AAA

Table 1 AAA View

Command     Purpose
show aaa    Display AAA configuration.

[Command] show aaa

[Purpose] Display AAA configuration.

[View] Privileged User View

[Use Cases]

sonic# show aaa
AAA accounting command local (default)
AAA authentication login local (default)
AAA authentication failthrough False (default)
AAA authorization command local (default)

Table 2 AAA Config

Command    Purpose
aaa authentication-mode failthrough {enable|disable|default}    Configure authentication failthrough feature of AAA.
aaa authentication-mode login {tacacs+|local|tacacs+,local|local,tacacs+|radius,local|local,radius|radius|default}    Set authentication mode of AAA.
aaa accounting-mode {tacacs+|local|tacacs+,local|local,tacacs+|default}    Set accounting mode of AAA.

aaa authentication-mode failthrough {enable|disable|default}

[Command] aaa authentication-mode failthrough {enable|disable|default}

[Purpose] Configure authentication failthrough feature of AAA.

[View] Global Configuration View

[Notes] This feature is disabled by default. When it is enabled, during multi-level authentication, if the first level of authentication fails, it will continue to the second level. Otherwise, it will end directly.

[Use Cases]

sonic# configure
sonic(config)# aaa authentication-mode failthrough enable

aaa authentication-mode login {tacacs+|local|tacacs+,local|local,tacacs+|radius,local|local,radius|radius|default}

[Command] aaa authentication-mode login {tacacs+|local|tacacs+,local|local,tacacs+|radius,local|local,radius|radius|default}

[Purpose] Set authentication mode of AAA.

[View] Global Configuration View

[Notes] The default mode is local. Comma-separated values indicate multi-level authentication.

[Use Cases]

sonic# configure
sonic(config)# aaa authentication-mode login tacacs+,local

aaa accounting-mode {tacacs+|local|tacacs+,local|local,tacacs+|default}

[Command] aaa accounting-mode {tacacs+|local|tacacs+,local|local,tacacs+|default}

[Purpose] Set accounting mode of AAA.

[View] Global Configuration View

[Notes] The default mode is local. Comma-separated values indicate multi-level accounting.

[Use Cases]

sonic# configure
sonic(config)# aaa accounting-mode tacacs+

Table 3 RADIUS View

Command        Purpose
show radius    Display RADIUS configuration.

[Command] show radius

[Purpose] Display RADIUS configuration.

[View] Privileged User View

[Use Cases]

sonic# show radius
RADIUS global auth_type pap (default)
RADIUS global retransmit 3 (default)
RADIUS global timeout 5 (default)
RADIUS global passkey <EMPTY_STRING> (default)

Table 4 RADIUS Config

Command    Purpose
radius server server-ip [priority priority|port port_number|use-mgmt-vrf] shared-secret    Configure a RADIUS server.
radius nasip ip_address    Configure the NAS-IP address.

[Command] radius server server-ip [priority priority|port port_number|use-mgmt-vrf] shared-secret

[Purpose] Configure a RADIUS server.

[Parameters]

Parameter      Description
server-ip      RADIUS Server IP address.
port_number    Specify the port number to be used, ranging from 1 to 65535, with a default value of 1812.

[View] Global Configuration View

[Notes] You will be prompted to enter the key after the command is entered. Run the command no radius server server-ip to delete the RADIUS server configuration.

[Use Cases]

sonic# configure
sonic(config)# radius server 10.250.0.244 shared-secret

[Command] radius nasip ip_address

[Purpose] Configure the RADIUS NAS-IP address.

[Parameters]

Parameter     Description
ip_address    NAS-IP address. IPv4 and IPv6 are supported; the default address is 127.0.0.1.

[View] Global Configuration View

[Notes] Run no radius nasip to restore the RADIUS NAS-IP address to its default value.

[Use Cases]

sonic# configure
sonic(config)# radius nasip 1.1.1.1

Table 5 TACACS+ View

Command        Purpose
show tacacs    Display TACACS configuration.

[Command] show tacacs

[Purpose] Display TACACS configuration.

[View] Privileged User View

[Use Cases]

sonic# show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)

Table 6 TACACS+ Config

Command    Purpose
tacacs-server authtype {chap|pap|mschap|login}    Specify the authentication type of the TACACS server.
tacacs-server default {authtype|passkey|timeout}    Restore to the default TACACS configuration.
tacacs-server passkey    Configure the global key for TACACS.
tacacs-server cipher ciphertext    Configure the global key for TACACS with ciphertext.
tacacs-server timeout interval    Configure the global timeout for TACACS.
tacacs-server server-ip [cipher ciphertext|timeout interval|key|auth-type type|port tcp_port|pri priority|use-mgmt-vrf]    Configure a TACACS server.

tacacs-server authtype {chap|pap|mschap|login}

[Command] tacacs-server authtype {chap|pap|mschap|login}

[Purpose] Specify the authentication type of the TACACS server.

[View] Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server authtype chap

[Command] tacacs-server default {authtype|passkey|timeout}

[Purpose] Restore to the default TACACS configuration.

[View] Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server default authtype

[Command] tacacs-server passkey

[Purpose] Configure the global key for TACACS.

[View] Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server passkey
Please enter passkey:
sonic(config)#

[Command] tacacs-server cipher ciphertext

[Purpose] Configure the global key for TACACS with ciphertext.

[Parameters]

Parameter     Description
ciphertext    The passkey in ciphertext form.

[View] Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server cipher U2FsdGVkX1/k50xAcc66gpXcarr94pu8i3HUSpUsK7U=

[Command] tacacs-server timeout interval

[Purpose] Configure the global timeout for TACACS.

[Parameters]

Parameter    Description
interval     Specify the interval in seconds. The range is from 0 to 60.

[View] Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server timeout 60

[Command] tacacs-server server-ip [cipher ciphertext|timeout interval|key|auth-type type|port tcp_port|pri priority|use-mgmt-vrf]

[Purpose] Configure a TACACS server.

[Parameters]

Parameter     Description
server-ip     TACACS Server IP address.
ciphertext    The passkey in ciphertext form.
interval      Specify the interval in seconds. The default is 5.
type          Specify the authentication type. Options: chap, pap, mschap, login.
tcp_port      Specify the TCP port number. The default is 49 and the range is [1,65535].
priority      Specify the priority. The default is 1.

[View] Global Configuration View

[Notes] Run the command no tacacs-server A.B.C.D to delete the TACACS server.

[Use Cases]

sonic# configure
sonic(config)# tacacs-server 10.250.0.244 timeout 5 key auth-type chap port 2 pri 2 use-mgmt-vrf
Please enter passkey:
sonic(config)#
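
The following Python sketch is an added example, not part of the vendor documentation: it parses show aaa, show radius and show tacacs output in the layout shown on this page and lists settings worth a review, including the failthrough and multi-level behaviour described in the notes above. The review rules, the sample text and the premise that configured values print without "(default)" are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the `show aaa` / `show tacacs` output on
# this page. Assumption: a configured value is printed without "(default)".
SAMPLE = """\
AAA accounting command local (default)
AAA authentication login tacacs+,local
AAA authentication failthrough True
AAA authorization command local (default)
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)
"""

LINE = re.compile(r"^(AAA|RADIUS|TACPLUS)\s+(.+?)\s+(\S+)(\s+\(default\))?\s*$")

def parse_show(text):
    """Return {'AAA authentication login': ('tacacs+,local', is_default), ...}."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # prompts, blank lines and unknown rows are ignored
            settings[f"{m.group(1)} {m.group(2)}"] = (m.group(3), bool(m.group(4)))
    return settings

def audit(text):
    """Apply an example review policy (hypothetical, not vendor guidance)."""
    s = parse_show(text)
    def val(key, default):  # rows missing from the input fall back to the page's defaults
        return s.get(key, (default, True))[0]
    login = val("AAA authentication login", "local").split(",")
    acct = val("AAA accounting command", "local").split(",")
    findings = []
    if val("AAA authentication failthrough", "False") == "True" and len(login) > 1:
        findings.append(f"failthrough: a failed {login[0]} login continues to {login[1]}")
    if "tacacs+" not in acct:
        findings.append("accounting: command records are kept on the switch only")
    for method, prefix in (("tacacs+", "TACPLUS"), ("radius", "RADIUS")):
        if method not in login + acct:
            continue  # protocol not referenced by any AAA mode
        if val(f"{prefix} global passkey", "<EMPTY_STRING>") == "<EMPTY_STRING>":
            findings.append(f"{method}: global passkey empty, check each server has its own key")
        if val(f"{prefix} global auth_type", "pap") == "pap":
            findings.append(f"{method}: auth_type pap sends the password itself to the server")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("REVIEW:", finding)
```

Paste the combined output of the three show commands into audit(); prompt lines such as sonic# show aaa are skipped by the parser.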