About Authentication, Authorization, and Accounting (AAA)

  • Authentication: identifies users, validates their credentials, and grants switch access.

  • Authorization: controls authenticated users command execution and switch interaction privileges.

  • Accounting: collects and manages user session activity logs for auditing and reporting purposes.

Local AAA on your Aruba switch provides:

  • Authentication using local password or SSH public key.

  • Authorization using role-based access control (RBAC), and optionally, using user-defined local user groups with command authorization rules defined per group.

  • Accounting of user activity on the switch using accounting logs.

Remote AAA provides the following for your Aruba switch:

  • Authentication using remote AAA servers with either TACACS+ or RADIUS.

  • Authorization using remote AAA servers with TACACS+ fine-grained command authorization. Local RBAC or local rule-based authorization is also possible.

  • Transmission of locally collected accounting information to remote TACACS+ and RADIUS servers.


TACACS+ (Terminal Access Controller Access-Control System Plus) and RADIUS (Remote Authentication Dial-In User Service) server software is readily available as either open source or from various vendors.


For switches that support multiple management modules such as the Aruba 8400, all AAA functionality discussed only applies to the active management module. See also AAA on switches with multiple management modules in the High Availability Guide.