AAA Feature Template

Specify the authentication method and order and configure Radius, TACACs, or local authentication, including local user groups with different read/write permissions.

Diagram

Classes

edge_feature_templates (sdwan)

Name	Type	Constraint	Mandatory	Default Value
aaa_templates	List	[aaa_templates]	No

aaa_templates (sdwan.edge_feature_templates)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: ^[^<>!&" ]{1,128}$	Yes
description	String		Yes
device_types	List	Choice[ASR-1001-HX, ASR-1001-X, ASR-1002-HX, ASR-1002-X, ASR-1006-X, C1101-4P, C1101-4PLTEP, C1101-4PLTEPW, C1109-2PLTEGB, C1109-2PLTEUS, C1109-2PLTEVZ, C1109-4PLTE2P, C1109-4PLTE2PW, C1111-4P, C1111-4PLTEEA, C1111-4PLTELA, C1111-4PW, C1111-8P, C1111-8PLTEEA, C1111-8PLTEEAW, C1111-8PLTELA, C1111-8PLTELAW, C1111-8PW, C1111X-8P, C1112-8P, C1112-8PLTEEA, C1112-8PLTEEAWE, C1112-8PWE, C1113-8P, C1113-8PLTEEA, C1113-8PLTEEAW, C1113-8PLTELA, C1113-8PLTELAWZ, C1113-8PLTEW, C1113-8PM, C1113-8PMLTEEA, C1113-8PMWE, C1113-8PW, C1116-4P, C1116-4PLTEEA, C1116-4PLTEEAWE, C1116-4PWE, C1117-4P, C1117-4PLTEEA, C1117-4PLTEEAW, C1117-4PLTELA, C1117-4PLTELAWZ, C1117-4PM, C1117-4PMLTEEA, C1117-4PMLTEEAWE, C1117-4PMWE, C1117-4PW, C1118-8P, C1121-4P, C1121-4PLTEP, C1121-8P, C1121-8PLTEP, C1121-8PLTEPW, C1121X-8P, C1121X-8PLTEP, C1121X-8PLTEPW, C1126-8PLTEP, C1126X-8PLTEP, C1127-8PLTEP, C1127-8PMLTEP, C1127X-8PLTEP, C1127X-8PMLTEP, C1128-8PLTEP, C1131-8PLTEPW, C1131-8PW, C1131X-8PLTEPW, C1131X-8PW, C1161-8P, C1161-8PLTEP, C1161X-8P, C1161X-8PLTEP, C8000V, C8200-1N-4T, C8200L-1N-4T, C8300-1N1S-4T2X, C8300-1N1S-6T, C8300-2N2S-4T2X, C8300-2N2S-6T, C8500-12X, C8500-12X4QC, C8500-20X6C, C8500L-8S4X, IR-1101, IR-1821, IR-1831, IR-1833, IR-1835, IR-8140H, IR-8140H-P, IR-8340, ISR-4221, ISR-4221X, ISR-4321, ISR-4331, ISR-4351, ISR-4431, ISR-4451-X, ISR-4461, ISR1100-4G-XE, ISR1100-4GLTEGB-XE, ISR1100-4GLTENA-XE, ISR1100-6G-XE, ISR1100X-4G-XE, ISR1100X-6G-XE]	No
accounting_rules	List	[accounting_rules]	No
authentication_and_authorization_order	List	String	Yes
authorization_config_commands	Boolean	true, false	No
authorization_config_commands_variable	String	Regex: ^[^"~$&+,]255$`	No
authorization_console	Boolean	true, false	No
authorization_console_variable	String	Regex: ^[^"~$&+,]255$`	No
authorization_rules	List	[authorization_rules]	No
dot1x_authentication	Boolean	true, false	No
dot1x_authentication_variable	String	Regex: ^[^"~$&+,]255$`	No
dot1x_accounting	Boolean	true, false	No
dot1x_accounting_variable	String	Regex: ^[^"~$&+,]255$`	No
radius_dynamic_author	Class	[radius_dynamic_author]	No
radius_server_groups	List	[radius_server_groups]	No
radius_trustsec	Class	[radius_trustsec]	No
tacacs_server_groups	List	[tacacs_server_groups]	No
users	List	[users]	Yes

accounting_rules (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory	Default Value
method	Choice	commands, exec, network, system	Yes
privilege_level	Choice	1, 15	No
start_stop	Boolean	true, false	No
start_stop_variable	String	Regex: ^[^"~$&+,]255$`	No
groups	List	String	Yes

authorization_rules (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory	Default Value
method	Choice	commands	Yes
privilege_level	Choice	1, 15	Yes
authenticated	Boolean	true, false	Yes
groups	List	String	Yes

radius_dynamic_author (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory	Default Value
domain_stripping	Choice	yes, no, right-to-left	No
domain_stripping_variable	String	Regex: ^[^"~$&+,]255$`	No
authentication_type	Choice	yes, all, session-key	No
authentication_type_variable	String	Regex: ^[^"~$&+,]255$`	No
port	Integer	min: 0, max: 65535	No
port_variable	String	Regex: ^[^"~$&+,]255$`	No
server_key	String		No
server_key_variable	String	Regex: ^[^"~$&+,]255$`	No
clients	List	[clients]	Yes

radius_server_groups (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory	Default Value
name	String	min: 1, max: 32	Yes
servers	List	[servers]	Yes
source_interface	String		No
source_interface_variable	String	Regex: ^[^"~$&+,]255$`	No
vpn_id	Integer	min: 0, max: 65530	No

radius_trustsec (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory	Default Value
cts_authorization_list	String		No
cts_authorization_list_variable	String	Regex: ^[^"~$&+,]255$`	No
server_group	String	min: 1, max: 32	No

tacacs_server_groups (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory	Default Value
name	String	min: 1, max: 32	Yes
vpn_id	Integer	min: 0, max: 65530	No
source_interface	String		No
source_interface_variable	String	Regex: ^[^"~$&+,]255$`	No
servers	List	[servers]	Yes

users (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory	Default Value
name	String	max: 64	Yes
optional	Boolean	true, false	No
password	String	starts_with: $6$	Yes
privilege_level	Choice	1, 15	No
privilege_level_variable	String	Regex: ^[^"~$&+,]255$`	No
secret	String	starts_with: $9$	Yes
ssh_rsa_keys	List	String	No

clients (sdwan.edge_feature_templates.aaa_templates.radius_dynamic_author)

Name	Type	Constraint	Mandatory	Default Value
ip	IP		No
ip_variable	String	Regex: ^[^"~$&+,]255$`	No
vpn_id	Integer	min: 0, max: 65530	No
vpn_id_variable	String	Regex: ^[^"~$&+,]255$`	No
server_key	String		No

servers (sdwan.edge_feature_templates.aaa_templates.radius_server_groups)

Name	Type	Constraint	Mandatory	Default Value
address	IP		Yes
authentication_port	Integer	min: 1, max: 65535	No
authentication_port_variable	String	Regex: ^[^"~$&+,]255$`	No
accounting_port	Integer	min: 1, max: 65535	No
accounting_port_variable	String	Regex: ^[^"~$&+,]255$`	No
timeout	Integer	min: 1, max: 1000	No
timeout_variable	String	Regex: ^[^"~$&+,]255$`	No
retransmit_count	Integer	min: 1, max: 100	No
retransmit_count_variable	String	Regex: ^[^"~$&+,]255$`	No
key_type	Choice	key, pac	No
key_type_variable	String	Regex: ^[^"~$&+,]255$`	No
key	String	starts_with: $CRYPT_CLUSTER$, min: 1, max: 128	Yes
secret_key	String	Regex: ^[0-9a-z]{1,150}$	Yes

servers (sdwan.edge_feature_templates.aaa_templates.tacacs_server_groups)

Name	Type	Constraint	Mandatory	Default Value
address	IP		Yes
port	Integer	min: 1, max: 65535	No
port_variable	String	Regex: ^[^"~$&+,]255$`	No
timeout	Integer	min: 1, max: 1000	No
timeout_variable	String	Regex: ^[^"~$&+,]255$`	No
key	String	starts_with: $CRYPT_CLUSTER$, min: 1, max: 128	Yes
secret_key	String	Regex: ^[0-9a-z]{1,150}$	Yes

Examples

sdwan:
  edge_feature_templates:
    aaa_templates:
      - name: FT-CEDGE-AAA-01
        description: TACACS, Local auth
        device_types:
          - C8000V
        authentication_and_authorization_order:
          - TACACS-GROUP1
          - local
        tacacs_server_groups:
          - name: TACACS-GROUP1
            vpn: 511
            source_interface_variable: tacacs_source_interface
            servers:
              - address: 10.1.1.1
                port: 49
                key: $CRYPT_CLUSTER$jq34CKAzT5KGdEjIpYarKg==$MZkY/AdOWzm/kiLHOsKHJg==
                secret_key: 070c285f4d06485744
              - address: 10.1.1.2
                key: $CRYPT_CLUSTER$jq34CKAzT5KGdEjIpYarKg==$MZkY/AdOWzm/kiLHOsKHJg==
                secret_key: 070c285f4d06485744
        users:
          - name: admin
            password: $6$Oz2ydqNXLLDIsPSG$LhogoactFVb9eJgqgv/O/Zb.FHg74drK4maijc.Q9q/KhyDcPfwrHx9Vy6G9hY7oKWbyas4XKms7f7Znl/ndF.
            privilege_level: 15
            secret: $9$dU74jedMCjuogb$tt5nj1PRM1sTfPVHdfng/skm5F5SVmZh8kdqskY4T9I
          - name: failsafe
            password: $6$v0UN8x4fkvZd0Lnj$hq13MC.W5ElstGlolO38fshGEYxSechW4K5zEdrJD1trSH30AaNKvL4VUlOtxersGmIDNefPwyrSqbJpCpXGJ.
            privilege_level: 15
            secret: $9$g1yhfB7cvGL5R8$8lUWXWGnaLHosXIcJ/eYr1C26nJyFNXkXHhDKILO4YQ
            optional: false
        authorization_rules:
          - method: commands
            privilege_level: 15
            groups:
              - TACACS-GROUP1
            authenticated: true