grants different permissions to different users and restricts the services that users can use. For example, after the user successfully logs in to the server, the administrator can authorize the user to execute CLI commands.

Accounting: Records all operations of users using network services, including the type of service used, starting time, data traffic, etc. It is not only a means of billing but also a way to monitor network security.

PICOS supports TACACS+, RADIUS and local authentication methods. TACACS+ (Terminal Access Controller Access Control System) is a security protocol that enhances the original TACACS protocol. The protocol is similar to the RADIUS protocol: it uses the client/server model for communication between the NAS and the TACACS+ server to implement AAA management of users.

TACACS+/RADIUS Authentication and Authorization Process

This section describes TACACS+/RADIUS authentication and authorization in PICOS 2.11.7 and later versions.

|  | TACACS+/RADIUS server is reachable and TACACS+/RADIUS service is configured | TACACS+/RADIUS server is unreachable or TACACS+/RADIUS service is not configured |
|---|---|---|
| Console Login | Login is allowed only if authentication from the TACACS+ server passes. After successful login, if the TACACS+ server goes down, the user will be logged out and asked to re-log in. | Generate a syslog and fall back to local authentication. Login is allowed if local authentication passes. After successful login, local authorization will be performed. |
| Network (INTERFACE/VLAN/MGMT Port/INBAND) Login | Login is allowed only if authentication from the TACACS+ server passes. After successful login, if the TACACS+ server goes down, the user will be logged out and asked to re-log in. | By default, generate a syslog and do nothing else. The user can enable the local authentication fallback function to fall back to local authentication and authorization in this case. For details about the local authentication fallback function, see set system aaa local-auth-fallback disable. |

Console Login:

  •   If the TACACS+/RADIUS server is reachable and the TACACS+/RADIUS service is configured, the system uses the TACACS+/RADIUS server for authentication. Access is denied on failure. After successful login, if the TACACS+ server goes down, the user will be logged out and asked to re-log in.
  •   If the TACACS+/RADIUS server is unreachable or the TACACS+/RADIUS service is not available, the system generates a syslog and uses the local user/passwd file for authentication. After successful login, local authorization will be performed.

Network (INTERFACE/VLAN/MGMT Port/INBAND) Login:

  •   If the TACACS+/RADIUS server is reachable and the TACACS+/RADIUS service is configured, the system uses the TACACS+/RADIUS server for authentication. Access is denied on failure. After successful login, if the TACACS+ server goes down, the user will be logged out and asked to re-log in.
  •   If the TACACS+/RADIUS server is unreachable or the TACACS+/RADIUS service is not available, by default, the system generates a syslog and does nothing else. However, the user can configure the local authentication fallback function to perform local authentication and authorization. For details about the local authentication fallback function, see set system aaa local-auth-fallback disable.
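
The login rules above, modelled as a decision function for auditing which device states accept a local password. This is an added example, not PICOS code; the names `AaaState`, `fallback_enabled`, `login_decision` and `local_credential_exposure` are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

CONSOLE, NETWORK = "console", "network"

@dataclass(frozen=True)
class AaaState:
    server_reachable: bool    # TACACS+/RADIUS server answers the switch
    service_configured: bool  # TACACS+/RADIUS service is configured
    fallback_enabled: bool    # assumed name: local-auth-fallback switched on

def login_decision(path, state, remote_ok, local_ok):
    """Return (allowed, auth_source, fallback_syslog) for one login attempt."""
    if state.server_reachable and state.service_configured:
        # The remote server is authoritative; a rejection is final.
        return (remote_ok, "remote", False)
    # Server unreachable or service not configured: a syslog is generated.
    if path == CONSOLE or state.fallback_enabled:
        # Console always falls back; network logins only when configured to.
        return (local_ok, "local", True)
    # Network login with fallback at its default: syslog and nothing else.
    return (False, None, True)

def local_credential_exposure():
    """Every (path, state) where a valid local password alone grants access."""
    exposed = []
    for path, reach, conf, fb in product(
            (CONSOLE, NETWORK), (True, False), (True, False), (True, False)):
        state = AaaState(reach, conf, fb)
        allowed, _, _ = login_decision(path, state, remote_ok=False, local_ok=True)
        if allowed:
            exposed.append((path, state))
    return exposed

if __name__ == "__main__":
    # Print the states in which local accounts are the effective gate.
    for path, state in local_credential_exposure():
        print(f"{path:8} {state}")
```

Every network entry in the result has fallback enabled, while the console entries appear whenever the server is unreachable or the service is not configured.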
