Skip to content

AAA Feature Template

Specify the authentication method and order and configure Radius, TACACs, or local authentication, including local user groups with different read/write permissions.

Diagram

Diagram

Classes

edge_feature_templates (sdwan)

NameTypeConstraintMandatoryDefault Value
aaa_templatesList[aaa_templates]No

aaa_templates (sdwan.edge_feature_templates)

NameTypeConstraintMandatoryDefault Value
nameStringRegex: ^[^<>!&" ]{1,128}$Yes
descriptionStringYes
device_typesListChoice[ASR-1001-HX, ASR-1001-X, ASR-1002-HX, ASR-1002-X, ASR-1006-X, C1101-4P, C1101-4PLTEP, C1101-4PLTEPW, C1109-2PLTEGB, C1109-2PLTEUS, C1109-2PLTEVZ, C1109-4PLTE2P, C1109-4PLTE2PW, C1111-4P, C1111-4PLTEEA, C1111-4PLTELA, C1111-4PW, C1111-8P, C1111-8PLTEEA, C1111-8PLTEEAW, C1111-8PLTELA, C1111-8PLTELAW, C1111-8PW, C1111X-8P, C1112-8P, C1112-8PLTEEA, C1112-8PLTEEAWE, C1112-8PWE, C1113-8P, C1113-8PLTEEA, C1113-8PLTEEAW, C1113-8PLTELA, C1113-8PLTELAWZ, C1113-8PLTEW, C1113-8PM, C1113-8PMLTEEA, C1113-8PMWE, C1113-8PW, C1116-4P, C1116-4PLTEEA, C1116-4PLTEEAWE, C1116-4PWE, C1117-4P, C1117-4PLTEEA, C1117-4PLTEEAW, C1117-4PLTELA, C1117-4PLTELAWZ, C1117-4PM, C1117-4PMLTEEA, C1117-4PMLTEEAWE, C1117-4PMWE, C1117-4PW, C1118-8P, C1121-4P, C1121-4PLTEP, C1121-8P, C1121-8PLTEP, C1121-8PLTEPW, C1121X-8P, C1121X-8PLTEP, C1121X-8PLTEPW, C1126-8PLTEP, C1126X-8PLTEP, C1127-8PLTEP, C1127-8PMLTEP, C1127X-8PLTEP, C1127X-8PMLTEP, C1128-8PLTEP, C1131-8PLTEPW, C1131-8PW, C1131X-8PLTEPW, C1131X-8PW, C1161-8P, C1161-8PLTEP, C1161X-8P, C1161X-8PLTEP, C8000V, C8200-1N-4T, C8200L-1N-4T, C8300-1N1S-4T2X, C8300-1N1S-6T, C8300-2N2S-4T2X, C8300-2N2S-6T, C8500-12X, C8500-12X4QC, C8500-20X6C, C8500L-8S4X, IR-1101, IR-1821, IR-1831, IR-1833, IR-1835, IR-8140H, IR-8140H-P, IR-8340, ISR-4221, ISR-4221X, ISR-4321, ISR-4331, ISR-4351, ISR-4431, ISR-4451-X, ISR-4461, ISR1100-4G-XE, ISR1100-4GLTEGB-XE, ISR1100-4GLTENA-XE, ISR1100-6G-XE, ISR1100X-4G-XE, ISR1100X-6G-XE]No
accounting_rulesList[accounting_rules]No
authentication_and_authorization_orderListStringYes
authorization_config_commandsBooleantrue, falseNo
authorization_config_commands_variableStringRegex: ^[^"~$&+,]255$`No
authorization_consoleBooleantrue, falseNo
authorization_console_variableStringRegex: ^[^"~$&+,]255$`No
authorization_rulesList[authorization_rules]No
dot1x_authenticationBooleantrue, falseNo
dot1x_authentication_variableStringRegex: ^[^"~$&+,]255$`No
dot1x_accountingBooleantrue, falseNo
dot1x_accounting_variableStringRegex: ^[^"~$&+,]255$`No
radius_dynamic_authorClass[radius_dynamic_author]No
radius_server_groupsList[radius_server_groups]No
radius_trustsecClass[radius_trustsec]No
tacacs_server_groupsList[tacacs_server_groups]No
usersList[users]Yes

accounting_rules (sdwan.edge_feature_templates.aaa_templates)

NameTypeConstraintMandatoryDefault Value
methodChoicecommands, exec, network, systemYes
privilege_levelChoice1, 15No
start_stopBooleantrue, falseNo
start_stop_variableStringRegex: ^[^"~$&+,]255$`No
groupsListStringYes

authorization_rules (sdwan.edge_feature_templates.aaa_templates)

NameTypeConstraintMandatoryDefault Value
methodChoicecommandsYes
privilege_levelChoice1, 15Yes
authenticatedBooleantrue, falseYes
groupsListStringYes

radius_dynamic_author (sdwan.edge_feature_templates.aaa_templates)

NameTypeConstraintMandatoryDefault Value
domain_strippingChoiceyes, no, right-to-leftNo
domain_stripping_variableStringRegex: ^[^"~$&+,]255$`No
authentication_typeChoiceyes, all, session-keyNo
authentication_type_variableStringRegex: ^[^"~$&+,]255$`No
portIntegermin: 0, max: 65535No
port_variableStringRegex: ^[^"~$&+,]255$`No
server_keyStringNo
server_key_variableStringRegex: ^[^"~$&+,]255$`No
clientsList[clients]Yes

radius_server_groups (sdwan.edge_feature_templates.aaa_templates)

