AAA

此内容尚不支持你的语言。

Authentication, Authorization, and Accounting (AAA) is a framework for controlling access to network resources. It provides a way to manage user access and permissions, ensuring that only authorized users can access specific resources.

AsterNOS support Authentication, Authorization, and Accounting (AAA) for user management with following capabilities.

For Authentication, AsterNOS supports the following methods:

Local Authentication
RADIUS Authentication
TACACS+ Authentication

For Authorization, AsterNOS supports the following methods:

Local Authorization
TACACS+ Authorization
RADIUS Authorization

For Accounting, AsterNOS supports the following methods:

Local Accounting
TACACS+ Accounting
RADIUS Accounting

Modify AAA Configuration

The following example give a typical AAA configuration:

Use TACACS+ as primary authentication protocol, and local as secondary protocol.
Enable failthrough and fallback for authentication, which will allow local user database to be used if TACACS+ server is unreachable.
Enable debug for authentication, which will log detailed information about authentication attempts.
Use TACACS+ as authorization protocol, and enable auth-cmd, which strictly checks user permissions for executing commands via TACACS+ protocol.
Enable debug for authorization, which will log detailed information about authorization attempts.
use TACACS+ as accounting protocol, which will sending user activity logs to TACACS+ server.

Request example

<config><top>
  <aaa>
    <accounting>
        <protocol>tacacs+</protocol>
    </accounting>
    <authorization>
        <protocol>tacacs+</protocol>
        <auth-service>false</auth-service>
        <auth-cmd>true</auth-cmd>
        <debug>true</debug>
    </authorization>
    <authentication>
        <protocol>tacacs+</protocol>
        <protocol>local</protocol>
        <failthrough>true</failthrough>
        <fallback>true</fallback>
        <debug>true</debug>
    </authentication>
  </aaa>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:c0494172-98ab-4056-b83c-8c0df58e3e92">
  <ok/>
</rpc-reply>

Get Current AAA Configurations

Request example to get current AAA configurations via get-config

<filter type="subtree">
    <top>
        <aaa/>
    </top>
</filter>"""

Response example

<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <top>
    <aaa xmlns="http://asterfusion.com/ns/yang/asternos-aaa">
      <accounting>
        <protocol>tacacs+</protocol>
      </accounting>
      <authentication>
        <protocol>tacacs+</protocol>
        <protocol>local</protocol>
        <failthrough>true</failthrough>
        <fallback>true</fallback>
        <debug>true</debug>
      </authentication>
      <authorization>
        <protocol>tacacs+</protocol>
        <auth-service>false</auth-service>
        <auth-cmd>true</auth-cmd>
        <debug>true</debug>
      </authorization>
    </aaa>
  </top>
</data>

Reset AAA Configurations

Request example to reset AAA configurations to factory default.

<config><top>
  <aaa operation="delete"/>
</top></config>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:fcc97206-be43-444a-8a9c-1d69cc14992f">
  <ok/>
</rpc-reply>

Show AAA Status via rpc

Use show-aaa rpc to show current AAA status.

Request example to show current AAA configurations in CLI format via rpc show-aaa

<show-aaa/>

Response example

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:55a84d56-e32a-4713-87ae-674b4070812f">
  <data xmlns="http://asterfusion.com/ns/yang/asternos-aaa">
AAA authentication login ['tacacs+', 'local']
AAA authentication failthrough True
AAA authentication fallback True
AAA authentication debug True
AAA authorization command ['tacacs+']
AAA authorization auth_cmd True
AAA authorization debug True
AAA accounting command ['tacacs+']
  </data>
</rpc-reply>