AAA Feature
Specify the authentication method and order and configure Radius, TACACs, or local authentication, including local user groups with different read/write permissions.
Diagram
Classes
system_profiles (sdwan.feature_profiles)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| aaa | Class | [aaa] | No |
aaa (sdwan.feature_profiles.system_profiles)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[^&<>! "]{1,128}$ | No | |
| description | String | No | ||
| accounting_rules | List | [accounting_rules] | No | |
| auth_order | List | String[min: 1, max: 220] | No | |
| authorization_config_commands | Boolean | true, false | No | |
| authorization_config_commands_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| authorization_console | Boolean | true, false | No | |
| authorization_console_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| authorization_rules | List | [authorization_rules] | No | |
| dot1x_accounting | Boolean | true, false | No | |
| dot1x_accounting_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| dot1x_authentication | Boolean | true, false | No | |
| dot1x_authentication_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| radius_groups | List | [radius_groups] | No | |
| tacacs_groups | List | [tacacs_groups] | No | |
| users | List | [users] | Yes |
accounting_rules (sdwan.feature_profiles.system_profiles.aaa)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| groups | List | String[min: 1, max: 32] | Yes | |
| id | String | max: 32 | Yes | |
| level | Choice | 1, 15 | No | |
| method | Choice | commands, exec, network, system | Yes | |
| start_stop | Boolean | true, false | No | |
| start_stop_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No |
authorization_rules (sdwan.feature_profiles.system_profiles.aaa)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| authenticated | Boolean | true, false | No | |
| groups | List | String[min: 1, max: 32] | Yes | |
| id | String | max: 32 | Yes | |
| level | Choice | 1, 15 | No | |
| method | Choice | commands | Yes |
radius_groups (sdwan.feature_profiles.system_profiles.aaa)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| servers | List | [servers] | Yes | |
| source_interface | String | max: 32 | No | |
| source_interface_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| vpn | Integer | min: 0, max: 65530 | No |
tacacs_groups (sdwan.feature_profiles.system_profiles.aaa)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| servers | List | [servers] | Yes | |
| source_interface | String | max: 32 | No | |
| source_interface_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| vpn | Integer | min: 0, max: 65530 | No |
users (sdwan.feature_profiles.system_profiles.aaa)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | min: 1, max: 64 | No | |
| name_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| password | String | No | ||
| password_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| privilege | Choice | 1, 15 | No | |
| privilege_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| public_key_chains | List | String[Regex: ^AAAA[0-9A-Za-z+/]+[=]{0,3}$] | No |
servers (sdwan.feature_profiles.system_profiles.aaa.radius_groups)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| accounting_port | Integer | min: 1, max: 65534 | No | |
| accounting_port_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| address | IP | Yes | ||
| authentication_port | Integer | min: 1, max: 65534 | No | |
| authentication_port_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| key | String | min: 1 | Yes | |
| key_type | Choice | key, pac | No | |
| key_type_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| retransmit | Integer | min: 1, max: 100 | No | |
| retransmit_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| secret_key | String | min: 1, max: 150 | No | |
| secret_key_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| timeout | Integer | min: 1, max: 1000 | No | |
| timeout_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No |
servers (sdwan.feature_profiles.system_profiles.aaa.tacacs_groups)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| address | IP | Yes | ||
| key | String | min: 1 | Yes | |
| port | Integer | min: 1, max: 65535 | No | |
| port_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No | |
| secret_key | String | min: 1, max: 150 | Yes | |
| timeout | Integer | min: 1, max: 1000 | No | |
| timeout_variable | String | Regex: ^[./\[\]a-zA-Z0-9_-]{1,64}$ | No |
Examples
sdwan:
feature_profiles:
system_profiles:
- name: system
aaa:
name: aaa
description: basic aaa
auth_order:
- tacacs-511
- local
tacacs_groups:
- vpn: 511
source_interface_variable: tacacs_source_interface
servers:
- address: 10.1.1.1
port: 49
key: $CRYPT_CLUSTER$jq34CKAzT5KGdEjIpYarKg==$MZkY/AdOWzm/kiLHOsKHJg==
secret_key: 070c285f4d06485744
- address: 10.1.1.2
key: $CRYPT_CLUSTER$jq34CKAzT5KGdEjIpYarKg==$MZkY/AdOWzm/kiLHOsKHJg==
secret_key: 070c285f4d06485744
users:
- name: admin
password: $6$Oz2ydqNXLLDIsPSG$LhogoactFVb9eJgqgv/O/Zb.FHg74drK4maijc.Q9q/KhyDcPfwrHx9Vy6G9hY7oKWbyas4XKms7f7Znl/ndF.
privilege: 15
- name: failsafe
password: $6$v0UN8x4fkvZd0Lnj$hq13MC.W5ElstGlolO38fshGEYxSechW4K5zEdrJD1trSH30AaNKvL4VUlOtxersGmIDNefPwyrSqbJpCpXGJ.
privilege: 15
authorization_rules:
- id: rule1
method: commands
level: 15
groups:
- tacacs-511
authenticated: true