AAA Configuration
Introduction
Section titled “Introduction”AAA configuration provides a security management mechanism known as Authentication, Authorization, and Accounting. It encompasses three essential security functions:
Authentication: This process verifies the identity of remote users accessing the network and determines whether the access is granted to legitimate network users.
Authorization: It involves assigning varying permissions to different users, restricting the services they can use based on their roles and privileges.
Accounting: This involves recording all user operations during their network service usage, including service types, start times, data usage, etc. It is used for collecting and documenting user resource usage and can also facilitate billing based on time and data consumption. It also serves a monitoring purpose.
AAA employs a client/server architecture, where the client typically runs on network access servers (NAS) responsible for verifying user identities and managing their access. Servers centralize user information and execute authorization and accounting processes.
AAA Authentication Schemes
Section titled “AAA Authentication Schemes”AAA categorizes users based on different access methods into the following types:
Login Users: These are the management users who log in to the device, such as users logging in via SSH or the console port.
Access Users: These are the users accessing the network using methods like 802.1x authentication or MAC authentication.
Login Users
Section titled “Login Users”The device supports the following authentication methods:
Tacacs Authentication: User information is configured on a Tacacs server, and the Tacacs server authenticates the users.
Local Authentication: Local users are created on the device, and their information is stored locally. The device acts as an authentication server for these users.
When the AAA authentication method is configured as Tacacs and local users, SSH-login users are primarily authenticated using AAA. For users logging in via the console port, local authentication is given priority. The default method is local authentication.
Access Users
Section titled “Access Users”The device supports the following authentication methods:
Radius Authentication: User information is configured on a Radius server, and the Radius server authenticates the users. Various authentication methods can be used, such as PAP, CHAP, EAP, and MAB.
No Authentication: By default, no authentication is performed.
AAA Authorization Schemes
Section titled “AAA Authorization Schemes”Login Users
Section titled “Login Users”For login users, the authorization server sends a user group ID to the device. The device supports four types of user groups, each corresponding to an ID and specific permissions:
0: Users can only access the klish interface and cannot perform any configuration or show operations.
1: Users can access the klish interface, execute show commands in system view, but cannot enter the config view for configuration.
2: Users can access the config view, allowing configuration and show commands at the system level. However, they cannot execute system-level operations like reboot or update.
15: Users possess the highest privilege level, granting them permission to perform all operations.
Access Users
Section titled “Access Users”For access users, the Radius server sends an ACL (Access Control List) number. The device must have the corresponding ACL rules configured in advance. After successful authentication, the device automatically binds the ACL rules to the designated access port based on the authentication result. It’s important to note that the authorization feature is only applicable to MAB (MAC Authentication Bypass) authentication method.
AAA Configuration
Section titled “AAA Configuration”| Configure Tasks | Instructions |
|---|---|
| Configure AAA authentication method for login users | Required |
| Configure AAA authorization method for login users | Required |
| Configure TACACS server | Required |
| Configure AAA server failover | Optional |
Configuring AAA Authentication Method for Login Users
Section titled “Configuring AAA Authentication Method for Login Users”User have the flexibility to configure either a singular authentication method or to employ both methods concurrently. In scenarios where both methods are configured simultaneously, the TACACS authorization will be the initial preference. However, if the TACACS server encounters an issue and the AAA server failover mechanism is enabled, the system will resort to utilizing local authorization.
| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Configure AAA authentication method for login users | aaa authentication login {tacacs+| local} |
Configuring AAA Authorization Method for Login Users
Section titled “Configuring AAA Authorization Method for Login Users”| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Configure AAA authorization method for login users | aaa authorization command {tacacs+|local} |
Configuring TACACS Server
Section titled “Configuring TACACS Server”| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Configure TACACS server | tacacs ip-address [key key_vaule**] [pri** priority**] [auth-type {chap|pap|mschap|login}] [mgmt-vrf] [port** number**]** |
Configuring AAA Server Failover
Section titled “Configuring AAA Server Failover”Enabling failover ensures that the failure of the TACACS server for authentication does not impact the authentication and authorization of local users.
| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Configure AAA server failover | aaa authentication failthrough enable |
TACACS Authentication Configuration Example
Section titled “TACACS Authentication Configuration Example”Network requirements
Use TACACS server to authenticate and authorize SSH users logging into the Device.
Users can execute all system commands after authentication.
TACACS server can manage devices through local users when escaping.
Procedure
# Configure user login using TACACS and local user method
sonic(config)# aaa authentication login tacacs+ local# Configure command line authorization for TACACS and local users
sonic(config)# aaa authorization command tacacs+ local# Configure the TACACS server IP address
sonic(config)# tacacs 150.0.0.3Verify configuration
- When the TACACS server connection is normal, logging in to the device using the local user fails.
- When the TACACS server is connected normally, use TACACS to log in to the device and log in normally, the TACACS user can use all command lines of the device normally.
- When the TACACS server is disconnected, use the local user to log in to the device, the login is successful and the local user can use all command lines of the device normally.
Local User Configuration Example
Section titled “Local User Configuration Example”Network requirements
Create a local user, login as testera, password: aabb1122
Set the number of consecutive incorrect password entries for the local user to 5 and the lockout time to 5 minutes
Procedure
- Create local user
sonic(config)# local-user name testera passwd aabb1122- Configure the security policy when continuously entering password measures
sonic(config)# local-user block-time 5sonic(config)# local-user retry-count 5Verify configuration
- Login to the device using the local user and login successfully
- Login to the device with the wrong password to view the information and lockout status of this user
sonic# show local-user briefUSER ONLINE BLOCKED LOGIN IP LOGIN TIMEadmin yes no 192.168.0.109 2022-09-02 01:13testera no yes 192.168.0.109 2022-09-02 01:10