In the Matrix, nobody gets in or out without going through the operator. Tank sits at that console controlling every phone line, every exit, every connection. When Neo needs access to a building, Tank gets him in. When Morpheus needs an exit, Tank finds it. There's no "I'll just slip through the back door on my own." The operator is the single authoritative system that knows who's plugged in, where they're going, and what they're doing, and that centralized control is exactly what makes the resistance function.
Your network needs the same model.
What Is Centralized AAA?
AAA stands for Authentication, Authorization, and Auditing, and the "centralized" part is the whole point. Every network device in your environment (switches, routers, firewalls, wireless access points) needs to authenticate users and administrators through a single, authoritative system, not through local accounts stored on the device itself.
The two most common protocols for this are RADIUS and TACACS+. Either one gives you a single place to define who can log in, what they're allowed to do, and a consistent log of everything that happens.
Why It Matters
Local accounts on network devices are a security disaster waiting to happen, and in many environments, it already has.
Think about what local accounts mean in practice: every switch has its own "admin" account with a password that was set during deployment and never changed. When an admin leaves, that credential doesn't get removed, because there's no central system tracking it. When a device gets replaced, the old credentials often carry over. When you need to audit who logged into a core router last Tuesday, you're staring at a fragmented mess of device-level logs, if logs exist at all.
Centralized AAA eliminates all of that. One system to manage. One policy to enforce. One audit trail to review.
This is a CIS Control 12 safeguard, Network Infrastructure Management, and it's rated IG2+3, meaning it's a priority for organizations with moderate to mature security programs. If you're managing more than a handful of network devices, this one applies to you.
What Good Looks Like
When you've implemented centralized AAA properly, here's what changes:
- Every admin login to every network device is authenticated against a central directory (Active Directory, LDAP, or a dedicated AAA server)
- Role-based access means your junior network tech can view configs but can't push changes, without you having to configure that on 50 individual devices
- When someone leaves, you remove them in one place and they lose access everywhere
- All authentication events, successful logins, failed attempts, privilege escalations, flow into your SIEM in a consistent, parseable format
- You can answer "who logged into the core firewall at 2 am last Friday" in under 30 seconds
That last one matters a lot during an incident response.
How to Get There: Implementation Steps
- Inventory your network devices. Before you can centralize anything, you need to know what you have, switches, routers, firewalls, wireless controllers, VPN concentrators. All of it.
- Deploy a RADIUS or TACACS+ server. If you're in a Microsoft-heavy environment, Network Policy Server (NPS) is built in and can act as your RADIUS server. Cisco ISE, Aruba ClearPass, and FreeRADIUS are all solid options depending on your stack. TACACS+ (commonly via Cisco ISE or open-source TACACS+ servers) is often preferred for network device management because it provides more granular command authorization.
- Integrate your network devices. Configure each device to authenticate admin access against your AAA server instead of local accounts. Most enterprise-grade switches, routers, and firewalls support RADIUS or TACACS+ natively, this is a configuration change, not a rip-and-replace.
- Disable or lock down local accounts. Don't delete the emergency/break-glass account entirely, you'll need it if AAA is unavailable, but lock it down, store the credential in a PAM vault or sealed envelope, and make sure it's not the default path for everyday access.
- Feed AAA logs to your SIEM. Authentication events without centralized logging are only half the benefit. Make sure your AAA server is shipping events to wherever you do log analysis and alerting.
- Review AAA coverage quarterly. New devices get added. Old ones don't always get integrated. Build a quarterly check into your operations cadence to confirm every network device is authenticating against the central AAA infrastructure, not a local account someone set up during a late-night maintenance window.
Final Thoughts
Tank didn't just control access for convenience; he controlled it because that's what kept the resistance alive. If individual operators were freelancing their own authentication, the whole operation would fall apart. Your network is no different. Local accounts on individual devices are unauthorized phone booths that bypass the operator entirely. Centralize your AAA, and you're the one running the console, not hoping nobody found a back door you forgot about.
Want the free CIS resources on this control? The CIS Controls v8 documentation is available at cisecurity.org. DM me if you want to talk through what centralized AAA looks like for your environment.
Official CIS Control and Safeguard Text
CIS Control 12: Network Infrastructure Management
CIS Safeguard 12.5: Centralize network AAA.
Shameless Marketing Information
Gotham offers network access control and identity management solutions to help organizations centralize AAA across their entire infrastructure, from the data center to the edge.