diff --git a/src/main/java/org/opencord/aaa/api/AaaAuthState.java b/src/main/java/org/opencord/aaa/api/AaaAuthState.java
new file mode 100644
index 0000000..ffb4efb
--- /dev/null
+++ b/src/main/java/org/opencord/aaa/api/AaaAuthState.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2017-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.opencord.aaa.api;
+
+/**
+ * Designates the different states an AAA authentication session may be in.
+ */
+public enum AaaAuthState {
+    IDLE,
+    STARTED,
+    PENDING,
+    AUTHORIZED,
+    UNAUTHORIZED
+}
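Review bot: The five constants in `AaaAuthState` have no Javadoc, so a consumer of this API cannot tell from the file which states mean the supplicant is authenticated and which are transitional. Since access decisions will presumably key off this enum, each constant should get a one-line comment, for example `/** Authentication completed successfully. */` on `AUTHORIZED` and `/** Authentication was rejected or the session was logged off. */` on `UNAUTHORIZED`. The exact wording needs to be confirmed against the state machine, which is not part of this diff. It would also help to state in the enum's Javadoc that callers must treat every value other than `AUTHORIZED` as not authenticated, if that is the intended contract.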
diff --git a/src/main/java/org/opencord/aaa/api/AaaSession.java b/src/main/java/org/opencord/aaa/api/AaaSession.java
new file mode 100644
index 0000000..379419d
--- /dev/null
+++ b/src/main/java/org/opencord/aaa/api/AaaSession.java
@@ -0,0 +1,143 @@
+/*
+ * Copyright 2017-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.opencord.aaa.api;
+
+import org.onlab.packet.MacAddress;
+import org.onlab.packet.VlanId;
+import org.onosproject.net.ConnectPoint;
+import org.onosproject.net.DeviceId;
+import org.onosproject.net.PortNumber;
+
+/**
+ * Represents an AAA authentication session.
+ */
+public final class AaaSession {
+    // This defines supplicant device and port
+    private final ConnectPoint supplicantConnectPoint;
+
+    // User name associated with this session
+    private final String username;
+
+    // MAC associated with this session
+    private final MacAddress supplicantMacAddress;
+
+    // TODO: Review why isn't vlanId of type VlanId ??
+    // VLAN from the EAP eth packet
+    private final short vlanId;
+
+    // VLAN from subscriber info : C-Tag
+    private final VlanId ctag;
+
+    // Current authentication state of this session
+    private final AaaAuthState state;
+
+    /**
+     * Constructs an immutable AAA session description.
+     *
+     * @param supplicantConnectPoint the supplicant connect point
+     * @param username               the associated user name
+     * @param supplicantMacAddress   the associated mac address
+     * @param vlanId                 the VLAN ID
+     * @param ctag                   the C-TAG VLAN ID
+     * @param state                  the current authentication state
+     */
+    public AaaSession(ConnectPoint supplicantConnectPoint, String username,
+                      MacAddress supplicantMacAddress, short vlanId, VlanId ctag,
+                      AaaAuthState state) {
+        this.supplicantConnectPoint = supplicantConnectPoint;
+        this.username = username;
+        this.supplicantMacAddress = supplicantMacAddress;
+        this.vlanId = vlanId;
+        this.ctag = ctag;
+        this.state = state;
+    }
+
+    /**
+     * The supplicant connect point.
+     *
+     * @return the connect point
+     */
+    public ConnectPoint getConnectPoint() {
+        return supplicantConnectPoint;
+    }
+
+    /**
+     * The device identifier of the supplicant connect point.
+     *
+     * @return the device identifier
+     */
+    public DeviceId deviceId() {
+        return supplicantConnectPoint.deviceId();
+    }
+
+    /**
+     * The port number of the supplicant connect point.
+     *
+     * @return the port number
+     */
+    public PortNumber portNumber() {
+        return supplicantConnectPoint.port();
+    }
+
+    /**
+     * The user name of the supplicant.
+     *
+     * @return the user name
+     */
+    public String username() {
+        return username;
+    }
+
+    /**
+     * The MAC address of the supplicant.
+     *
+     * @return the MAC address
+     */
+    public MacAddress macAddress() {
+        return supplicantMacAddress;
+    }
+
+    // TODO: Review this description of vlanId for correctness
+
+    /**
+     * The VLAN identifier for the supplicant connection.
+     *
+     * @return the VLAN ID
+     */
+    public short vlanId() {
+        return vlanId;
+    }
+
+    // TODO: Review - does this make sense in the general (other-than-VOLTHA) case?
+
+    /**
+     * The C-TAG associated with this supplicant's session.
+     *
+     * @return the C-TAG VLAN ID
+     */
+    public VlanId cTag() {
+        return ctag;
+    }
+
+    /**
+     * The current state of this session.
+     *
+     * @return the session state
+     */
+    public AaaAuthState state() {
+        return state;
+    }
+}
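Review bot: The constructor stores all six arguments unchecked, yet `deviceId()` and `portNumber()` dereference `supplicantConnectPoint` directly. A session built with a null connect point therefore fails with a NullPointerException at a later call site rather than at construction. Reject it up front with `this.supplicantConnectPoint = Objects.requireNonNull(supplicantConnectPoint, "supplicantConnectPoint");` (plus `import java.util.Objects;`), and do the same for `state` so a session can never report a null authentication state. If `username`, `supplicantMacAddress` or `ctag` may legitimately be absent, say so in the `@param` text and on the matching getters.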
diff --git a/src/main/java/org/opencord/aaa/cli/AaaResetDeviceCommand.java b/src/main/java/org/opencord/aaa/cli/AaaResetDeviceCommand.java
new file mode 100644
index 0000000..337e3dc
--- /dev/null
+++ b/src/main/java/org/opencord/aaa/cli/AaaResetDeviceCommand.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2017-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.opencord.aaa.cli;
+
+import org.apache.karaf.shell.commands.Argument;
+import org.apache.karaf.shell.commands.Command;
+import org.onosproject.cli.AbstractShellCommand;
+import org.opencord.aaa.api.AaaService;
+
+@Command(scope = "onos", name = "aaa-reset-device",
+        description = "Resets authentication sessions for a given device")
+public class AaaResetDeviceCommand extends AbstractShellCommand {
+    @Argument(index = 0, name = "mac",
+            description = "MAC of device to reset authentication sessions",
+            required = true, multiValued = true)
+    private String[] macs = null;
+
+    @Override
+    protected void execute() {
+        AaaService aaaService = get(AaaService.class);
+
+        // FIXME: access needs to be through AaaService - Proposal...
+//        aaaService.resetAuthenticationSessionsByDeviceMac(macs);
+
+        // We shouldn't have visibility to StateMachine.
+        /*
+        for (String mac : macs) {
+            StateMachine.deleteByMac(MacAddress.valueOf(mac));
+        }
+        */
+    }
+}
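Review bot: `execute()` is registered as `aaa-reset-device` and requires at least one MAC, but its body is entirely commented out, so the command returns silently without resetting anything. An operator who runs it to revoke a device's authentication will reasonably assume the sessions are gone when they are not. Until the `AaaService` method exists, either leave the command unregistered or make the failure visible, for example `error("aaa-reset-device is not implemented; no sessions were reset");`. The unused `aaaService` local and the commented-out code should also go, with the proposal tracked in an issue rather than in the source. The class also lacks a Javadoc comment, unlike `AaaShowUsersCommand`.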
diff --git a/src/main/java/org/opencord/aaa/cli/AaaShowUsersCommand.java b/src/main/java/org/opencord/aaa/cli/AaaShowUsersCommand.java
new file mode 100644
index 0000000..276c316
--- /dev/null
+++ b/src/main/java/org/opencord/aaa/cli/AaaShowUsersCommand.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2017-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.opencord.aaa.cli;
+
+import org.apache.karaf.shell.commands.Command;
+import org.onosproject.cli.AbstractShellCommand;
+import org.onosproject.net.AnnotationKeys;
+import org.onosproject.net.ConnectPoint;
+import org.onosproject.net.Port;
+import org.onosproject.net.device.DeviceService;
+import org.opencord.aaa.api.AaaService;
+import org.opencord.aaa.api.AaaSession;
+import org.opencord.sadis.SubscriberAndDeviceInformation;
+import org.opencord.sadis.SubscriberAndDeviceInformationService;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Shows the users in the aaa.
+ */
+@Command(scope = "onos", name = "aaa-users",
+        description = "Displays the users with current AAA sessions")
+public class AaaShowUsersCommand extends AbstractShellCommand {
+
+    private static final String UNKNOWN = "UNKNOWN";
+
+    @Override
+    protected void execute() {
+        DeviceService devService = get(DeviceService.class);
+        SubscriberAndDeviceInformationService subsService =
+                get(SubscriberAndDeviceInformationService.class);
+        AaaService aaaService = get(AaaService.class);
+
+// TODO: add currentSessions() to AaaService API
+//        List<AaaSession> sessionList = aaaService.currentSessions();
+        List<AaaSession> sessionList = new ArrayList<>();
+
+        for (AaaSession s : sessionList) {
+            String subsId = getSubscriberId(devService, subsService, s.getConnectPoint());
+            print("UserName=%s,CurrentState=%s,DeviceId=%s,MAC=%s,PortNumber=%s,SubscriberId=%s",
+                  s.username(), s.state(), s.deviceId(), s.macAddress(), s.portNumber(), subsId);
+        }
+    }
+
+    private String getSubscriberId(DeviceService devService,
+                                   SubscriberAndDeviceInformationService sadis,
+                                   ConnectPoint cp) {
+        Port p = devService.getPort(cp);
+        String nasPortId = p.annotations().value(AnnotationKeys.PORT_NAME);
+        SubscriberAndDeviceInformation subscriber = sadis.get(nasPortId);
+        return (subscriber == null) ? UNKNOWN : subscriber.nasPortId();
+    }
+}
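Review bot: `getSubscriberId` dereferences the result of `devService.getPort(cp)` without a null check and passes the `PORT_NAME` annotation straight to `sadis.get(...)`. If a session outlives its port, or the port has no name annotation, the command would throw a NullPointerException partway through the listing instead of printing `UNKNOWN` for that row. Both cases should fall back to `UNKNOWN`, as the null-subscriber case already does. Separately, `execute()` iterates a list that is always empty and never uses `aaaService`, so the command currently prints nothing even when sessions exist.

```java
        Port p = devService.getPort(cp);
        if (p == null) {
            return UNKNOWN;
        }
        String nasPortId = p.annotations().value(AnnotationKeys.PORT_NAME);
        if (nasPortId == null) {
            return UNKNOWN;
        }
        // … unchanged: sadis lookup and return …
```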
