AAA, TACACS+, and RADIUS
AAA controls who can log in and what privilege they receive. netverdict models local users and external TACACS+/RADIUS-style services so management and security labs can reason about access outcomes.
Support level
| Area | Level | Notes |
|---|---|---|
| Local users | Supported | Username, password/secret, privilege. |
| AAA method lists | Behaviour model | Login/enable authorization through configured methods. |
| TACACS+ | Behaviour model | External service outcome, not full wire protocol. |
| RADIUS | Behaviour model | External auth outcome, not full packet exchange. |
| Command authorization | Partial | Supported where executor paths expose it. |
Standards coverage
| Standard | Coverage | Notes |
|---|---|---|
| RADIUS RFC 2865 | Partial | Authentication concept only. |
| TACACS+ | Behaviour model | Cisco-style AAA service semantics. |
Feature matrix
| Feature | Status | Notes |
|---|---|---|
| `username` | Supported | Local credential. |
| `aaa new-model` | Supported | Enables AAA mode. |
| Login method list | Supported | Local/group fallback. |
| Enable authentication | Partial | Supported subset. |
| TACACS server | Behaviour model | Server config and result. |
| RADIUS server | Behaviour model | Server config and result. |
| Privilege level | Supported | Affects CLI authorization where modelled. |
Vendor command matrix
| Command | IOS-style | Junos-style | VyOS-style | Notes |
|---|---|---|---|---|
| `aaa new-model` | Supported | n/a | n/a | AAA enable. |
| `username admin privilege 15 secret ...` | Supported | Partial | Partial | Local user. |
| `aaa authentication login default group tacacs+ local` | Supported | n/a | Partial | Method list. |
| `tacacs server TAC1` | Supported | n/a | Partial | TACACS service. |
| `radius server RAD1` | Supported | n/a | Partial | RADIUS service. |
| `show aaa servers` | Supported | n/a | Partial | Server state. |
Behaviour notes
AAA decisions are deterministic service outcomes, which makes login and authorization labs reproducible without running real TACACS+ or RADIUS daemons.
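The fall-through rule behind a method list such as `aaa authentication login default group tacacs+ local`, as an added example (not netverdict code): on IOS-style devices the next method is consulted only when the previous one returns an error such as a timeout, never after an explicit reject. `Outcome`, `fixed_service`, `evaluate` and `login_default` are hypothetical names, and the user table is constructed sample data.

```python
# Added illustration of IOS-style method-list evaluation with fixed outcomes.
# Every name below is hypothetical; none of this is netverdict's API.
import hmac
from enum import Enum

class Outcome(Enum):
    PASS = "pass"    # service answered: credentials accepted
    FAIL = "fail"    # service answered: credentials rejected
    ERROR = "error"  # service unreachable or timed out

# Constructed sample data mirroring the lab user on this page.
LOCAL_USERS = {"admin": {"secret": "lab", "privilege": 15}}

def local_method(user, password):
    entry = LOCAL_USERS.get(user)
    if entry and hmac.compare_digest(entry["secret"].encode(), password.encode()):
        return Outcome.PASS, entry["privilege"]
    return Outcome.FAIL, None

def fixed_service(outcome, privilege=None):
    """Stand-in for a TACACS+/RADIUS group that always returns one outcome.
    Simplification: a PASS carries the privilege level directly."""
    def method(user, password):
        return outcome, (privilege if outcome is Outcome.PASS else None)
    return method

def evaluate(method_list, user, password):
    """Walk the list in order. Only ERROR falls through to the next method;
    an explicit FAIL is final, so 'local' is no second chance after a reject."""
    trail = []
    for name, method in method_list:
        outcome, privilege = method(user, password)
        trail.append((name, outcome.value))
        if outcome is Outcome.PASS:
            return True, privilege, trail
        if outcome is Outcome.FAIL:
            return False, None, trail
    return False, None, trail  # every method errored: deny

def login_default(tacacs_outcome, user, password, tacacs_priv=15):
    # Models: aaa authentication login default group tacacs+ local
    methods = [("group tacacs+", fixed_service(tacacs_outcome, tacacs_priv)),
               ("local", local_method)]
    return evaluate(methods, user, password)
```

The returned trail records which methods were consulted, which is the detail to check when a lab expects local fallback and the login is denied instead.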
Examples
Canonical example
```
configure terminal
aaa new-model
username admin privilege 15 secret lab
aaa authentication login default local
line vty 0 4
 login authentication default
end
```
Vendor styles
IOS-style
```
aaa new-model
username admin privilege 15 secret lab
aaa authentication login default group tacacs+ local
tacacs server TAC1
 address ipv4 192.0.2.20
 key lab
```
Junos-style
```
set system login user admin class super-user authentication plain-text-password
set system tacplus-server 192.0.2.20 secret lab
set system authentication-order tacplus
```
VyOS-style
```
set system login user admin authentication plaintext-password lab
set system tacplus-server 192.0.2.20 secret lab
```
Known limits
Real RADIUS/TACACS+ packet exchange, accounting records, downloadable ACLs, per-command authorization parity, and encryption details are not fully modelled.