AAA

AAA (Authentication, Authorization, and Accounting) is a comprehensive security framework that provides centralized access control for network devices and resources. Authentication verifies user identity through credentials, certificates, or other methods; Authorization determines what resources authenticated users can access; and Accounting tracks user activities and resource usage for auditing and billing purposes. This framework integrates with external servers like RADIUS and TACACS+ to provide scalable, centralized security management across enterprise networks.

Diagram

Classes

configuration (iosxe.devices)

Name	Type	Constraint	Mandatory	Default Value
aaa	Class	`[aaa]`	No

aaa (iosxe.devices.configuration)

Name	Type	Constraint	Mandatory
new_model	Boolean	`true`, `false`	No
session_id	Choice	`common`, `unique`	No
local_authentication_type	Choice	`enable`, `local`	No
local_authorization	Boolean	`true`, `false`	No
local_authentication_max_fail_attempts	Integer	min: `1`, max: `65535`	No
radius_dynamic_author	Boolean	`true`, `false`	No
radius_dynamic_author_clients	List	`[radius_dynamic_author_clients]`	No
radius_groups	List	`[radius_groups]`	No
tacacs_groups	List	`[tacacs_groups]`	No
accounting	Class	`[accounting]`	No
authentication	Class	`[authentication]`	No
authorization	Class	`[authorization]`	No
radius	Class	`[radius]`	No
tacacs_servers	List	`[tacacs_servers]`	No
usernames	List	`[usernames]`	No

radius_dynamic_author_clients (iosxe.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
ip	IP		Yes
key_type	Choice	`0`, `6`, `7`	No
key	String		No

radius_groups (iosxe.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
name	String		Yes
server_names	List	String	No
source_interface_type	Choice	`Loopback`, `Vlan`, `GigabitEthernet`, `TwoGigabitEthernet`, `FiveGigabitEthernet`, `TenGigabitEthernet`, `TwentyFiveGigabitEthernet`, `FortyGigabitEthernet`, `HundredGigabitEthernet`	No
source_interface_id	String		No

tacacs_groups (iosxe.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
name	String		Yes
vrf	String		No
server_names	List	String	No
source_interface_type	Choice	`Loopback`, `Vlan`, `GigabitEthernet`, `TwoGigabitEthernet`, `FiveGigabitEthernet`, `TenGigabitEthernet`, `TwentyFiveGigabitEthernet`, `FortyGigabitEthernet`, `HundredGigabitEthernet`	No
source_interface_id	String		No

accounting (iosxe.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
update_newinfo_periodic	Integer		No
system_guarantee_first	Boolean	`true`, `false`	No
identities	List	`[identities]`	No
identity_default_start_stop_groups	List	String	No
commands	List	`[commands]`	No
connections	List	`[connections]`	No
execs	List	`[execs]`	No
networks	List	`[networks]`	No

authentication (iosxe.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
logins	List	`[logins]`	No
dot1xs	List	`[dot1xs]`	No
dot1x_defaults	List	Any[String or Choice[`local`]]	No
enable_defaults	List	`[enable_defaults]`	No

authorization (iosxe.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
commands	List	`[commands]`	No
config_commands	Boolean	`true`, `false`	No
config_lists	List	`[config_lists]`	No
execs	List	`[execs]`	No
networks	List	`[networks]`	No

radius (iosxe.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
attributes	List	`[attributes]`	No
dead_criteria_time	Integer	min: `1`, max: `120`	No
dead_criteria_tries	Integer	min: `1`, max: `100`	No
deadtime	Integer	min: `1`, max: `1440`	No
servers	List	`[servers]`	No

tacacs_servers (iosxe.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
name	String		Yes
ip	IP		Yes
timeout	Integer	min: `1`, max: `1000`	No
key	String		No
encryption	Any	`0`, `6`, `7`	No

usernames (iosxe.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
name	String		Yes
privilege	Integer	min: `0`, max: `15`	No
description	String		No
password_encryption	Choice	`0`, `6`, `7`	No
password	String		No
secret_encryption	Choice	`0`, `5`, `8`, `9`	No
secret	String		No

identities (iosxe.devices.configuration.aaa.accounting)

