Cisco CCNA Packet Tracer Ultimate labs: AAA Lab. Can you configure TACACS and RADIUS?

Packet Tracer file (PT Version 7.1):

Two prominent security protocols used to control access into networks are Cisco TACACS+ and RADIUS. The RADIUS specification is described in RFC 2865, which obsoletes RFC 2138. Cisco is committed to supporting both protocols with the best of class offerings. It is not the intention of Cisco to compete with RADIUS or influence users to use TACACS+. You should choose the solution that best meets your needs. This document discusses the differences between TACACS+ and RADIUS, so that you can make an informed choice.

Cisco has supported the RADIUS protocol since Cisco IOS® Software Release 11.1 in February 1996. Cisco continues to enhance the RADIUS Client with new features and capabilities, supporting RADIUS as a standard.

Cisco seriously evaluated RADIUS as a security protocol before it developed TACACS+. Many features were included in the TACACS+ protocol to meet the needs of the growing security market. The protocol was designed to scale as networks grow, and to adapt to new security technology as the market matures. The underlying architecture of the TACACS+ protocol complements the independent authentication, authorization, and accounting (AAA) architecture.

RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:

TCP usage provides a separate acknowledgment (a TCP acknowledgment) that a request has been received, within approximately one network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism might be.

TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.

Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.

TCP is more scalable and adapts to growing, as well as congested, networks.


In this lab, you need to configure both TACACS and RADIUS authentication on router 1, router 2 and switch 1.

In this Packet Tracer topology, we have a TACACS and RADIUS server which you need to configure for AAA (triple A) authentication.

So on the AAA server, you need to enable the AAA service and configure router 1, router 2 and switch 1 as clients.

In this lab, router 1 and switch 1 will use the TACACS protocol.
Router 2 will be configured to use RADIUS.

So you need to add the three clients with their details as well as add a username for authentication. Use your own name as the username and a password of cisco.

In the solution video, as an example, I’m simply going to use my name, David, as the username. Make sure that you configure router 1 for AAA authentication for both login and enable using TACACS with the AAA server.

This AAA server is configured with this IP address.
So that’s the IP address you need to configure on router 1 for both login and enable authentication. When you test this, you should be prompted for your username when you log in to the console as well as when you type enable. Make sure that you use local authentication as a backup in case the AAA server is not available. Use a backup username of backup and a password of cisco.

You then need to test that you can log in using your own name.
So essentially on all three devices, you’re going to configure the AAA server and ensure that you can log in to these three devices using your username and password, which is not configured on these devices but is configured on the TACACS and RADIUS server.

So make sure that you can log in to router 1.
Do something similar with router 2 but use RADIUS as the authentication protocol. You’ll also configure switch 1 using TACACS and again make sure that you can log in with your username and password….

  • David Bombal
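
The lab's requirement that each device tries the AAA server first and falls back to local authentication can be checked mechanically. The following is an added example, not part of the lab file or the solution video: a small Python audit of IOS-style configuration text for the default login method list. The sample configurations are constructed, and `192.0.2.10` and `PLACEHOLDER_KEY` are placeholders, because the page gives neither the server address nor a shared key.

```python
# Added example: audit IOS-style config text for the lab's login AAA requirements.
# The configs below are constructed samples. 192.0.2.10 and PLACEHOLDER_KEY are
# placeholders: the page does not give the AAA server address or a shared key.
R1_WITH_FALLBACK = """\
aaa new-model
username backup password cisco
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""

R2_NO_FALLBACK = """\
aaa new-model
radius-server host 192.0.2.10 key PLACEHOLDER_KEY
aaa authentication login default group radius
"""


def audit_login_aaa(config, protocol):
    """Return findings for the default login method list.

    protocol is "tacacs+" or "radius", the server group the device should use.
    """
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is not enabled")
    # "tacacs+" maps to the "tacacs-server host" command, "radius" to "radius-server host".
    server_prefix = protocol.rstrip("+") + "-server host "
    if not any(line.startswith(server_prefix) for line in lines):
        findings.append("no " + protocol + " server defined")
    prefix = "aaa authentication login default "
    methods = next((l[len(prefix):].split() for l in lines if l.startswith(prefix)), None)
    if methods is None:
        findings.append("no default login method list")
        return findings
    if methods[:2] != ["group", protocol]:
        findings.append("first login method is not group " + protocol)
    # Without "local" after the group, an unreachable server locks everyone out.
    if "local" not in methods[2:]:
        findings.append("no local fallback after the server group")
    elif not any(line.startswith("username ") for line in lines):
        findings.append("local fallback set but no local username exists")
    return findings


if __name__ == "__main__":
    print("R1:", audit_login_aaa(R1_WITH_FALLBACK, "tacacs+"))
    print("R2:", audit_login_aaa(R2_NO_FALLBACK, "radius"))
```

The second sample is flagged because its method list stops at the RADIUS group, so a login attempt while the server is unreachable has no method left to try.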