AAA

AAA (Authentication, Authorization, and Accounting) is a comprehensive security framework that provides centralized access control for network devices and resources. Authentication verifies user identity through credentials, certificates, or other methods; Authorization determines what resources authenticated users can access; and Accounting tracks user activities and resource usage for auditing and billing purposes. This framework integrates with external servers like RADIUS and TACACS+ to provide scalable, centralized security management across enterprise networks.

Diagram

Classes

configuration (iosxe.devices)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| aaa | Class | [aaa] | No | |

aaa (iosxe.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| new_model | Boolean | true, false | No | |
| session_id | Choice | common, unique | No | |
| radius_dynamic_author | Boolean | true, false | No | |
| radius_dynamic_author_clients | List | [radius_dynamic_author_clients] | No | |
| radius_groups | List | [radius_groups] | No | |
| tacacs_groups | List | [tacacs_groups] | No | |
| accounting | Class | [accounting] | No | |
| authentication | Class | [authentication] | No | |
| authorization | Class | [authorization] | No | |
| radius | Class | [radius] | No | |
| tacacs_servers | List | [tacacs_servers] | No | |
| usernames | List | [usernames] | No | |

radius_dynamic_author_clients (iosxe.devices.configuration.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| ip | IP | | Yes | |
| key_type | Choice | 0, 6, 7 | No | |
| key | String | | No | |

radius_groups (iosxe.devices.configuration.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| server_names | List | String | No | |
| source_interface_type | Choice | Loopback, Vlan, GigabitEthernet, TwoGigabitEthernet, FiveGigabitEthernet, TenGigabitEthernet, TwentyFiveGigabitEthernet, FortyGigabitEthernet, HundredGigabitEthernet | No | |
| source_interface_id | String | | No | |

tacacs_groups (iosxe.devices.configuration.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| server_names | List | String | No | |
| source_interface_type | Choice | Loopback, Vlan, GigabitEthernet, TwoGigabitEthernet, FiveGigabitEthernet, TenGigabitEthernet, TwentyFiveGigabitEthernet, FortyGigabitEthernet, HundredGigabitEthernet | No | |
| source_interface_id | String | | No | |

accounting (iosxe.devices.configuration.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| update_newinfo_periodic | Integer | | No | |
| system_guarantee_first | Boolean | true, false | No | |
| identities | List | [identities] | No | |
| identity_default_start_stop_groups | List | String | No | |
| execs | List | [execs] | No | |
| networks | List | [networks] | No | |

authentication (iosxe.devices.configuration.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| logins | List | [logins] | No | |
| dot1xs | List | [dot1xs] | No | |
| dot1x_defaults | List | Any[String or Choice[local]] | No | |

authorization (iosxe.devices.configuration.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| execs | List | [execs] | No | |
| networks | List | [networks] | No | |

radius (iosxe.devices.configuration.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| attributes | List | [attributes] | No | |
| dead_criteria_time | Integer | min: 1, max: 120 | No | |
| dead_criteria_tries | Integer | min: 1, max: 100 | No | |
| deadtime | Integer | min: 1, max: 1440 | No | |
| servers | List | [servers] | No | |

tacacs_servers (iosxe.devices.configuration.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| ip | IP | | Yes | |
| timeout | Integer | min: 1, max: 1000 | No | |
| key | String | | No | |
| encryption | Any | 0, 6, 7 | No | |

usernames (iosxe.devices.configuration.aaa)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| privilege | Integer | min: 0, max: 15 | No | |
| description | String | | No | |
| password_encryption | Choice | 0, 6, 7 | No | |
| password | String | | No | |
| secret_encryption | Choice | 0, 5, 8, 9 | No | |
| secret | String | | No | |

identities (iosxe.devices.configuration.aaa.accounting)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| start_stop_broadcast | Boolean | true, false | No | |
| start_stop_group_broadcast | Boolean | true, false | No | |
| start_stop_group_logger | Boolean | true, false | No | |
| start_stop_groups | List | String | No | |
| identity_default_start_stop_groups | List | String | No | |

execs (iosxe.devices.configuration.aaa.accounting)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| start_stop_groups | List | String | No | |

networks (iosxe.devices.configuration.aaa.accounting)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| start_stop_groups | List | String | No | |

logins (iosxe.devices.configuration.aaa.authentication)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| methods | List | Any[String or Choice[none, line, enable, local]] | No | |

dot1xs (iosxe.devices.configuration.aaa.authentication)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| methods | List | Any[String or Choice[local, cache, radius]] | No | |

execs (iosxe.devices.configuration.aaa.authorization)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| methods | List | Any[String or Choice[local, radius, tacacs, if_authenticated]] | No | |

networks (iosxe.devices.configuration.aaa.authorization)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| methods | List | Any[String or Choice[local]] | No | |

attributes (iosxe.devices.configuration.aaa.radius)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| number | Integer | | Yes | |
| access_request_include | Boolean | true, false | No | |
| attribute_31_parameters | List | [attribute_31_parameters] | No | |
| send_attributes | List | String | No | |

servers (iosxe.devices.configuration.aaa.radius)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| ip | IP | | Yes | |
| authentication_port | Integer | min: 0, max: 65534 | No | |
| accounting_port | Integer | min: 0, max: 65534 | No | |
| timeout | Integer | min: 1, max: 1000 | No | |
| retransmit | Integer | min: 0, max: 100 | No | |
| key | String | | No | |
| automate_tester_username | String | | No | |
| automate_tester_ignore_acct_port | Boolean | true, false | No | |
| automate_tester_probe_on_config | Boolean | true, false | No | |
| pac_key | String | | No | |
| pac_key_encryption | Any | 0, 6, 7 | No | |

attribute_31_parameters (iosxe.devices.configuration.aaa.radius.attributes)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| calling_station_id | Choice | mac, send | No | |
| id_mac_format | Choice | ietf | No | |
| id_mac_lu_case | Choice | lower-case, upper-case | No | |
| id_send_nas_port_detail | Boolean | true, false | No | |
| id_send_mac_only | Boolean | true, false | No | |

By integrating TACACS+ and RADIUS servers, AAA centralizes and secures user authentication and policy enforcement across the network.

This enhances security, simplifies management, and enables detailed auditing of user actions.

AAA Parameters:

  • Authentication methods
  • Authorization methods
  • Accounting methods
  • Server group
  • TACACS+ server
  • RADIUS server
  • Shared key
  • Timeout
  • Retransmit
  • Auth port
  • Acct port
  • Dead criteria
  • Deadtime
  • Attribute settings
  • Username
  • PAC key

By default, AAA processes authentication, authorization, and accounting sequentially according to the configured method lists, starting with the first specified method and moving to the next if the previous one fails or is unavailable.

You can use these AAA parameters to define how your device authenticates users, authorizes their actions, and tracks their activity. Customize the methods, server settings, and timeouts to fit your network’s security and operational needs. Adjusting these parameters lets you tailor access control and monitoring for your environment.

Examples:

tacacs server test1
  • Defines a TACACS+ server for centralized authentication with specified address, key, and timeout
radius-server attribute 25 access-request include
  • Includes RADIUS attribute 25 in access-request messages
radius-server attribute 31 mac format ietf
  • Sets MAC address format in RADIUS attribute 31 to IETF standard
radius-server dead-criteria time <time> tries <count>
  • Sets criteria for marking a RADIUS server as dead based on response time and retry attempts
radius-server deadtime <minutes>
  • Specifies how long to avoid retrying a dead RADIUS server
radius server test1
  • Configures a RADIUS server with authentication and accounting ports, timeout, retransmit, automated testing, and PAC key options

Sample Configuration:

The following configuration shows how AAA is set up on an IOS-XE device: how users are authenticated and authorized, and how RADIUS and TACACS+ servers, server groups, timeouts, and custom attributes are configured for robust and secure access control.

```
tacacs server test1
 address ipv4 192.168.0.1
 key testkey
 timeout 5
tacacs server tacacs_10.10.15.13
 address ipv4 10.10.15.13
 key 123
 timeout 4
!
!
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
radius-server dead-criteria time 1 tries 3
radius-server deadtime 10
!
radius server test1
 address ipv4 192.168.1.1 auth-port 220 acct-port 221
 timeout 5
 retransmit 3
 automate-tester username test_user ignore-acct-port probe-on
 pac key test_pac
```

Example YAML Code:

The following code sets up AAA on an IOS-XE device, specifying how users are authenticated and authorized, how RADIUS and TACACS+ servers are used, and how to handle server groups, timeouts, and custom attributes for robust and secure access control.

```yaml
iosxe:
  devices:
    - name: Device1
      configuration:
        aaa:
          new_model: true
          authentication:
            logins:
              - name: default
                methods:
                  - local
          authorization:
            execs:
              - name: default
                methods:
                  - local
          radius:
            dead_criteria_time: 1
            dead_criteria_tries: 3
            deadtime: 10
            servers:
              - name: test1
                ip: 192.168.1.1
                timeout: 5
                key: testkey
                authentication_port: 220
                accounting_port: 221
                retransmit: 3
                automate_tester_probe_on_config: true
                automate_tester_ignore_acct_port: true
                automate_tester_username: test_user
                pac_key: test_pac
                pac_key_encryption: 0
            attributes:
              - number: 25
                access_request_include: true
          radius_groups:
            - name: testgroup1
              source_interface_type: GigabitEthernet
              source_interface_id: 1
          tacacs_servers:
            - name: test1
              ip: 192.168.0.1
              timeout: 5
              encryption: 0
              key: testkey
```
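As an added example (not the project's own code and not part of this page), the following Python lints one `aaa` object of the data model above before it is committed: it checks the documented integer ranges and method choices, and flags settings a reviewer would question, namely keys supplied with encryption type 0 (cleartext in the source of truth), a username with a reversible `password` but no hashed `secret`, the `none` login method, and method-list entries that name no defined server group. `lint_aaa`, `SAMPLE` and the finding texts are invented here; an omitted encryption type is treated as type 0, and the sample input is constructed from the YAML above plus deliberately weak entries.

```python
LOGIN_METHODS = {"none", "line", "enable", "local"}
EXEC_AUTHZ_METHODS = {"local", "radius", "tacacs", "if_authenticated"}
RANGES = {  # object kind -> attribute -> documented (min, max), taken from the tables above
    "radius": {"dead_criteria_time": (1, 120), "dead_criteria_tries": (1, 100), "deadtime": (1, 1440)},
    "radius_server": {"authentication_port": (0, 65534), "accounting_port": (0, 65534), "timeout": (1, 1000),
                      "retransmit": (0, 100)}, "tacacs_server": {"timeout": (1, 1000)}, "username": {"privilege": (0, 15)}}

def _ranges(kind, obj, where, out):
    for attr, (lo, hi) in RANGES[kind].items():
        if attr in obj and not lo <= obj[attr] <= hi:
            out.append(f"{where}.{attr}={obj[attr]} outside documented range {lo}..{hi}")
def _methods(lists, allowed, groups, where, out):  # a method is a documented choice or a defined group name
    for ml in lists:
        for m in ml.get("methods", []):
            if m == "none":
                out.append(f"{where}[{ml['name']}]: method 'none' grants access without credentials")
            elif m not in allowed and m not in groups:
                out.append(f"{where}[{ml['name']}]: '{m}' is neither a documented choice nor a defined group")
def lint_aaa(aaa):  # returns a list of findings for one 'aaa' object; [] means the fragment passes
    out = []
    groups = {g["name"] for g in aaa.get("radius_groups", []) + aaa.get("tacacs_groups", [])}
    radius = aaa.get("radius", {})
    _ranges("radius", radius, "radius", out)
    for s in radius.get("servers", []):
        _ranges("radius_server", s, f"radius.servers[{s['name']}]", out)
        if s.get("pac_key") and s.get("pac_key_encryption", 0) == 0:  # omitted type assumed 0 = cleartext key
            out.append(f"radius.servers[{s['name']}]: pac_key stored in cleartext (encryption 0)")
    for s in aaa.get("tacacs_servers", []):
        _ranges("tacacs_server", s, f"tacacs_servers[{s['name']}]", out)
        if s.get("key") and s.get("encryption", 0) == 0:
            out.append(f"tacacs_servers[{s['name']}]: key stored in cleartext (encryption 0)")
    for u in aaa.get("usernames", []):
        _ranges("username", u, f"usernames[{u['name']}]", out)
        if u.get("password") and not u.get("secret"):  # 'password' (type 0/7) is reversible, 'secret' is hashed
            out.append(f"usernames[{u['name']}]: reversible 'password' set without a hashed 'secret'")
    _methods(aaa.get("authentication", {}).get("logins", []), LOGIN_METHODS, groups, "authentication.logins", out)
    _methods(aaa.get("authorization", {}).get("execs", []), EXEC_AUTHZ_METHODS, groups, "authorization.execs", out)
    return out

SAMPLE = {  # constructed: mirrors the YAML above, plus a weak local user and an undefined group reference
    "radius_groups": [{"name": "testgroup1"}],
    "authentication": {"logins": [{"name": "default", "methods": ["testgroup1", "local"]},
                                  {"name": "console", "methods": ["none"]}]},
    "authorization": {"execs": [{"name": "default", "methods": ["missing_group", "local"]}]},
    "radius": {"deadtime": 10, "servers": [{"name": "test1", "authentication_port": 220, "accounting_port": 221,
                                            "timeout": 5, "retransmit": 3, "pac_key": "test_pac", "pac_key_encryption": 0}]},
    "tacacs_servers": [{"name": "test1", "timeout": 5, "encryption": 0, "key": "testkey"}],
    "usernames": [{"name": "admin", "privilege": 15, "password_encryption": 7, "password": "x"}],
}
print(*lint_aaa(SAMPLE), sep="\n")
```

Running it against `SAMPLE` prints five findings; a clean fragment such as the page's own YAML with type 6 keys and `secret` users returns an empty list.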