About Authentication, Authorization, and Accounting (AAA)

  • Authentication: identifies users, validates their credentials, and grants switch access.

  • Authorization: through policy enforcement, controls authenticated users command execution and switch interaction privileges.

  • Accounting: collects and manages user session activity logs for auditing and reporting purposes.

Local AAA on your Aruba switch provides:

  • Authentication using local password or SSH public key.

  • Authorization using role-based access control (RBAC).

  • Accounting of user activity on the switch using accounting logs.

Remote AAA provides the following for your Aruba switch:

  • Authentication using remote AAA servers with either TACACS+ or RADIUS.

  • Authorization using remote AAA servers with TACACS+ fine-grained command authorization. Local RBAC authorization is also possible for both RADIUS and TACACS+.

  • Transmission of locally collected accounting information to remote TACACS+ servers.


Accounting using remote RADIUS AAA servers is not supported.


TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In User Service) server software is readily available as either open source or from various vendors.


For switches that support multiple management modules such as the Aruba 8400, all AAA functionality discussed only applies to the active management module. See also AAA on switches with multiple management modules in the ArubaOS-CX High Availability Guide.