AAA Settings

Version:

Location in GUI: Admin » AAA » Authentication » AAA

Diagram

Classes

aaa (apic.fabric_policies)

Name	Type	Constraint	Mandatory	Default Value
remote_user_login_policy	Choice	`assign-default-role`, `no-login`	No	`no-login`
default_fallback_check	Boolean	`true`, `false`	No	`false`
default_realm	Choice	`local`, `tacacs`, `ldap`, `radius`	No	`local`
default_login_domain	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
console_realm	Choice	`local`, `tacacs`, `ldap`, `radius`	No	`local`
console_login_domain	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
management_settings	Class	`[management_settings]`	No
security_domains	List	`[security_domains]`	No

management_settings (apic.fabric_policies.aaa)

Name	Type	Constraint	Mandatory	Default Value
password_strength_check	Boolean	`true`, `false`	No	`false`
password_strength_profile	Class	`[password_strength_profile]`	No
password_change_during_interval	Boolean	`true`, `false`	No	`true`
password_change_count	Integer	min: `0`, max: `10`	No	`2`
password_change_interval	Integer	min: `0`, max: `745`	No	`48`
password_no_change_interval	Integer	min: `0`, max: `745`	No	`24`
password_history_count	Integer	min: `0`, max: `15`	No	`5`
web_token_timeout	Integer	min: `300`, max: `9600`	No	`600`
web_token_max_validity	Integer	min: `4`, max: `24`	No	`24`
web_session_idle_timeout	Integer	min: `60`, max: `65525`	No	`1200`
include_refresh_session_records	Boolean	`true`, `false`	No	`true`
enable_login_block	Boolean	`true`, `false`	No	`false`
login_block_duration	Integer	min: `1`, max: `1440`	No	`60`
login_max_failed_attempts	Integer	min: `1`, max: `15`	No	`5`
login_max_failed_attempts_window	Integer	min: `1`, max: `720`	No	`5`

security_domains (apic.fabric_policies.aaa)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
description	String	Regex: `^[a-zA-Z0-9\\!#$%()*,-./:;@ _{\|}~?&+]{1,128}$`	No
restricted_rbac_domain	Boolean	`true`, `false`	No	`false`

password_strength_profile (apic.fabric_policies.aaa.management_settings)

Name	Type	Constraint	Mandatory	Default Value
password_mininum_length	Integer	min: `8`, max: `64`	No	`8`
password_maximum_length	Integer	min: `8`, max: `64`	No	`64`
password_strength_test_type	Choice	`default`, `custom`	No	`default`
password_class_flags	List	Choice[`digits`, `lowercase`, `specialchars`, `uppercase`]	No

Examples

Example 1: In this example we set the default authentication method for GUI and console to radius with the login_domain created using both of our configured radius servers.

apic:
  fabric_policies:
    aaa:
      default_realm: radius
      default_login_domain: yourDomainRadius
      console_realm: radius
      console_login_domain: yourDomainRadius

Example 2: In this example we set the default authentication method for GUI and console to tacacs with the login_domain created using both of our configured tacacs servers.

apic:
  fabric_policies:
    aaa:
      default_realm: tacacs
      default_login_domain: yourDomainTacacs
      console_realm: tacacs
      console_login_domain: yourDomainTacacs

Example 3: In this example we set the default authentication method for GUI and console to local, where the local realm represents locally created users.

apic:
  fabric_policies:
    aaa:
      default_realm: local
      default_login_domain: local
      console_realm: local
      console_login_domain: local

Example 4: In this example below we have created a security domain called secDomain1 where restricted RBAC has been enabled. Also in the management_settings we enable strong password check for local passwords, where they need to be of minimum length 8 and maximum length of 64 and needs to consist of lower case and uppercase characters.

apic:
  fabric_policies:
    aaa:
      security_domains:
        - name: secDomain1
          restricted_rbac_domain: true
      management_settings:
        password_strength_check: true
        password_strength_profile:
          password_mininum_length: 8
          password_maximum_length: 64
          password_strength_test_type: custom
          password_class_flags:
            - lowercase
            - uppercase

Example 5: In this example we defined the maximum lifetime of an authentication token to 24 hours using the web_token_max_validity setting. Where web_token_timeout defines a token will be marked invalid if not used after 600 seconds, where the web_session_idle_timeout defines to demand reauthentication after 1200 seconds for idle sessions on the web GUI.

apic:
  fabric_policies:
    aaa:
      management_settings:
        web_token_timeout: 600
        web_token_max_validity: 24
        web_session_idle_timeout: 1200

Location in GUI: Admin » AAA » Authentication » AAA

Diagram

Classes

aaa (apic.fabric_policies)

Name	Type	Constraint	Mandatory	Default Value
remote_user_login_policy	Choice	`assign-default-role`, `no-login`	No	`no-login`
default_fallback_check	Boolean	`true`, `false`	No	`false`
default_realm	Choice	`local`, `tacacs`, `ldap`, `radius`	No	`local`
default_login_domain	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
console_realm	Choice	`local`, `tacacs`, `ldap`, `radius`	No	`local`
console_login_domain	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
management_settings	Class	`[management_settings]`	No
security_domains	List	`[security_domains]`	No

management_settings (apic.fabric_policies.aaa)

Name	Type	Constraint	Mandatory	Default Value
password_strength_check	Boolean	`true`, `false`	No	`false`
password_strength_profile	Class	`[password_strength_profile]`	No
password_change_during_interval	Boolean	`true`, `false`	No	`true`
password_change_count	Integer	min: `0`, max: `10`	No	`2`
password_change_interval	Integer	min: `0`, max: `745`	No	`48`
password_no_change_interval	Integer	min: `0`, max: `745`	No	`24`
password_history_count	Integer	min: `0`, max: `15`	No	`5`
web_token_timeout	Integer	min: `300`, max: `9600`	No	`600`
web_token_max_validity	Integer	min: `4`, max: `24`	No	`24`
web_session_idle_timeout	Integer	min: `60`, max: `65525`	No	`1200`
include_refresh_session_records	Boolean	`true`, `false`	No	`true`
enable_login_block	Boolean	`true`, `false`	No	`false`
login_block_duration	Integer	min: `1`, max: `1440`	No	`60`
login_max_failed_attempts	Integer	min: `1`, max: `15`	No	`5`
login_max_failed_attempts_window	Integer	min: `1`, max: `720`	No	`5`

security_domains (apic.fabric_policies.aaa)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
description	String	Regex: `^[a-zA-Z0-9\\!#$%()*,-./:;@ _{\|}~?&+]{1,128}$`	No
restricted_rbac_domain	Boolean	`true`, `false`	No	`false`

password_strength_profile (apic.fabric_policies.aaa.management_settings)

Name	Type	Constraint	Mandatory	Default Value
password_mininum_length	Integer	min: `8`, max: `64`	No	`8`
password_maximum_length	Integer	min: `8`, max: `64`	No	`64`
password_strength_test_type	Choice	`default`, `custom`	No	`default`
password_class_flags	List	Choice[`digits`, `lowercase`, `specialchars`, `uppercase`]	No

Examples

apic:
  fabric_policies:
    aaa:
      remote_user_login_policy: no-login
      default_fallback_check: true
      default_realm: local
      console_realm: tacacs
      console_login_domain: tacacs
      security_domains:
        - name: SEC1
          restricted_rbac_domain: true
      management_settings:
        password_strength_check: true
        password_strength_profile:
          password_mininum_length: 8
          password_maximum_length: 64
          password_strength_test_type: default
          password_class_flags:
            - digits
            - lowercase
            - uppercase
        password_change_during_interval: true
        password_change_count: 2
        password_change_interval: 48
        password_no_change_interval: 24
        password_history_count: 5
        web_token_timeout: 600
        web_token_max_validity: 24
        web_session_idle_timeout: 1200
        include_refresh_session_records: true
        enable_login_block: false
        login_block_duration: 60
        login_max_failed_attempts: 5
        login_max_failed_attempts_window: 5

Location in GUI: Admin » AAA » Authentication » AAA

Diagram

Classes

aaa (apic.fabric_policies)

Name	Type	Constraint	Mandatory	Default Value
remote_user_login_policy	Choice	`assign-default-role`, `no-login`	No	`no-login`
default_fallback_check	Boolean	`true`, `false`	No	`false`
default_realm	Choice	`local`, `tacacs`, `ldap`, `radius`	No	`local`
default_login_domain	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
console_realm	Choice	`local`, `tacacs`, `ldap`, `radius`	No	`local`
console_login_domain	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
management_settings	Class	`[management_settings]`	No
security_domains	List	`[security_domains]`	No

management_settings (apic.fabric_policies.aaa)

Name	Type	Constraint	Mandatory	Default Value
password_strength_check	Boolean	`true`, `false`	No	`false`
password_strength_profile	Class	`[password_strength_profile]`	No
password_change_during_interval	Boolean	`true`, `false`	No	`true`
password_change_count	Integer	min: `0`, max: `10`	No	`2`
password_change_interval	Integer	min: `0`, max: `745`	No	`48`
password_no_change_interval	Integer	min: `0`, max: `745`	No	`24`
password_history_count	Integer	min: `0`, max: `15`	No	`5`
web_token_timeout	Integer	min: `300`, max: `9600`	No	`600`
web_token_max_validity	Integer	min: `4`, max: `24`	No	`24`
web_session_idle_timeout	Integer	min: `600`, max: `65525`	No	`1200`
include_refresh_session_records	Boolean	`true`, `false`	No	`true`
enable_login_block	Boolean	`true`, `false`	No	`false`
login_block_duration	Integer	min: `1`, max: `1440`	No	`60`
login_max_failed_attempts	Integer	min: `1`, max: `15`	No	`5`
login_max_failed_attempts_window	Integer	min: `1`, max: `720`	No	`5`

security_domains (apic.fabric_policies.aaa)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
description	String	Regex: `^[a-zA-Z0-9\\!#$%()*,-./:;@ _{\|}~?&+]{1,128}$`	No
restricted_rbac_domain	Boolean	`true`, `false`	No	`false`

password_strength_profile (apic.fabric_policies.aaa.management_settings)

Name	Type	Constraint	Mandatory	Default Value
password_mininum_length	Integer	min: `8`, max: `64`	No	`8`
password_maximum_length	Integer	min: `8`, max: `64`	No	`64`
password_strength_test_type	Choice	`default`, `custom`	No	`default`
password_class_flags	List	Choice[`digits`, `lowercase`, `specialchars`, `uppercase`]	No

Examples

apic:
  fabric_policies:
    aaa:
      remote_user_login_policy: no-login
      default_fallback_check: true
      default_realm: local
      console_realm: tacacs
      console_login_domain: tacacs
      security_domains:
        - name: SEC1
          restricted_rbac_domain: true
      management_settings:
        password_strength_check: true
        password_strength_profile:
          password_mininum_length: 8
          password_maximum_length: 64
          password_strength_test_type: default
          password_class_flags:
            - digits
            - lowercase
            - uppercase
        password_change_during_interval: true
        password_change_count: 2
        password_change_interval: 48
        password_no_change_interval: 24
        password_history_count: 5
        web_token_timeout: 600
        web_token_max_validity: 24
        web_session_idle_timeout: 1200
        include_refresh_session_records: true
        enable_login_block: false
        login_block_duration: 60
        login_max_failed_attempts: 5
        login_max_failed_attempts_window: 5

Location in GUI: Admin » AAA » Authentication » AAA

Diagram

Classes

aaa (apic.fabric_policies)

Name	Type	Constraint	Mandatory	Default Value
remote_user_login_policy	Choice	`assign-default-role`, `no-login`	No	`no-login`
default_fallback_check	Boolean		No	`false`
default_realm	Choice	`local`, `tacacs`, `ldap`, `radius`	No	`local`
default_login_domain	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
console_realm	Choice	`local`, `tacacs`, `ldap`, `radius`	No	`local`
console_login_domain	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
management_settings	Class	`[management_settings]`	No
security_domains	List	`[security_domains]`	No

management_settings (apic.fabric_policies.aaa)

Name	Type	Constraint	Mandatory	Default Value
password_strength_check	Boolean	`true`, `false`	No	`false`
password_strength_profile	Class	`[password_strength_profile]`	No
password_change_during_interval	Boolean	`true`, `false`	No	`true`
password_change_count	Integer	min: `0`, max: `10`	No	`2`
password_change_interval	Integer	min: `0`, max: `745`	No	`48`
password_no_change_interval	Integer	min: `0`, max: `745`	No	`24`
password_history_count	Integer	min: `0`, max: `15`	No	`5`
web_token_timeout	Integer	min: `300`, max: `9600`	No	`600`
web_token_max_validity	Integer	min: `4`, max: `24`	No	`24`
web_session_idle_timeout	Integer	min: `600`, max: `65525`	No	`1200`
include_refresh_session_records	Boolean	`true`, `false`	No	`true`
enable_login_block	Boolean	`true`, `false`	No	`false`
login_block_duration	Integer	min: `1`, max: `1440`	No	`60`
login_max_failed_attempts	Integer	min: `1`, max: `15`	No	`5`
login_max_failed_attempts_window	Integer	min: `1`, max: `720`	No	`5`

security_domains (apic.fabric_policies.aaa)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
description	String	Regex: `^[a-zA-Z0-9\\!#$%()*,-./:;@ _{\|}~?&+]{1,128}$`	No
restricted_rbac_domain	Boolean	`true`, `false`	No	`false`

password_strength_profile (apic.fabric_policies.aaa.management_settings)

Name	Type	Constraint	Mandatory	Default Value
password_mininum_length	Integer	min: `8`, max: `64`	No	`8`
password_maximum_length	Integer	min: `8`, max: `64`	No	`64`
password_strength_test_type	Choice	`default`, `custom`	No	`default`
password_class_flags	List	Choice[`digits`, `lowercase`, `specialchars`, `uppercase`]	No

Examples

apic:
  fabric_policies:
    aaa:
      remote_user_login_policy: no-login
      default_fallback_check: true
      default_realm: local
      console_realm: tacacs
      console_login_domain: tacacs
      security_domains:
        - name: SEC1
          restricted_rbac_domain: true
      management_settings:
        password_strength_check: true
        password_strength_profile:
          password_mininum_length: 8
          password_maximum_length: 64
          password_strength_test_type: default
          password_class_flags:
            - digits
            - lowercase
            - uppercase
        password_change_during_interval: true
        password_change_count: 2
        password_change_interval: 48
        password_no_change_interval: 24
        password_history_count: 5
        web_token_timeout: 600
        web_token_max_validity: 24
        web_session_idle_timeout: 1200
        include_refresh_session_records: true
        enable_login_block: false
        login_block_duration: 60
        login_max_failed_attempts: 5
        login_max_failed_attempts_window: 5