# AAA Settings

Location in GUI: Admin » AAA » Authentication » AAA
## Classes

### aaa (apic.fabric_policies)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
remote_user_login_policy | Choice | assign-default-role, no-login | No | no-login |
default_fallback_check | Boolean | true, false | No | false |
default_realm | Choice | local, tacacs, ldap, radius | No | local |
default_login_domain | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |
console_realm | Choice | local, tacacs, ldap, radius | No | local |
console_login_domain | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |
management_settings | Class | [management_settings] | No | |
security_domains | List | [security_domains] | No | |
### management_settings (apic.fabric_policies.aaa)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
password_strength_check | Boolean | true, false | No | false |
password_strength_profile | Class | [password_strength_profile] | No | |
password_change_during_interval | Boolean | true, false | No | true |
password_change_count | Integer | min: 0, max: 10 | No | 2 |
password_change_interval | Integer | min: 0, max: 745 | No | 48 |
password_no_change_interval | Integer | min: 0, max: 745 | No | 24 |
password_history_count | Integer | min: 0, max: 15 | No | 5 |
web_token_timeout | Integer | min: 300, max: 9600 | No | 600 |
web_token_max_validity | Integer | min: 4, max: 24 | No | 24 |
web_session_idle_timeout | Integer | min: 60, max: 65525 | No | 1200 |
include_refresh_session_records | Boolean | true, false | No | true |
enable_login_block | Boolean | true, false | No | false |
login_block_duration | Integer | min: 1, max: 1440 | No | 60 |
login_max_failed_attempts | Integer | min: 1, max: 15 | No | 5 |
login_max_failed_attempts_window | Integer | min: 1, max: 720 | No | 5 |
### security_domains (apic.fabric_policies.aaa)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
description | String | Regex: `^[a-zA-Z0-9\\!#$%()*,-./:;@ _{\|}~?&+]{1,128}$` | No | |
restricted_rbac_domain | Boolean | true, false | No | false |
### password_strength_profile (apic.fabric_policies.aaa.management_settings)

Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
password_mininum_length | Integer | min: 8, max: 64 | No | 8 |
password_maximum_length | Integer | min: 8, max: 64 | No | 64 |
password_strength_test_type | Choice | default, custom | No | default |
password_class_flags | List | Choice[digits, lowercase, specialchars, uppercase] | No | |
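The tables above give the constraints but nothing on the page checks them before a plan is pushed to the fabric, and several of the secure settings (password strength check, login blocking) are off by default. The following is an added example, not part of the Network-as-Code project, of a small linter that takes an `aaa` block (as the Python dict that a YAML loader would produce) and reports schema violations as ERROR and weak-but-valid defaults as WARN. The sample configurations are constructed here; the warning that a `password_strength_profile` has no effect while `password_strength_check` is `false`, and that `assign-default-role` grants remote users without a server-assigned role a default role, are assumptions about APIC behaviour, not statements from this page.

```python
import re

# Constraints transcribed from the aaa, management_settings, security_domains and
# password_strength_profile tables on this page.
NAME_RE = re.compile(r"^[a-zA-Z0-9_.:-]{1,64}$")
REALMS = {"local", "tacacs", "ldap", "radius"}
LOGIN_POLICIES = {"assign-default-role", "no-login"}
CLASS_FLAGS = {"digits", "lowercase", "specialchars", "uppercase"}
MS_RANGES = {  # management_settings integer fields: (min, max)
    "password_change_count": (0, 10),
    "password_change_interval": (0, 745),
    "password_no_change_interval": (0, 745),
    "password_history_count": (0, 15),
    "web_token_timeout": (300, 9600),
    "web_token_max_validity": (4, 24),
    "web_session_idle_timeout": (60, 65525),
    "login_block_duration": (1, 1440),
    "login_max_failed_attempts": (1, 15),
    "login_max_failed_attempts_window": (1, 720),
}


def lint_aaa(aaa: dict) -> list[str]:
    """Return ERROR/WARN findings for one apic.fabric_policies.aaa block."""
    out: list[str] = []

    def err(msg: str) -> None:
        out.append("ERROR " + msg)

    def warn(msg: str) -> None:
        out.append("WARN " + msg)

    # A non-local realm needs a login domain to point at; the domain name has a regex.
    for realm_key, dom_key in (("default_realm", "default_login_domain"),
                               ("console_realm", "console_login_domain")):
        realm = aaa.get(realm_key, "local")
        if realm not in REALMS:
            err(f"{realm_key}={realm!r} not in {sorted(REALMS)}")
        dom = aaa.get(dom_key)
        if dom is not None and not NAME_RE.match(str(dom)):
            err(f"{dom_key}={dom!r} violates {NAME_RE.pattern}")
        if realm != "local" and not dom:
            err(f"{realm_key}={realm} but {dom_key} is unset")

    policy = aaa.get("remote_user_login_policy", "no-login")
    if policy not in LOGIN_POLICIES:
        err(f"remote_user_login_policy={policy!r} not in {sorted(LOGIN_POLICIES)}")
    elif policy == "assign-default-role":  # assumption about APIC behaviour, see lead-in
        warn("remote_user_login_policy=assign-default-role: remote users with no "
             "server-assigned role still get a default role")

    ms = aaa.get("management_settings") or {}
    for key, (lo, hi) in MS_RANGES.items():
        if key in ms and not (isinstance(ms[key], int) and lo <= ms[key] <= hi):
            err(f"management_settings.{key}={ms[key]!r} outside {lo}..{hi}")
    strength_on = bool(ms.get("password_strength_check", False))
    if not strength_on:
        warn("password_strength_check is false (schema default): local passwords are not checked")
    if not ms.get("enable_login_block", False):
        warn("enable_login_block is false (schema default): no lockout after failed logins")

    prof = ms.get("password_strength_profile")
    if prof is not None:
        if not strength_on:  # assumption about APIC behaviour, see lead-in
            warn("password_strength_profile is set while password_strength_check is false; "
                 "enable the check so the profile is applied")
        mn = prof.get("password_mininum_length", 8)  # key spelled as in the schema
        mx = prof.get("password_maximum_length", 64)
        for key, val in (("password_mininum_length", mn), ("password_maximum_length", mx)):
            if not (isinstance(val, int) and 8 <= val <= 64):
                err(f"password_strength_profile.{key}={val!r} outside 8..64")
        if isinstance(mn, int) and isinstance(mx, int) and mn > mx:
            err(f"password_mininum_length {mn} exceeds password_maximum_length {mx}")
        test_type = prof.get("password_strength_test_type", "default")
        if test_type not in {"default", "custom"}:
            err(f"password_strength_test_type={test_type!r} not in ['custom', 'default']")
        flags = prof.get("password_class_flags") or []
        for flag in flags:
            if flag not in CLASS_FLAGS:
                err(f"password_class_flags contains {flag!r}, not in {sorted(CLASS_FLAGS)}")
        if test_type == "custom" and not flags:
            warn("password_strength_test_type=custom with no password_class_flags: "
                 "no character class is required")

    seen: set[str] = set()
    for sd in aaa.get("security_domains") or []:
        name = sd.get("name")
        if name is None:
            err("security_domains entry without the mandatory name")
            continue
        if not NAME_RE.match(str(name)):
            err(f"security_domains.name={name!r} violates {NAME_RE.pattern}")
        if name in seen:
            err(f"security_domains.name={name!r} defined twice")
        seen.add(name)
    return out


def errors(findings: list[str]) -> list[str]:
    """Keep only the findings that would block a deployment."""
    return [f for f in findings if f.startswith("ERROR")]


# Constructed sample inputs: a valid block and one with three schema violations.
SAMPLE_OK = {
    "security_domains": [{"name": "secDomain1", "restricted_rbac_domain": True}],
    "management_settings": {
        "password_strength_check": True,
        "password_strength_profile": {
            "password_mininum_length": 8,
            "password_maximum_length": 64,
            "password_strength_test_type": "custom",
            "password_class_flags": ["lowercase", "uppercase"],
        },
    },
}
SAMPLE_BROKEN = {
    "default_realm": "radius",  # no default_login_domain given
    "management_settings": {
        "web_token_timeout": 100,  # below the schema minimum of 300
        "password_strength_check": True,
        "password_strength_profile": {"password_mininum_length": 20,
                                      "password_maximum_length": 12},
    },
}

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(label, *lint_aaa(cfg), sep="\n  ")
```

Run it over the `aaa:` dict from your own `fabric_policies` file (for example with `yaml.safe_load`) in a pre-commit hook or CI job; treat any ERROR as a failed check and review the WARN lines, since each of them names a default this page documents as off.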
## Examples

Example 1: In this example we set the default authentication method for GUI and console to RADIUS, using the login domain yourDomainRadius, which was created with both of our configured RADIUS servers.

```yaml
apic:
  fabric_policies:
    aaa:
      default_realm: radius
      default_login_domain: yourDomainRadius
      console_realm: radius
      console_login_domain: yourDomainRadius
```
Example 2: In this example we set the default authentication method for GUI and console to TACACS+, using the login domain yourDomainTacacs, which was created with both of our configured TACACS+ servers.

```yaml
apic:
  fabric_policies:
    aaa:
      default_realm: tacacs
      default_login_domain: yourDomainTacacs
      console_realm: tacacs
      console_login_domain: yourDomainTacacs
```
Example 3: In this example we set the default authentication method for GUI and console to local, where the local realm represents locally created users.

```yaml
apic:
  fabric_policies:
    aaa:
      default_realm: local
      default_login_domain: local
      console_realm: local
      console_login_domain: local
```
Example 4: In this example we create a security domain called secDomain1 with restricted RBAC enabled, so that users assigned to it cannot see or modify policies created by users in other security domains. In management_settings we also enable the strength check for local passwords: a password must be between 8 and 64 characters long and must contain both lowercase and uppercase characters. Note that password_strength_check defaults to false, so the profile below only takes effect because the check is explicitly enabled, and that this custom profile does not require digits or special characters.

```yaml
apic:
  fabric_policies:
    aaa:
      security_domains:
        - name: secDomain1
          restricted_rbac_domain: true
      management_settings:
        password_strength_check: true
        password_strength_profile:
          password_mininum_length: 8
          password_maximum_length: 64
          password_strength_test_type: custom
          password_class_flags:
            - lowercase
            - uppercase
```
Example 5: In this example we set the maximum lifetime of an authentication token to 24 hours with web_token_max_validity. web_token_timeout sets the token to become invalid if it is not used for 600 seconds, and web_session_idle_timeout requires re-authentication for a web GUI session that has been idle for 1200 seconds.

```yaml
apic:
  fabric_policies:
    aaa:
      management_settings:
        web_token_timeout: 600
        web_token_max_validity: 24
        web_session_idle_timeout: 1200
```