NameTypeConstraintMandatoryDefault Value
nameStringmin: 1, max: 32Yes
serversList[servers]Yes
source_interfaceStringNo
source_interface_variableStringRegex: ^[^"~$&+,]255$`No
vpn_idIntegermin: 0, max: 65530No

radius_trustsec (sdwan.edge_feature_templates.aaa_templates)

NameTypeConstraintMandatoryDefault Value
cts_authorization_listStringNo
cts_authorization_list_variableStringRegex: ^[^"~$&+,]255$`No
server_groupStringmin: 1, max: 32No

tacacs_server_groups (sdwan.edge_feature_templates.aaa_templates)

NameTypeConstraintMandatoryDefault Value
nameStringmin: 1, max: 32Yes
vpn_idIntegermin: 0, max: 65530No
source_interfaceStringNo
source_interface_variableStringRegex: ^[^"~$&+,]255$`No
serversList[servers]Yes

users (sdwan.edge_feature_templates.aaa_templates)

NameTypeConstraintMandatoryDefault Value
nameStringmax: 64Yes
optionalBooleantrue, falseNo
passwordStringstarts_with: $6$Yes
privilege_levelChoice1, 15No
privilege_level_variableStringRegex: ^[^"~$&+,]255$`No
secretStringstarts_with: $9$Yes
ssh_rsa_keysListStringNo

clients (sdwan.edge_feature_templates.aaa_templates.radius_dynamic_author)

NameTypeConstraintMandatoryDefault Value
ipIPNo
ip_variableStringRegex: ^[^"~$&+,]255$`No
vpn_idIntegermin: 0, max: 65530No
vpn_id_variableStringRegex: ^[^"~$&+,]255$`No
server_keyStringNo

servers (sdwan.edge_feature_templates.aaa_templates.radius_server_groups)

NameTypeConstraintMandatoryDefault Value
addressIPYes
authentication_portIntegermin: 1, max: 65535No
authentication_port_variableStringRegex: ^[^"~$&+,]255$`No
accounting_portIntegermin: 1, max: 65535No
accounting_port_variableStringRegex: ^[^"~$&+,]255$`No
timeoutIntegermin: 1, max: 1000No
timeout_variableStringRegex: ^[^"~$&+,]255$`No
retransmit_countIntegermin: 1, max: 100No
retransmit_count_variableStringRegex: ^[^"~$&+,]255$`No
key_typeChoicekey, pacNo
key_type_variableStringRegex: ^[^"~$&+,]255$`No
keyStringstarts_with: $CRYPT_CLUSTER$, min: 1, max: 128Yes
secret_keyStringRegex: ^[0-9a-z]{1,150}$Yes

servers (sdwan.edge_feature_templates.aaa_templates.tacacs_server_groups)

NameTypeConstraintMandatoryDefault Value
addressIPYes
portIntegermin: 1, max: 65535No
port_variableStringRegex: ^[^"~$&+,]255$`No
timeoutIntegermin: 1, max: 1000No
timeout_variableStringRegex: ^[^"~$&+,]255$`No
keyStringstarts_with: $CRYPT_CLUSTER$, min: 1, max: 128Yes
secret_keyStringRegex: ^[0-9a-z]{1,150}$Yes

Examples

Example-1: Centralized AAA Policy Enforcement for Secure SD-WAN Edge Access

A large enterprise with multiple branch offices connected via Cisco SD-WAN is looking to standardize and secure administrative access across all its edge routers. To achieve this, they deploy a centralized AAA (Authentication, Authorization, and Accounting) configuration template using Netascode. The AAA template enables consistent user authentication via TACACS+ server groups, sets up RADIUS for accounting, and defines authorization rules for command execution with privilege-level enforcement. A set of local fallback users with encrypted passwords and SSH keys is also configured for redundancy. This setup ensures secure, traceable, and policy-driven access to all network devices, enhancing operational efficiency and compliance.

sdwan:
edge_feature_templates:
aaa_templates:
- name: FT-CEDGE-AAA-01
description: AAA Template for centralized admin access control
authentication_and_authorization_order:
- tacacs+
- local
tacacs_server_groups:
- name: TACACS-GRP-01
vpn_id: 0
servers:
- address: 192.168.10.10
port: 49
key: $CRYPT_CLUSTER$ENCRYPTED_TACACS_KEY
secret_key: tacacssecret
- address: 192.168.10.11
port: 49
key: $CRYPT_CLUSTER$ENCRYPTED_TACACS_KEY2
secret_key: tacacssecret2
radius_server_groups:
- name: RADIUS-GRP-01
vpn_id: 0
servers:
- address: 192.168.20.20
authentication_port: 1812
accounting_port: 1813
key: $CRYPT_CLUSTER$ENCRYPTED_RADIUS_KEY
secret_key: radiussecret
accounting_rules:
- method: exec
start_stop: true
groups:
- RADIUS-GRP-01
authorization_rules:
- method: commands
privilege_level: 15
authenticated: true
groups:
- TACACS-GRP-01
users:
- name: admin
password: $6$ENCRYPTED_PASSWORD
secret: $9$ENCRYPTED_SECRET
privilege_level: 15
ssh_rsa_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD...