User Access and Authentication Configuration Guide

Introduction

AAA configuration provides a security management mechanism known as Authentication, Authorization, and Accounting. It encompasses three essential security functions:

Authentication: This process verifies the identity of remote users accessing the network and determines whether the access is granted to legitimate network users.
Authorization: It involves assigning varying permissions to different users, restricting the services they can use based on their roles and privileges.
Accounting: This involves recording all user operations during their network service usage, including service types, start times, data usage, etc. It is used for collecting and documenting user resource usage and can also facilitate billing based on time and data consumption. It also serves a monitoring purpose.

AAA employs a client/server architecture, where the client typically runs on network access servers (NAS) responsible for verifying user identities and managing their access. Servers centralize user information and execute authorization and accounting processes.

AAA Authentication Schemes

AAA categorizes users based on different access methods into the following types:

Login Users: These are the management users who log in to the device, such as users logging in via SSH or the console port.
Access Users: These are the users accessing the network using methods like 802.1x authentication or MAC authentication.

The device supports the following authentication methods:

Local Authentication: Local users are created on the device, and their information is stored locally. The device acts as an authentication server for these users.

When the AAA authentication method is configured as local users, SSH-login users are primarily authenticated using AAA. For users logging in via the console port, local authentication is given priority. The default method is local authentication.

AAA Authorization Schemes

For login users, the authorization server sends a user group ID to the device. The device supports four types of user groups, each corresponding to an ID and specific permissions:

0: Users can only access the klish interface and cannot perform any configuration or show operations.
1: Users can access the klish interface, execute show commands in system view, but cannot enter the config view for configuration.
2: Users can access the config view, allowing configuration and show commands at the system level. However, they cannot execute system-level operations like reboot or update.
15: Users possess the highest privilege level, granting them permission to perform all operations.

Access Users

For access users, the Radius server sends an ACL (Access Control List) number. The device must have the corresponding ACL rules configured in advance. After successful authentication, the device automatically binds the ACL rules to the designated access port based on the authentication result. It’s important to note that the authorization feature is only applicable to MAB (MAC Authentication Bypass) authentication method.

Local User Configuration Example

Network requirements

Create a local user, login as testera, password: aabb1122
Set the number of consecutive incorrect password entries for the local user to 5 and the lockout time to 5 minutes

Procedure

1.Create local user

sonic(config)# local-user name testera passwd aabb1122

2.Configure the security policy when continuously entering password measures

sonic(config)# local-user block-time 5
sonic(config)# local-user retry-count 5

Verify configuration

1.Login to the device using the local user and login successfully

2.Login to the device with the wrong password to view the information and lockout status of this user

sonic# show local-user brief
USER ONLINE BLOCKED LOGIN IP LOGIN TIME
admin yes no 192.168.0.109 2022-09-02 01:13
testera no yes 192.168.0.109 2022-09-02 01:10