AAA Settings

Location in GUI: Admin » AAA » Authentication » AAA

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| remote_user_login_policy | Choice | assign-default-role, no-login | No | no-login |
| default_fallback_check | Boolean | true, false | No | false |
| default_realm | Choice | local, tacacs, ldap, radius | No | local |
| default_login_domain | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |
| console_realm | Choice | local, tacacs, ldap, radius | No | local |
| console_login_domain | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |
| management_settings | Class | [management_settings] | No | |
| security_domains | List | [security_domains] | No | |

management_settings (apic.fabric_policies.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| password_strength_check | Boolean | true, false | No | false |
| password_strength_profile | Class | [password_strength_profile] | No | |
| password_change_during_interval | Boolean | true, false | No | true |
| password_change_count | Integer | min: 0, max: 10 | No | 2 |
| password_change_interval | Integer | min: 0, max: 745 | No | 48 |
| password_no_change_interval | Integer | min: 0, max: 745 | No | 24 |
| password_history_count | Integer | min: 0, max: 15 | No | 5 |
| web_token_timeout | Integer | min: 300, max: 9600 | No | 600 |
| web_token_max_validity | Integer | min: 4, max: 24 | No | 24 |
| web_session_idle_timeout | Integer | min: 60, max: 65525 | No | 1200 |
| include_refresh_session_records | Boolean | true, false | No | true |
| enable_login_block | Boolean | true, false | No | false |
| login_block_duration | Integer | min: 1, max: 1440 | No | 60 |
| login_max_failed_attempts | Integer | min: 1, max: 15 | No | 5 |
| login_max_failed_attempts_window | Integer | min: 1, max: 720 | No | 5 |

security_domains (apic.fabric_policies.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
| description | String | Regex: `^[a-zA-Z0-9\\!#$%()*,-./:;@ _{\|}~?&+]{1,128}$` | No | |
| restricted_rbac_domain | Boolean | true, false | No | false |

password_strength_profile (apic.fabric_policies.aaa.management_settings)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| password_mininum_length | Integer | min: 8, max: 64 | No | 8 |
| password_maximum_length | Integer | min: 8, max: 64 | No | 64 |
| password_strength_test_type | Choice | default, custom | No | default |
| password_class_flags | ListChoice | [digits, lowercase, specialchars, uppercase] | No | |
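The tables above are the whole contract for the `aaa` block: choices, regexes, integer ranges and one mandatory field. A pre-flight check that rejects an out-of-range or misspelled value before it reaches the fabric is cheap insurance, since a silently ignored login-block or token-timeout value weakens the policy without anyone noticing. The validator below is an added example, not part of this page or of the Network-as-Code project; it transcribes the constraints from the tables into Python and runs them over two constructed `aaa` dictionaries (one built from Examples 4 and 5 further down, one deliberately wrong). The `validate_aaa`, `GOOD_AAA` and `BAD_AAA` names are the example's own, and the minimum-not-above-maximum check is an assumption the tables do not state.

```python
import re

# Constraints transcribed from the AAA settings tables above.
NAME_RE = re.compile(r"^[a-zA-Z0-9_.:-]{1,64}$")
DESCRIPTION_RE = re.compile(r"^[a-zA-Z0-9\\!#$%()*,-./:;@ _{|}~?&+]{1,128}$")
REALMS = {"local", "tacacs", "ldap", "radius"}
CHOICES = {
    "remote_user_login_policy": {"assign-default-role", "no-login"},
    "default_realm": REALMS,
    "console_realm": REALMS,
}
CLASS_FLAGS = {"digits", "lowercase", "specialchars", "uppercase"}
# integer setting -> (min, max) as listed for management_settings
MGMT_INT_RANGES = {
    "password_change_count": (0, 10),
    "password_change_interval": (0, 745),
    "password_no_change_interval": (0, 745),
    "password_history_count": (0, 15),
    "web_token_timeout": (300, 9600),
    "web_token_max_validity": (4, 24),
    "web_session_idle_timeout": (60, 65525),
    "login_block_duration": (1, 1440),
    "login_max_failed_attempts": (1, 15),
    "login_max_failed_attempts_window": (1, 720),
}
PROFILE_INT_RANGES = {"password_mininum_length": (8, 64), "password_maximum_length": (8, 64)}


def _check_int(errors, path, value, lo, hi):
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        errors.append(f"{path}: {value!r} is not an integer in [{lo}, {hi}]")


def validate_aaa(aaa):
    """Return the constraint violations found in an apic.fabric_policies.aaa block."""
    errors = []
    for key, allowed in CHOICES.items():
        if key in aaa and aaa[key] not in allowed:
            errors.append(f"{key}: {aaa[key]!r} not one of {sorted(allowed)}")
    for key in ("default_login_domain", "console_login_domain"):
        if key in aaa and not NAME_RE.match(str(aaa[key])):
            errors.append(f"{key}: {aaa[key]!r} does not match {NAME_RE.pattern}")

    mgmt = aaa.get("management_settings", {})
    for key, (lo, hi) in MGMT_INT_RANGES.items():
        if key in mgmt:
            _check_int(errors, f"management_settings.{key}", mgmt[key], lo, hi)

    profile = mgmt.get("password_strength_profile", {})
    for key, (lo, hi) in PROFILE_INT_RANGES.items():
        if key in profile:
            _check_int(errors, f"password_strength_profile.{key}", profile[key], lo, hi)
    if profile.get("password_strength_test_type", "default") not in {"default", "custom"}:
        errors.append("password_strength_profile.password_strength_test_type: must be default or custom")
    for flag in profile.get("password_class_flags", []):
        if flag not in CLASS_FLAGS:
            errors.append(f"password_strength_profile.password_class_flags: unknown flag {flag!r}")
    # Cross-field check added as an assumption; the table only lists per-field ranges.
    if profile.get("password_mininum_length", 8) > profile.get("password_maximum_length", 64):
        errors.append("password_strength_profile: minimum length exceeds maximum length")

    for i, domain in enumerate(aaa.get("security_domains", [])):
        path = f"security_domains[{i}]"
        if "name" not in domain:
            errors.append(f"{path}.name: mandatory field missing")
        elif not NAME_RE.match(str(domain["name"])):
            errors.append(f"{path}.name: {domain['name']!r} does not match {NAME_RE.pattern}")
        if "description" in domain and not DESCRIPTION_RE.match(str(domain["description"])):
            errors.append(f"{path}.description: does not match the description regex")
    return errors


# Constructed sample input: Examples 4 and 5 from this page merged into one valid block.
GOOD_AAA = {
    "default_realm": "radius", "default_login_domain": "yourDomainRadius",
    "console_realm": "radius", "console_login_domain": "yourDomainRadius",
    "security_domains": [{"name": "secDomain1", "restricted_rbac_domain": True}],
    "management_settings": {
        "password_strength_check": True, "web_token_timeout": 600,
        "web_token_max_validity": 24, "web_session_idle_timeout": 1200,
        "password_strength_profile": {
            "password_mininum_length": 8, "password_maximum_length": 64,
            "password_strength_test_type": "custom", "password_class_flags": ["lowercase", "uppercase"],
        },
    },
}
# Constructed sample input carrying six violations (bad realm, space in domain name,
# token timeout below 300, unknown class flag, min > max, security domain without a name).
BAD_AAA = {
    "default_realm": "kerberos", "default_login_domain": "bad domain",
    "management_settings": {"web_token_timeout": 100, "password_strength_profile": {
        "password_mininum_length": 20, "password_maximum_length": 12, "password_class_flags": ["digits", "emoji"]}},
    "security_domains": [{"restricted_rbac_domain": True}],
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_AAA), ("bad", BAD_AAA)):
        print(label, validate_aaa(cfg) or "OK")
```

Feed it the `aaa` sub-tree of a parsed YAML file (for instance the output of `yaml.safe_load`) and fail the pipeline step when the returned list is non-empty; the messages name the offending key and the range or pattern it violated.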

Example 1: In this example we set the default authentication method for GUI and console to radius, using the login domain yourDomainRadius that was created with both of our configured radius servers.

```yaml
apic:
  fabric_policies:
    aaa:
      default_realm: radius
      default_login_domain: yourDomainRadius
      console_realm: radius
      console_login_domain: yourDomainRadius
```

Example 2: In this example we set the default authentication method for GUI and console to tacacs, using the login domain yourDomainTacacs that was created with both of our configured tacacs servers.

```yaml
apic:
  fabric_policies:
    aaa:
      default_realm: tacacs
      default_login_domain: yourDomainTacacs
      console_realm: tacacs
      console_login_domain: yourDomainTacacs
```

Example 3: In this example we set the default authentication method for GUI and console to local, where the local realm represents locally created users.

```yaml
apic:
  fabric_policies:
    aaa:
      default_realm: local
      default_login_domain: local
      console_realm: local
      console_login_domain: local
```

Example 4: In this example we create a security domain called secDomain1 with restricted RBAC enabled. In the management_settings we also enable the strong password check for local passwords: they must be at least 8 and at most 64 characters long and must contain both lowercase and uppercase characters.

```yaml
apic:
  fabric_policies:
    aaa:
      security_domains:
        - name: secDomain1
          restricted_rbac_domain: true
      management_settings:
        password_strength_check: true
        password_strength_profile:
          password_mininum_length: 8
          password_maximum_length: 64
          password_strength_test_type: custom
          password_class_flags:
            - lowercase
            - uppercase
```
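To see what the custom profile above actually enforces on a local account, the following added example (not from this page or the Network-as-Code project) evaluates candidate passwords against the Example 4 profile and reports why each one would be rejected. It models only what the tables show: the length bounds and the class flags of a `custom` test. What the built-in `default` test checks is not described on the page, so it is not modelled, and treating ASCII punctuation as the `specialchars` class is an assumption. `password_failures`, `CLASS_TESTS` and `PROFILE` are names chosen for the example.

```python
import string

# The profile from Example 4, as a constructed sample input.
PROFILE = {
    "password_mininum_length": 8,
    "password_maximum_length": 64,
    "password_strength_test_type": "custom",
    "password_class_flags": ["lowercase", "uppercase"],
}

# Character classes behind each flag. digits/lowercase/uppercase are the obvious
# mapping; which characters APIC counts as "specialchars" is not stated on the page,
# so ASCII punctuation is an assumption here.
CLASS_TESTS = {
    "digits": lambda p: any(c.isdigit() for c in p),
    "lowercase": lambda p: any(c.islower() for c in p),
    "uppercase": lambda p: any(c.isupper() for c in p),
    "specialchars": lambda p: any(c in string.punctuation for c in p),
}


def password_failures(password, profile):
    """Return the reasons a candidate local password fails the profile (empty list = accepted).

    Only the length bounds and the class flags of a custom test are modelled; the page
    does not describe what the built-in 'default' test checks.
    """
    failures = []
    lo = profile.get("password_mininum_length", 8)
    hi = profile.get("password_maximum_length", 64)
    if not lo <= len(password) <= hi:
        failures.append(f"length {len(password)} not within [{lo}, {hi}]")
    if profile.get("password_strength_test_type", "default") == "custom":
        for flag in profile.get("password_class_flags", []):
            if not CLASS_TESTS[flag](password):
                failures.append(f"missing required character class: {flag}")
    return failures


if __name__ == "__main__":
    # Constructed candidates: one accepted, one lacking uppercase, one too short.
    for candidate in ("Correct7Horse", "alllowercase", "Ab1"):
        print(candidate, password_failures(candidate, PROFILE) or "accepted")
```

Adding `digits` or `specialchars` to `password_class_flags` in `PROFILE` tightens the check in the same way the fabric would, which makes the function a convenient way to trial a profile before rolling it out to local users.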

Example 5: In this example we set the maximum lifetime of an authentication token to 24 hours using the web_token_max_validity setting. web_token_timeout marks a token invalid once it has gone unused for 600 seconds, and web_session_idle_timeout demands reauthentication after 1200 seconds of inactivity for sessions on the web GUI.

```yaml
apic:
  fabric_policies:
    aaa:
      management_settings:
        web_token_timeout: 600
        web_token_max_validity: 24
        web_session_idle_timeout: 1200
```