AAA Configuration
show aaa
[Command] show aaa
[Purpose] View the authentication, authorization and accounting (AAA) settings configured on the network node
[View] System view
[Use Cases]
sonic# show aaa
AAA accounting debug False
AAA accounting command local (default)
AAA authentication debug False
AAA authentication login tacacs+,local
AAA authentication failthrough True
AAA authentication fallback True
AAA authorization debug False
AAA authorization auth_cmd False
AAA authorization command tacacs+,local
AAA authorization auth_service True
aaa accounting command {tacacs+|radius|local|default}
[Command] aaa accounting command {tacacs+|radius|local|default}
[Purpose] Configure the AAA command accounting method
[Parameter]
| Parameter | Description |
|---|---|
| tacacs+ | Command accounting via a TACACS+ server |
| radius | Command accounting via a RADIUS server |
| local | Local command accounting |
| default | Reset to the default value (local accounting) |
[View] System configuration view
[Notes] After TACACS+ or RADIUS accounting is enabled, commands executed by users at the command line are logged on the TACACS+ or RADIUS server.
[Use Cases]
sonic(config)# aaa accounting command local tacacs+
aaa authentication debug enable
[Command] aaa authentication debug enable
no aaa authentication debug enable
[Purpose] Enable user authentication debug information
[View] System configuration view
[Notes] When users enable authentication debug information, corresponding authentication details for each user will be logged to the /var/log/syslog file during the authentication process.
[Use Cases]
sonic(config)# aaa authentication debug enable
aaa authentication failthrough {enable|default}
[Command] aaa authentication failthrough {enable|default}
no aaa authentication failthrough enable
[Purpose] Enable fail-through
[View] System configuration view
[Notes] Configure this command when TACACS+ authentication is enabled and the login method list contains more than one entry, for example several TACACS+ servers or TACACS+ followed by local. With fail-through enabled, a user whom a TACACS+ server explicitly rejects is passed on to the next entry in the list, whether that is another TACACS+ server or the local user database, until an entry accepts the user or every entry has been tried. With fail-through disabled, a rejection from the first server that answers ends the process and the login is denied. Fail-through covers a server that answers with a rejection; a server that does not answer at all is handled by aaa authentication fallback. Note the security consequence: with fail-through enabled and local in the login list, a local password is sufficient to log in even after the central server has rejected the user, so local accounts should be few and strongly protected.
[Use Cases]
sonic(config)# aaa authentication failthrough enable
aaa authentication fallback {enable|default}
[Command] aaa authentication fallback {enable|default}
no aaa authentication fallback enable
[Purpose] Enable fallback
[View] System configuration view
[Notes] Configure this command when several TACACS+ servers are configured and TACACS+ authentication is enabled. With fallback enabled, a server that does not respond (unreachable or timed out) is skipped and the next configured server is tried in priority order, so a single dead server does not block logins. With fallback disabled, authentication is attempted only against the highest-priority TACACS+ server; if that server does not respond, the login cannot complete. Fallback covers a server that gives no answer; a server that answers with a rejection is governed by aaa authentication failthrough.
[Use Cases]
sonic(config)# aaa authentication fallback enable
aaa authentication login {tacacs+|radius|local|default}
[Command] aaa authentication login {tacacs+|radius|local|default}
[Purpose] Configure aaa login authentication method
[Parameter]
| Parameter | Description |
|---|---|
| tacacs+ | Remote authentication against a TACACS+ server |
| radius | Remote authentication against a RADIUS server |
| local | Local authentication |
| default | Reset to the default value (local authentication only) |
[View] System configuration view
[Notes] To protect the network, user identities must be verified so that only authorized users can reach the device. This command selects the login authentication method for the scenario at hand. The methods are tried in the order in which they are listed, and show aaa displays the resulting list (for example tacacs+,local); listing the remote method first and local last keeps local accounts as a safety net rather than the primary path. Whether a rejection or a non-responding server falls through to the next entry is controlled by aaa authentication failthrough and aaa authentication fallback.
[Use Cases]
sonic(config)# aaa authentication login tacacs+ local
sonic(config)# aaa authentication login radius local
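To check a switch's AAA state against the points made in the accounting and authentication sections above, here is an added Python example (not part of the switch CLI or of SONiC) that parses the show aaa output from the top of this page and reports risky combinations. The sample text is a constructed copy of that output; the severity labels and the policy behind each finding are the editor's assumptions.

```python
"""Audit a 'show aaa' dump for risky AAA settings.

Added example, not switch or SONiC code. SHOW_AAA is a constructed copy of
the output at the top of this page; severities are the editor's assumptions.
"""
import re

# Constructed sample: the 'show aaa' output shown at the top of the page.
SHOW_AAA = """\
AAA accounting debug False
AAA accounting command local (default)
AAA authentication debug False
AAA authentication login tacacs+,local
AAA authentication failthrough True
AAA authentication fallback True
AAA authorization debug False
AAA authorization auth_cmd False
AAA authorization command tacacs+,local
AAA authorization auth_service True
"""

# 'AAA <section> <key> <value>' with an optional trailing '(default)' marker.
LINE_RE = re.compile(r"^AAA (\w+) (\w+) (.+?)(?: \(default\))?$")
REMOTE = {"tacacs+", "radius"}


def parse_show_aaa(text):
    """Map (section, key) -> value; the '(default)' marker is dropped."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            section, key, value = m.groups()
            settings[(section, key)] = value
    return settings


def methods(value):
    """Split a method list written as 'tacacs+,local' or 'local tacacs+'."""
    return [m for m in re.split(r"[,\s]+", value) if m]


def audit(settings):
    """Return (severity, message) findings in a fixed order."""
    findings = []
    login = methods(settings.get(("authentication", "login"), "local"))
    accounting = methods(settings.get(("accounting", "command"), "local"))
    failthrough = settings.get(("authentication", "failthrough")) == "True"
    fallback = settings.get(("authentication", "fallback")) == "True"

    # Debug flags write per-user details to /var/log/syslog (see the debug commands).
    for section in ("accounting", "authentication", "authorization"):
        if settings.get((section, "debug")) == "True":
            findings.append(("medium", f"{section} debug enabled: per-user details go to /var/log/syslog"))

    # Commands are only recorded centrally when a remote accounting method is set.
    if not REMOTE & set(accounting):
        findings.append(("medium", "command accounting is local only; operator commands never reach a TACACS+/RADIUS server"))

    # Login should go to the central server first, with local only as a safety net.
    if not REMOTE & set(login):
        findings.append(("high", "no remote login method; only local accounts are checked"))
    elif login[0] not in REMOTE:
        findings.append(("medium", f"local is tried before the remote method: {','.join(login)}"))

    # Failthrough lets a user rejected by the server continue to the next entry.
    if failthrough and "local" in login:
        findings.append(("medium", "failthrough with local in the login list: a local password still works after a remote rejection"))

    # Without fallback, a non-responding highest-priority server blocks every login.
    if not fallback and REMOTE & set(login) and "local" not in login:
        findings.append(("medium", "remote-only login with fallback disabled: a dead highest-priority server locks out management"))

    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_show_aaa(SHOW_AAA)):
        print(f"[{severity}] {message}")
```

Run against the sample it reports two findings: accounting is local only, and failthrough combined with local in the login list. Changing the accounting method to tacacs+,local and disabling failthrough clears both.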
aaa authorization debug enable
[Command] aaa authorization debug enable
[Purpose] Enable user authorization debug information
[View] System configuration view
[Notes] After authorization debug information is enabled, the user's permission details are written to the device's /var/log/syslog once the user has authenticated and logged in.
[Use Cases]
sonic(config)# aaa authorization debug enable
aaa authorization command {tacacs+|radius|local|default}
[Command] aaa authorization command {tacacs+|radius|local|default}
[Purpose] Configure the AAA command authorization method
[Parameter]
| Parameter | Description |
|---|---|
| tacacs+ | Command authorization via a TACACS+ server |
| radius | Command authorization via a RADIUS server |
| local | Local command authorization |
| default | Reset to the default value (local command authorization) |
[View] System configuration view
[Notes] TACACS+, RADIUS and local can be configured individually or in combination, but TACACS+ and RADIUS cannot be configured at the same time.
After TACACS+ or RADIUS command authorization is enabled, the system authorizes each command according to the user level assigned to that user on the TACACS+ or RADIUS server. Four classes of permission are supported:
- 0: Non-login user
- 1: Read-only user; may only run show commands
- 2-14: Regular user; may run every command except the system commands (reboot, image-update, delete startup-config)
- 15: System user; may run all commands, including the system commands
[Use Cases]
sonic(config)# aaa authorization command tacacs+,local
aaa authorization mode {service|cmd} enable
[Command] aaa authorization mode {service|cmd} enable
no aaa authorization mode {service|cmd} enable
[Purpose] Configure the AAA command authorization mode
[Parameter]
| Parameter | Description |
|---|---|
| service | Grant permissions to the command line based on different service functions. |
| cmd | Authorize the command line based on the regular expression match results of the command line. |
[View] System configuration view
[Notes] When TACACS+ or RADIUS authorization is in use and a finer-grained check than the user level is required, service or cmd authorization can be enabled:
- service: Authorizes by the service (functional feature) a command belongs to. For example, a level-2 user may enter the interface view for the related operations but cannot configure other features.
- cmd: Authorizes by matching the command line against the configured regular expressions. For example, commands containing show or ping are authorized, while any other command fails authorization and is not executed.
When several authorization checks are enabled, they are evaluated in the order user level -> service authorization -> command-line authorization. The first check that fails terminates the evaluation: a user without sufficient permissions at a higher level is never evaluated by the lower-level checks.
[Use Cases]
sonic(config)# aaa authorization mode service enable
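The evaluation order described in the aaa authorization command and aaa authorization mode sections (user level, then service, then cmd, stopping at the first failure) can be modelled as a small decision procedure. The following is an added Python example, not the switch's own authorization code: the level bands, the system-command list and the order are taken from this page, while the shape of the service policy (view name to allowed levels), the regular-expression list and the sample commands are the editor's assumptions.

```python
"""Model of the command-authorization order described on this page:
user level -> service authorization -> command-line authorization.

Added example, not the switch's implementation. Level bands, the system-command
list and the order come from the page; the service policy shape, the regexes
and the sample commands are the editor's assumptions.
"""
import re

# From the page: only a level-15 (system) user may run these.
SYSTEM_COMMANDS = ("reboot", "image-update", "delete startup-config")

# Assumed service policy: view name -> levels allowed to operate in it.
SERVICE_POLICY = {
    "interface": set(range(2, 16)),
    "bgp": set(range(5, 16)),
}

# Assumed cmd-mode policy: the page's "show or ping" example as regexes.
CMD_PATTERNS = [r"^show\b", r"^ping\b"]


def level_allows(level, command):
    """0: no login; 1: show only; 2-14: all but system commands; 15: everything."""
    if level <= 0:
        return False
    if level == 1:
        return command.startswith("show")
    if 2 <= level <= 14:
        return not any(command.startswith(s) for s in SYSTEM_COMMANDS)
    return level == 15


def service_allows(level, view, policy):
    """Service mode: the user's level must be allowed for the view the command runs in.
    Views not listed in the policy are treated as unrestricted (assumption)."""
    allowed = policy.get(view)
    return allowed is None or level in allowed


def cmd_allows(command, patterns):
    """cmd mode: the command line must match at least one configured pattern."""
    return any(re.search(p, command) for p in patterns)


def authorize(level, command, view="exec", service_policy=None, cmd_patterns=None):
    """Run the checks in page order; the first failure ends the evaluation.
    Returns (allowed, stage) so the caller can see which stage decided."""
    if not level_allows(level, command):
        return False, "level"
    if service_policy is not None and not service_allows(level, view, service_policy):
        return False, "service"
    if cmd_patterns is not None and not cmd_allows(command, cmd_patterns):
        return False, "cmd"
    return True, "ok"


if __name__ == "__main__":
    # Constructed cases: (level, command, view)
    cases = [
        (1, "show version", "exec"),
        (5, "reboot", "exec"),
        (2, "network 10.0.0.0/8", "bgp"),
        (5, "configure", "exec"),
    ]
    for level, command, view in cases:
        print(level, command, authorize(level, command, view, SERVICE_POLICY, CMD_PATTERNS))
```

The stage name in the result shows the short-circuit in action: a level-5 user running reboot is refused at the level stage even when the cmd patterns would match everything, and the service and cmd checks are never consulted.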