AAA
Authentication, Authorization, and Accounting (AAA) is a framework for controlling access to network resources. It provides a way to manage user access and permissions, ensuring that only authorized users can access specific resources.
AsterNOS support Authentication, Authorization, and Accounting (AAA) for user management with following capabilities.
For Authentication, AsterNOS supports the following methods:
- Local Authentication
- RADIUS Authentication
- TACACS+ Authentication
For Authorization, AsterNOS supports the following methods:
- Local Authorization
- TACACS+ Authorization
- RADIUS Authorization
For Accounting, AsterNOS supports the following methods:
- Local Accounting
- TACACS+ Accounting
- RADIUS Accounting
Modify AAA Configuration
Section titled “Modify AAA Configuration”The following example give a typical AAA configuration:
- Use TACACS+ as primary authentication protocol, and local as secondary protocol.
- Enable failthrough and fallback for authentication, which will allow local user database to be used if TACACS+ server is unreachable.
- Enable debug for authentication, which will log detailed information about authentication attempts.
- Use TACACS+ as authorization protocol, and enable auth-cmd, which strictly checks user permissions for executing commands via TACACS+ protocol.
- Enable debug for authorization, which will log detailed information about authorization attempts.
- use TACACS+ as accounting protocol, which will sending user activity logs to TACACS+ server.
Request example
<config><top> <aaa> <accounting> <protocol>tacacs+</protocol> </accounting> <authorization> <protocol>tacacs+</protocol> <auth-service>false</auth-service> <auth-cmd>true</auth-cmd> <debug>true</debug> </authorization> <authentication> <protocol>tacacs+</protocol> <protocol>local</protocol> <failthrough>true</failthrough> <fallback>true</fallback> <debug>true</debug> </authentication> </aaa></top></config>Response example
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:c0494172-98ab-4056-b83c-8c0df58e3e92"> <ok/></rpc-reply>Get Current AAA Configurations
Section titled “Get Current AAA Configurations”Request example to get current AAA configurations via get-config
<filter type="subtree"> <top> <aaa/> </top></filter>"""Response example
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <top> <aaa xmlns="http://asterfusion.com/ns/yang/asternos-aaa"> <accounting> <protocol>tacacs+</protocol> </accounting> <authentication> <protocol>tacacs+</protocol> <protocol>local</protocol> <failthrough>true</failthrough> <fallback>true</fallback> <debug>true</debug> </authentication> <authorization> <protocol>tacacs+</protocol> <auth-service>false</auth-service> <auth-cmd>true</auth-cmd> <debug>true</debug> </authorization> </aaa> </top></data>Reset AAA Configurations
Section titled “Reset AAA Configurations”Request example to reset AAA configurations to factory default.
<config><top> <aaa operation="delete"/></top></config>Response example
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:fcc97206-be43-444a-8a9c-1d69cc14992f"> <ok/></rpc-reply>Show AAA Status via rpc
Section titled “Show AAA Status via rpc”Use show-aaa rpc to show current AAA status.
Request example to show current AAA configurations in CLI format via rpc show-aaa
<show-aaa/>Response example
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:55a84d56-e32a-4713-87ae-674b4070812f"> <data xmlns="http://asterfusion.com/ns/yang/asternos-aaa">AAA authentication login ['tacacs+', 'local']AAA authentication failthrough TrueAAA authentication fallback TrueAAA authentication debug TrueAAA authorization command ['tacacs+']AAA authorization auth_cmd TrueAAA authorization debug TrueAAA accounting command ['tacacs+'] </data></rpc-reply>