Name	Type	Constraint	Mandatory
name	String		Yes
start_stop_broadcast	Boolean	`true`, `false`	No
start_stop_group_broadcast	Boolean	`true`, `false`	No
start_stop_group_logger	Boolean	`true`, `false`	No
start_stop_groups	List	String	No
identity_default_start_stop_groups	List	String	No

commands (iosxe.devices.configuration.aaa.accounting)

Name	Type	Constraint	Mandatory
level	Integer	min: `0`, max: `15`	Yes
list_name	String		Yes
action_type	Choice	`start-stop`, `stop-only`	No
broadcast	Boolean	`true`, `false`	No
group_broadcast	Boolean	`true`, `false`	No
group_logger	Boolean	`true`, `false`	No
groups	List	String	No

connections (iosxe.devices.configuration.aaa.accounting)

Name	Type	Constraint	Mandatory
name	String		Yes
default	Boolean	`true`, `false`	No
none	Boolean	`true`, `false`	No
start_stop_broadcast	Boolean	`true`, `false`	No
start_stop_group_logger	Boolean	`true`, `false`	No
start_stop_groups	List	String	No
stop_only_broadcast	Boolean	`true`, `false`	No
stop_only_group_logger	Boolean	`true`, `false`	No
stop_only_groups	List	String	No
wait_start_broadcast	Boolean	`true`, `false`	No
wait_start_group_logger	Boolean	`true`, `false`	No
wait_start_groups	List	String	No

execs (iosxe.devices.configuration.aaa.accounting)

Name	Type	Constraint	Mandatory
name	String		Yes
none	Boolean	`true`, `false`	No
start_stop_broadcast	Boolean	`true`, `false`	No
start_stop_group_logger	Boolean	`true`, `false`	No
start_stop_groups	List	String	No
stop_only_broadcast	Boolean	`true`, `false`	No
stop_only_group_logger	Boolean	`true`, `false`	No
stop_only_groups	List	String	No
wait_start_broadcast	Boolean	`true`, `false`	No
wait_start_group_logger	Boolean	`true`, `false`	No
wait_start_groups	List	String	No

networks (iosxe.devices.configuration.aaa.accounting)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
start_stop_groups	List	String	No

logins (iosxe.devices.configuration.aaa.authentication)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
methods	List	Any[String or Choice[`none`, `line`, `enable`, `local`]]	No

dot1xs (iosxe.devices.configuration.aaa.authentication)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
methods	List	Any[String or Choice[`local`, `cache`, `radius`]]	No

enable_defaults (iosxe.devices.configuration.aaa.authentication)

Name	Type	Constraint	Mandatory	Default Value
method	Any	String or Choice[`enable`, `line`, `none`] or String[Regex: `^.[\$\%]\{.$`]	No
cache	Boolean	`true`, `false`	No

commands (iosxe.devices.configuration.aaa.authorization)

Name	Type	Constraint	Mandatory
level	Integer	min: `0`, max: `15`	Yes
list_name	String		Yes
methods	List	Any[String or Choice[`local`, `radius`, `tacacs`, `if_authenticated`, `none`]]	No

config_lists (iosxe.devices.configuration.aaa.authorization)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
groups	List	`[groups]`	No

execs (iosxe.devices.configuration.aaa.authorization)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
methods	List	Any[String or Choice[`local`, `radius`, `tacacs`, `if_authenticated`, `none`]]	No

networks (iosxe.devices.configuration.aaa.authorization)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
methods	List	Any[String or Choice[`local`]]	No

attributes (iosxe.devices.configuration.aaa.radius)

Name	Type	Constraint	Mandatory
number	Integer		Yes
access_request_include	Boolean	`true`, `false`	No
attribute_31_parameters	List	`[attribute_31_parameters]`	No
send_attributes	List	String	No

servers (iosxe.devices.configuration.aaa.radius)

Name	Type	Constraint	Mandatory
name	String		Yes
ip	IP		Yes
authentication_port	Integer	min: `0`, max: `65534`	No
accounting_port	Integer	min: `0`, max: `65534`	No
timeout	Integer	min: `1`, max: `1000`	No
retransmit	Integer	min: `0`, max: `100`	No
key	String		No
automate_tester_username	String		No
automate_tester_ignore_acct_port	Boolean	`true`, `false`	No
automate_tester_probe_on_config	Boolean	`true`, `false`	No
pac_key	String		No
pac_key_encryption	Any	`0`, `6`, `7`	No

groups (iosxe.devices.configuration.aaa.authorization.config_lists)

Name	Type	Constraint	Mandatory	Default Value
cache	Boolean	`true`, `false`	No
method	Any	String or Choice[`radius`, `tacacs`] or String[Regex: `^.[\$\%]\{.$`]	No

attribute_31_parameters (iosxe.devices.configuration.aaa.radius.attributes)

Name	Type	Constraint	Mandatory
calling_station_id	Choice	`mac`, `send`	No
id_mac_format	Choice	`ietf`	No
id_mac_lu_case	Choice	`lower-case`, `upper-case`	No
id_send_nas_port_detail	Boolean	`true`, `false`	No
id_send_mac_only	Boolean	`true`, `false`	No

By integrating TACACS+ and RADIUS servers, AAA centralizes and secures user authentication and policy enforcement across the network.

This enhances security, simplifies management, and enables detailed auditing of user actions.

AAA Parameters:

Authentication methods
Authorization methods
Accounting methods
Server group
TACACS+ server
RADIUS server
Shared key
Timeout
Retransmit
Auth port
Acct port
Dead criteria
Deadtime
Attribute settings
Username
PAC key

By default, AAA processes authentication, authorization, and accounting sequentially according to the configured method lists, starting with the first specified method and moving to the next if the previous one fails or is unavailable.

You can use these AAA parameters to define how your device authenticates users, authorizes their actions, and tracks their activity. Customize the methods, server settings, and timeouts to fit your network’s security and operational needs. Adjusting these parameters lets you tailor access control and monitoring for your environment.

Examples:

tacacs server test1

Defines a TACACS+ server for centralized authentication with specified address, key, and timeout

radius-server attribute 25 access-request include

Includes RADIUS attribute 25 in access-request messages

radius-server attribute 31 mac format ietf

Sets MAC address format in RADIUS attribute 31 to IETF standard

 radius-server dead-criteria time <time> tries <count>

Sets criteria for marking a RADIUS server as dead based on response time and retry attempts

radius-server deadtime <minutes>

Specifies how long to avoid retrying a dead RADIUS server.

radius server test1

Configures a RADIUS server with authentication and accounting ports, timeout, retransmit, automated testing, and PAC key options

Sample Configuration:

The following configuration describes how to set up AAA on an IOS-XE device. It lists how to authenticate and authorize users, includes configuration of RADIUS and TACACS+ servers, server groups, timeouts, and custom attributes for robust and secure access control.

tacacs server test1
 address ipv4 192.168.0.1
 key testkey
 timeout 5
tacacs server tacacs_10.10.15.13
 address ipv4 10.10.15.13
 key 123
 timeout 4
!
!
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
radius-server dead-criteria time 1 tries 3
radius-server deadtime 10
!
radius server test1
 address ipv4 192.168.1.1 auth-port 220 acct-port 221
 timeout 5
 retransmit 3
 automate-tester username test_user ignore-acct-port probe-on
 pac key test_pac

Example YAML Code:

The following code sets up AAA on an IOS-XE device, specifying how users are authenticated and authorized, how RADIUS and TACACS+ servers are used, and how to handle server groups, timeouts, and custom attributes for robust and secure access control.

iosxe:
  devices:
    - name: Device1
      configuration:
        aaa:
          new_model: true
          authentication:
            logins:
              - name: default
                methods:
                  - local
          authorization:
            execs:
              - name: default
                methods:
                  - local
          radius:
            dead_criteria_time: 1
            dead_criteria_tries: 3
            deadtime: 10
            servers:
              - name: test1
                ip: 192.168.1.1
                timeout: 5
                key: testkey
                authentication_port: 220
                accounting_port: 221
                retransmit: 3
                automate_tester_probe_on_config: true
                automate_tester_ignore_acct_port: true
                automate_tester_username: test_user
                pac_key: test_pac
                pac_key_encryption: 0
            attributes:
              - number: 25
                access_request_include: true
          radius_groups:
            - name: testgroup1
              source_interface_type: GigabitEthernet
              source_interface_id: 1
          tacacs_servers:
            - name: test1
              ip: 192.168.0.1
              timeout: 5
              encryption: 0
              key: testkey