AAA Settings
Location in GUI: Admin » AAA » Authentication » AAA
Diagram
Classes
aaa (apic.fabric_policies)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| remote_user_login_policy | Choice | assign-default-role, no-login | No | no-login |
| default_fallback_check | Boolean | true, false | No | false |
| default_realm | Choice | local, tacacs, ldap, radius | No | local |
| default_login_domain | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| console_realm | Choice | local, tacacs, ldap, radius | No | local |
| console_login_domain | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| management_settings | Class | [management_settings] | No | |
| security_domains | List | [security_domains] | No | |
management_settings (apic.fabric_policies.aaa)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| password_strength_check | Boolean | true, false | No | false |
| password_strength_profile | Class | [password_strength_profile] | No | |
| password_change_during_interval | Boolean | true, false | No | true |
| password_change_count | Integer | min: 0, max: 10 | No | 2 |
| password_change_interval | Integer | min: 0, max: 745 | No | 48 |
| password_no_change_interval | Integer | min: 0, max: 745 | No | 24 |
| password_history_count | Integer | min: 0, max: 15 | No | 5 |
| web_token_timeout | Integer | min: 300, max: 9600 | No | 600 |
| web_token_max_validity | Integer | min: 4, max: 24 | No | 24 |
| web_session_idle_timeout | Integer | min: 60, max: 65525 | No | 1200 |
| include_refresh_session_records | Boolean | true, false | No | true |
| enable_login_block | Boolean | true, false | No | false |
| login_block_duration | Integer | min: 1, max: 1440 | No | 60 |
| login_max_failed_attempts | Integer | min: 1, max: 15 | No | 5 |
| login_max_failed_attempts_window | Integer | min: 1, max: 720 | No | 5 |
security_domains (apic.fabric_policies.aaa)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| description | String | Regex: ^[a-zA-Z0-9\\!#$%()*,-./:;@ _{|}~?&+]{1,128}$ | No | |
| restricted_rbac_domain | Boolean | true, false | No | false |
password_strength_profile (apic.fabric_policies.aaa.management_settings)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| password_mininum_length | Integer | min: 8, max: 64 | No | 8 |
| password_maximum_length | Integer | min: 8, max: 64 | No | 64 |
| password_strength_test_type | Choice | default, custom | No | default |
| password_class_flags | List | Choice[digits, lowercase, specialchars, uppercase] | No | |
Examples
Example 1: In this example we set the default authentication method for the GUI and the console to radius, using the login domain that was created with both of our configured radius servers.

```yaml
apic:
  fabric_policies:
    aaa:
      default_realm: radius
      default_login_domain: yourDomainRadius
      console_realm: radius
      console_login_domain: yourDomainRadius
```

Example 2: In this example we set the default authentication method for the GUI and the console to tacacs, using the login domain that was created with both of our configured tacacs servers.

```yaml
apic:
  fabric_policies:
    aaa:
      default_realm: tacacs
      default_login_domain: yourDomainTacacs
      console_realm: tacacs
      console_login_domain: yourDomainTacacs
```

Example 3: In this example we set the default authentication method for the GUI and the console to local, where the local realm represents locally created users.

```yaml
apic:
  fabric_policies:
    aaa:
      default_realm: local
      default_login_domain: local
      console_realm: local
      console_login_domain: local
```

Example 4: In this example we create a security domain called secDomain1 with restricted RBAC enabled. In the management_settings we also enable the strong password check for local passwords: they must have a minimum length of 8 and a maximum length of 64, and must contain both lowercase and uppercase characters.

```yaml
apic:
  fabric_policies:
    aaa:
      security_domains:
        - name: secDomain1
          restricted_rbac_domain: true
      management_settings:
        password_strength_check: true
        password_strength_profile:
          password_mininum_length: 8
          password_maximum_length: 64
          password_strength_test_type: custom
          password_class_flags:
            - lowercase
            - uppercase
```

Example 5: In this example we set the maximum lifetime of an authentication token to 24 hours using the web_token_max_validity setting. web_token_timeout marks a token as invalid if it has not been used for 600 seconds, and web_session_idle_timeout forces re-authentication after 1200 seconds of inactivity for sessions on the web GUI.

```yaml
apic:
  fabric_policies:
    aaa:
      management_settings:
        web_token_timeout: 600
        web_token_max_validity: 24
        web_session_idle_timeout: 1200
```
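The following is an added pre-commit style check, not part of the Nexus-as-Code project, that validates an `aaa` fragment against the constraints listed in the tables above (name regex, realm choices, integer ranges, mandatory `name` on security domains) and flags the two protections whose page default is `false`; the merged sample input and the `weak_defaults` policy are my own assumptions.

```python
import re

# Constraints transcribed from the aaa, management_settings and
# security_domains tables above (integer ranges are inclusive min..max).
NAME_RE = re.compile(r"^[a-zA-Z0-9_.:-]{1,64}$")
REALMS = {"local", "tacacs", "ldap", "radius"}
INT_RANGES = {
    "password_change_count": (0, 10), "password_change_interval": (0, 745),
    "password_no_change_interval": (0, 745), "password_history_count": (0, 15),
    "web_token_timeout": (300, 9600), "web_token_max_validity": (4, 24),
    "web_session_idle_timeout": (60, 65525), "login_block_duration": (1, 1440),
    "login_max_failed_attempts": (1, 15), "login_max_failed_attempts_window": (1, 720),
}

def validate_aaa(aaa):
    """Return constraint violations for an 'aaa' dict (empty list = valid)."""
    errors = []
    for realm_key, domain_key in (("default_realm", "default_login_domain"),
                                  ("console_realm", "console_login_domain")):
        realm = aaa.get(realm_key, "local")  # page default is local
        if realm not in REALMS:
            errors.append(f"{realm_key}: {realm!r} not one of {sorted(REALMS)}")
        domain = aaa.get(domain_key)
        if domain is not None and not NAME_RE.match(domain):
            errors.append(f"{domain_key}: {domain!r} fails name regex")
    ms = aaa.get("management_settings", {})
    for key, (lo, hi) in INT_RANGES.items():
        if key in ms and not lo <= ms[key] <= hi:
            errors.append(f"{key}: {ms[key]} outside {lo}..{hi}")
    for sd in aaa.get("security_domains", []):
        if not NAME_RE.match(str(sd.get("name", ""))):  # name is mandatory
            errors.append(f"security_domains: name {sd.get('name')!r} invalid")
    return errors

def weak_defaults(aaa):
    """Assumed hardening policy: report protections left at their false default."""
    ms = aaa.get("management_settings", {})
    return [k for k in ("password_strength_check", "enable_login_block")
            if not ms.get(k, False)]

# Constructed sample merging Examples 4 and 5, with web_token_timeout
# deliberately set below its minimum of 300 to trigger one violation.
SAMPLE = {
    "default_realm": "radius", "default_login_domain": "yourDomainRadius",
    "security_domains": [{"name": "secDomain1", "restricted_rbac_domain": True}],
    "management_settings": {
        "password_strength_check": True, "web_token_timeout": 100,
        "web_token_max_validity": 24, "web_session_idle_timeout": 1200,
    },
}
```

Running `validate_aaa(SAMPLE)` reports only the out-of-range token timeout, and `weak_defaults(SAMPLE)` reports that `enable_login_block` was never turned on.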