AAA Feature Template
Specify the authentication method and order and configure Radius, TACACs, or local authentication, including local user groups with different read/write permissions.
Diagram
Classes
edge_feature_templates (sdwan)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
aaa_templates | List | [aaa_templates] | No |
aaa_templates (sdwan.edge_feature_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[^<>!&" ]{1,128}$ | Yes | |
description | String | Yes | ||
device_types | List | Choice[ASR-1001-HX , ASR-1001-X , ASR-1002-HX , ASR-1002-X , ASR-1006-X , C1101-4P , C1101-4PLTEP , C1101-4PLTEPW , C1109-2PLTEGB , C1109-2PLTEUS , C1109-2PLTEVZ , C1109-4PLTE2P , C1109-4PLTE2PW , C1111-4P , C1111-4PLTEEA , C1111-4PLTELA , C1111-4PW , C1111-8P , C1111-8PLTEEA , C1111-8PLTEEAW , C1111-8PLTELA , C1111-8PLTELAW , C1111-8PW , C1111X-8P , C1112-8P , C1112-8PLTEEA , C1112-8PLTEEAWE , C1112-8PWE , C1113-8P , C1113-8PLTEEA , C1113-8PLTEEAW , C1113-8PLTELA , C1113-8PLTELAWZ , C1113-8PLTEW , C1113-8PM , C1113-8PMLTEEA , C1113-8PMWE , C1113-8PW , C1116-4P , C1116-4PLTEEA , C1116-4PLTEEAWE , C1116-4PWE , C1117-4P , C1117-4PLTEEA , C1117-4PLTEEAW , C1117-4PLTELA , C1117-4PLTELAWZ , C1117-4PM , C1117-4PMLTEEA , C1117-4PMLTEEAWE , C1117-4PMWE , C1117-4PW , C1118-8P , C1121-4P , C1121-4PLTEP , C1121-8P , C1121-8PLTEP , C1121-8PLTEPW , C1121X-8P , C1121X-8PLTEP , C1121X-8PLTEPW , C1126-8PLTEP , C1126X-8PLTEP , C1127-8PLTEP , C1127-8PMLTEP , C1127X-8PLTEP , C1127X-8PMLTEP , C1128-8PLTEP , C1131-8PLTEPW , C1131-8PW , C1131X-8PLTEPW , C1131X-8PW , C1161-8P , C1161-8PLTEP , C1161X-8P , C1161X-8PLTEP , C8000V , C8200-1N-4T , C8200L-1N-4T , C8300-1N1S-4T2X , C8300-1N1S-6T , C8300-2N2S-4T2X , C8300-2N2S-6T , C8500-12X , C8500-12X4QC , C8500-20X6C , C8500L-8S4X , IR-1101 , IR-1821 , IR-1831 , IR-1833 , IR-1835 , IR-8140H , IR-8140H-P , IR-8340 , ISR-4221 , ISR-4221X , ISR-4321 , ISR-4331 , ISR-4351 , ISR-4431 , ISR-4451-X , ISR-4461 , ISR1100-4G-XE , ISR1100-4GLTEGB-XE , ISR1100-4GLTENA-XE , ISR1100-6G-XE , ISR1100X-4G-XE , ISR1100X-6G-XE ] | No | |
accounting_rules | List | [accounting_rules] | No | |
authentication_and_authorization_order | List | String | Yes | |
authorization_config_commands | Boolean | true , false | No | |
authorization_config_commands_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
authorization_console | Boolean | true , false | No | |
authorization_console_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
authorization_rules | List | [authorization_rules] | No | |
dot1x_authentication | Boolean | true , false | No | |
dot1x_authentication_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
dot1x_accounting | Boolean | true , false | No | |
dot1x_accounting_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
radius_dynamic_author | Class | [radius_dynamic_author] | No | |
radius_server_groups | List | [radius_server_groups] | No | |
radius_trustsec | Class | [radius_trustsec] | No | |
tacacs_server_groups | List | [tacacs_server_groups] | No | |
users | List | [users] | Yes |
accounting_rules (sdwan.edge_feature_templates.aaa_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
method | Choice | commands , exec , network , system | Yes | |
privilege_level | Choice | 1 , 15 | No | |
start_stop | Boolean | true , false | No | |
start_stop_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
groups | List | String | Yes |
authorization_rules (sdwan.edge_feature_templates.aaa_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
method | Choice | commands | Yes | |
privilege_level | Choice | 1 , 15 | Yes | |
authenticated | Boolean | true , false | Yes | |
groups | List | String | Yes |
radius_dynamic_author (sdwan.edge_feature_templates.aaa_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
domain_stripping | Choice | yes , no , right-to-left | No | |
domain_stripping_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
authentication_type | Choice | yes , all , session-key | No | |
authentication_type_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
port | Integer | min: 0 , max: 65535 | No | |
port_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
server_key | String | No | ||
server_key_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
clients | List | [clients] | Yes |
radius_server_groups (sdwan.edge_feature_templates.aaa_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | min: 1 , max: 32 | Yes | |
servers | List | [servers] | Yes | |
source_interface | String | No | ||
source_interface_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
vpn_id | Integer | min: 0 , max: 65530 | No |
radius_trustsec (sdwan.edge_feature_templates.aaa_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
cts_authorization_list | String | No | ||
cts_authorization_list_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
server_group | String | min: 1 , max: 32 | No |
tacacs_server_groups (sdwan.edge_feature_templates.aaa_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | min: 1 , max: 32 | Yes | |
vpn_id | Integer | min: 0 , max: 65530 | No | |
source_interface | String | No | ||
source_interface_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
servers | List | [servers] | Yes |
users (sdwan.edge_feature_templates.aaa_templates)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | max: 64 | Yes | |
optional | Boolean | true , false | No | |
password | String | starts_with: $6$ | Yes | |
privilege_level | Choice | 1 , 15 | No | |
privilege_level_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
secret | String | starts_with: $9$ | Yes | |
ssh_rsa_keys | List | String | No |
clients (sdwan.edge_feature_templates.aaa_templates.radius_dynamic_author)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ip | IP | No | ||
ip_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
vpn_id | Integer | min: 0 , max: 65530 | No | |
vpn_id_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
server_key | String | No |
servers (sdwan.edge_feature_templates.aaa_templates.radius_server_groups)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
address | IP | Yes | ||
authentication_port | Integer | min: 1 , max: 65535 | No | |
authentication_port_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
accounting_port | Integer | min: 1 , max: 65535 | No | |
accounting_port_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
timeout | Integer | min: 1 , max: 1000 | No | |
timeout_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
retransmit_count | Integer | min: 1 , max: 100 | No | |
retransmit_count_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
key_type | Choice | key , pac | No | |
key_type_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
key | String | starts_with: $CRYPT_CLUSTER$ , min: 1 , max: 128 | Yes | |
secret_key | String | Regex: ^[0-9a-z]{1,150}$ | Yes |
servers (sdwan.edge_feature_templates.aaa_templates.tacacs_server_groups)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
address | IP | Yes | ||
port | Integer | min: 1 , max: 65535 | No | |
port_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
timeout | Integer | min: 1 , max: 1000 | No | |
timeout_variable | String | Regex: ^[^"~ $&+,]255$` | No | |
key | String | starts_with: $CRYPT_CLUSTER$ , min: 1 , max: 128 | Yes | |
secret_key | String | Regex: ^[0-9a-z]{1,150}$ | Yes |
Examples
Example-1: Centralized AAA Policy Enforcement for Secure SD-WAN Edge Access
A large enterprise with multiple branch offices connected via Cisco SD-WAN is looking to standardize and secure administrative access across all its edge routers. To achieve this, they deploy a centralized AAA (Authentication, Authorization, and Accounting) configuration template using Netascode. The AAA template enables consistent user authentication via TACACS+ server groups, sets up RADIUS for accounting, and defines authorization rules for command execution with privilege-level enforcement. A set of local fallback users with encrypted passwords and SSH keys is also configured for redundancy. This setup ensures secure, traceable, and policy-driven access to all network devices, enhancing operational efficiency and compliance.
sdwan: edge_feature_templates: aaa_templates: - name: FT-CEDGE-AAA-01 description: AAA Template for centralized admin access control authentication_and_authorization_order: - tacacs+ - local tacacs_server_groups: - name: TACACS-GRP-01 vpn_id: 0 servers: - address: 192.168.10.10 port: 49 key: $CRYPT_CLUSTER$ENCRYPTED_TACACS_KEY secret_key: tacacssecret - address: 192.168.10.11 port: 49 key: $CRYPT_CLUSTER$ENCRYPTED_TACACS_KEY2 secret_key: tacacssecret2 radius_server_groups: - name: RADIUS-GRP-01 vpn_id: 0 servers: - address: 192.168.20.20 authentication_port: 1812 accounting_port: 1813 key: $CRYPT_CLUSTER$ENCRYPTED_RADIUS_KEY secret_key: radiussecret accounting_rules: - method: exec start_stop: true groups: - RADIUS-GRP-01 authorization_rules: - method: commands privilege_level: 15 authenticated: true groups: - TACACS-GRP-01 users: - name: admin password: $6$ENCRYPTED_PASSWORD secret: $9$ENCRYPTED_SECRET privilege_level: 15 ssh_rsa_keys: - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD...