AAA Feature Template
Specify the authentication method and order and configure Radius, TACACs, or local authentication, including local user groups with different read/write permissions.
Diagram
Classes
edge_feature_templates (sdwan)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| aaa_templates | List | [aaa_templates] | No |
aaa_templates (sdwan.edge_feature_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[^<>!&" ]{1,128}$ | Yes | |
| description | String | Yes | ||
| device_types | List | Choice[ASR-1001-HX, ASR-1001-X, ASR-1002-HX, ASR-1002-X, ASR-1006-X, C1101-4P, C1101-4PLTEP, C1101-4PLTEPW, C1109-2PLTEGB, C1109-2PLTEUS, C1109-2PLTEVZ, C1109-4PLTE2P, C1109-4PLTE2PW, C1111-4P, C1111-4PLTEEA, C1111-4PLTELA, C1111-4PW, C1111-8P, C1111-8PLTEEA, C1111-8PLTEEAW, C1111-8PLTELA, C1111-8PLTELAW, C1111-8PW, C1111X-8P, C1112-8P, C1112-8PLTEEA, C1112-8PLTEEAWE, C1112-8PWE, C1113-8P, C1113-8PLTEEA, C1113-8PLTEEAW, C1113-8PLTELA, C1113-8PLTELAWZ, C1113-8PLTEW, C1113-8PM, C1113-8PMLTEEA, C1113-8PMWE, C1113-8PW, C1116-4P, C1116-4PLTEEA, C1116-4PLTEEAWE, C1116-4PWE, C1117-4P, C1117-4PLTEEA, C1117-4PLTEEAW, C1117-4PLTELA, C1117-4PLTELAWZ, C1117-4PM, C1117-4PMLTEEA, C1117-4PMLTEEAWE, C1117-4PMWE, C1117-4PW, C1118-8P, C1121-4P, C1121-4PLTEP, C1121-8P, C1121-8PLTEP, C1121-8PLTEPW, C1121X-8P, C1121X-8PLTEP, C1121X-8PLTEPW, C1126-8PLTEP, C1126X-8PLTEP, C1127-8PLTEP, C1127-8PMLTEP, C1127X-8PLTEP, C1127X-8PMLTEP, C1128-8PLTEP, C1131-8PLTEPW, C1131-8PW, C1131X-8PLTEPW, C1131X-8PW, C1161-8P, C1161-8PLTEP, C1161X-8P, C1161X-8PLTEP, C8000V, C8200-1N-4T, C8200L-1N-4T, C8300-1N1S-4T2X, C8300-1N1S-6T, C8300-2N2S-4T2X, C8300-2N2S-6T, C8500-12X, C8500-12X4QC, C8500-20X6C, C8500L-8S4X, IR-1101, IR-1821, IR-1831, IR-1833, IR-1835, IR-8140H, IR-8140H-P, IR-8340, ISR-4221, ISR-4221X, ISR-4321, ISR-4331, ISR-4351, ISR-4431, ISR-4451-X, ISR-4461, ISR1100-4G-XE, ISR1100-4GLTEGB-XE, ISR1100-4GLTENA-XE, ISR1100-6G-XE, ISR1100X-4G-XE, ISR1100X-6G-XE] | No | |
| accounting_rules | List | [accounting_rules] | No | |
| authentication_and_authorization_order | List | String | Yes | |
| authorization_config_commands | Boolean | true, false | No | |
| authorization_config_commands_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| authorization_console | Boolean | true, false | No | |
| authorization_console_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| authorization_rules | List | [authorization_rules] | No | |
| dot1x_authentication | Boolean | true, false | No | |
| dot1x_authentication_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| dot1x_accounting | Boolean | true, false | No | |
| dot1x_accounting_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| radius_dynamic_author | Class | [radius_dynamic_author] | No | |
| radius_server_groups | List | [radius_server_groups] | No | |
| radius_trustsec | Class | [radius_trustsec] | No | |
| tacacs_server_groups | List | [tacacs_server_groups] | No | |
| users | List | [users] | Yes |
accounting_rules (sdwan.edge_feature_templates.aaa_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| method | Choice | commands, exec, network, system | Yes | |
| privilege_level | Choice | 1, 15 | No | |
| start_stop | Boolean | true, false | No | |
| start_stop_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| groups | List | String | Yes |
authorization_rules (sdwan.edge_feature_templates.aaa_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| method | Choice | commands | Yes | |
| privilege_level | Choice | 1, 15 | Yes | |
| authenticated | Boolean | true, false | Yes | |
| groups | List | String | Yes |
radius_dynamic_author (sdwan.edge_feature_templates.aaa_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| domain_stripping | Choice | yes, no, right-to-left | No | |
| domain_stripping_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| authentication_type | Choice | yes, all, session-key | No | |
| authentication_type_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| port | Integer | min: 0, max: 65535 | No | |
| port_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| server_key | String | No | ||
| server_key_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| clients | List | [clients] | Yes |
radius_server_groups (sdwan.edge_feature_templates.aaa_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | min: 1, max: 32 | Yes | |
| servers | List | [servers] | Yes | |
| source_interface | String | No | ||
| source_interface_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| vpn_id | Integer | min: 0, max: 65530 | No |
radius_trustsec (sdwan.edge_feature_templates.aaa_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| cts_authorization_list | String | No | ||
| cts_authorization_list_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| server_group | String | min: 1, max: 32 | No |
tacacs_server_groups (sdwan.edge_feature_templates.aaa_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | min: 1, max: 32 | Yes | |
| vpn_id | Integer | min: 0, max: 65530 | No | |
| source_interface | String | No | ||
| source_interface_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| servers | List | [servers] | Yes |
users (sdwan.edge_feature_templates.aaa_templates)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | max: 64 | Yes | |
| optional | Boolean | true, false | No | |
| password | String | starts_with: $6$ | Yes | |
| privilege_level | Choice | 1, 15 | No | |
| privilege_level_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| secret | String | starts_with: $9$ | Yes | |
| ssh_rsa_keys | List | String | No |
clients (sdwan.edge_feature_templates.aaa_templates.radius_dynamic_author)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip | IP | No | ||
| ip_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| vpn_id | Integer | min: 0, max: 65530 | No | |
| vpn_id_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| server_key | String | No |
servers (sdwan.edge_feature_templates.aaa_templates.radius_server_groups)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| address | IP | Yes | ||
| authentication_port | Integer | min: 1, max: 65535 | No | |
| authentication_port_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| accounting_port | Integer | min: 1, max: 65535 | No | |
| accounting_port_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| timeout | Integer | min: 1, max: 1000 | No | |
| timeout_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| retransmit_count | Integer | min: 1, max: 100 | No | |
| retransmit_count_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| key_type | Choice | key, pac | No | |
| key_type_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| key | String | starts_with: $CRYPT_CLUSTER$, min: 1, max: 128 | Yes | |
| secret_key | String | Regex: ^[0-9a-z]{1,150}$ | Yes |
servers (sdwan.edge_feature_templates.aaa_templates.tacacs_server_groups)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| address | IP | Yes | ||
| port | Integer | min: 1, max: 65535 | No | |
| port_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| timeout | Integer | min: 1, max: 1000 | No | |
| timeout_variable | String | Regex: ^[^"~$&+,]255$` | No | |
| key | String | starts_with: $CRYPT_CLUSTER$, min: 1, max: 128 | Yes | |
| secret_key | String | Regex: ^[0-9a-z]{1,150}$ | Yes |
Examples
Example-1: Centralized AAA Policy Enforcement for Secure SD-WAN Edge Access
A large enterprise with multiple branch offices connected via Cisco SD-WAN is looking to standardize and secure administrative access across all its edge routers. To achieve this, they deploy a centralized AAA (Authentication, Authorization, and Accounting) configuration template using Netascode. The AAA template enables consistent user authentication via TACACS+ server groups, sets up RADIUS for accounting, and defines authorization rules for command execution with privilege-level enforcement. A set of local fallback users with encrypted passwords and SSH keys is also configured for redundancy. This setup ensures secure, traceable, and policy-driven access to all network devices, enhancing operational efficiency and compliance.
sdwan: edge_feature_templates: aaa_templates: - name: FT-CEDGE-AAA-01 description: AAA Template for centralized admin access control authentication_and_authorization_order: - tacacs+ - local tacacs_server_groups: - name: TACACS-GRP-01 vpn_id: 0 servers: - address: 192.168.10.10 port: 49 key: $CRYPT_CLUSTER$ENCRYPTED_TACACS_KEY secret_key: tacacssecret - address: 192.168.10.11 port: 49 key: $CRYPT_CLUSTER$ENCRYPTED_TACACS_KEY2 secret_key: tacacssecret2 radius_server_groups: - name: RADIUS-GRP-01 vpn_id: 0 servers: - address: 192.168.20.20 authentication_port: 1812 accounting_port: 1813 key: $CRYPT_CLUSTER$ENCRYPTED_RADIUS_KEY secret_key: radiussecret accounting_rules: - method: exec start_stop: true groups: - RADIUS-GRP-01 authorization_rules: - method: commands privilege_level: 15 authenticated: true groups: - TACACS-GRP-01 users: - name: admin password: $6$ENCRYPTED_PASSWORD secret: $9$ENCRYPTED_SECRET privilege_level: 15 ssh_rsa_keys: - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD...