AAA Feature Template

Specify the authentication method and order and configure Radius, TACACs, or local authentication, including local user groups with different read/write permissions.

Diagram

Classes

edge_feature_templates (sdwan)

Name	Type	Constraint	Mandatory	Default Value
aaa_templates	List	`[aaa_templates]`	No

aaa_templates (sdwan.edge_feature_templates)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[^<>!&" ]{1,128}$`	Yes
description	String		Yes
device_types	List	Choice[`ASR-1001-HX`, `ASR-1001-X`, `ASR-1002-HX`, `ASR-1002-X`, `ASR-1006-X`, `C1101-4P`, `C1101-4PLTEP`, `C1101-4PLTEPW`, `C1109-2PLTEGB`, `C1109-2PLTEUS`, `C1109-2PLTEVZ`, `C1109-4PLTE2P`, `C1109-4PLTE2PW`, `C1111-4P`, `C1111-4PLTEEA`, `C1111-4PLTELA`, `C1111-4PW`, `C1111-8P`, `C1111-8PLTEEA`, `C1111-8PLTEEAW`, `C1111-8PLTELA`, `C1111-8PLTELAW`, `C1111-8PW`, `C1111X-8P`, `C1112-8P`, `C1112-8PLTEEA`, `C1112-8PLTEEAWE`, `C1112-8PWE`, `C1113-8P`, `C1113-8PLTEEA`, `C1113-8PLTEEAW`, `C1113-8PLTELA`, `C1113-8PLTELAWZ`, `C1113-8PLTEW`, `C1113-8PM`, `C1113-8PMLTEEA`, `C1113-8PMWE`, `C1113-8PW`, `C1116-4P`, `C1116-4PLTEEA`, `C1116-4PLTEEAWE`, `C1116-4PWE`, `C1117-4P`, `C1117-4PLTEEA`, `C1117-4PLTEEAW`, `C1117-4PLTELA`, `C1117-4PLTELAWZ`, `C1117-4PM`, `C1117-4PMLTEEA`, `C1117-4PMLTEEAWE`, `C1117-4PMWE`, `C1117-4PW`, `C1118-8P`, `C1121-4P`, `C1121-4PLTEP`, `C1121-8P`, `C1121-8PLTEP`, `C1121-8PLTEPW`, `C1121X-8P`, `C1121X-8PLTEP`, `C1121X-8PLTEPW`, `C1126-8PLTEP`, `C1126X-8PLTEP`, `C1127-8PLTEP`, `C1127-8PMLTEP`, `C1127X-8PLTEP`, `C1127X-8PMLTEP`, `C1128-8PLTEP`, `C1131-8PLTEPW`, `C1131-8PW`, `C1131X-8PLTEPW`, `C1131X-8PW`, `C1161-8P`, `C1161-8PLTEP`, `C1161X-8P`, `C1161X-8PLTEP`, `C8000V`, `C8200-1N-4T`, `C8200L-1N-4T`, `C8300-1N1S-4T2X`, `C8300-1N1S-6T`, `C8300-2N2S-4T2X`, `C8300-2N2S-6T`, `C8500-12X`, `C8500-12X4QC`, `C8500-20X6C`, `C8500L-8S4X`, `IR-1101`, `IR-1821`, `IR-1831`, `IR-1833`, `IR-1835`, `IR-8140H`, `IR-8140H-P`, `IR-8340`, `ISR-4221`, `ISR-4221X`, `ISR-4321`, `ISR-4331`, `ISR-4351`, `ISR-4431`, `ISR-4451-X`, `ISR-4461`, `ISR1100-4G-XE`, `ISR1100-4GLTEGB-XE`, `ISR1100-4GLTENA-XE`, `ISR1100-6G-XE`, `ISR1100X-4G-XE`, `ISR1100X-6G-XE`]	No
accounting_rules	List	`[accounting_rules]`	No
authentication_and_authorization_order	List	String	Yes
authorization_config_commands	Boolean	`true`, `false`	No
authorization_config_commands_variable	String	Regex: `^[^"~`$&+,]255$`	No
authorization_console	Boolean	`true`, `false`	No
authorization_console_variable	String	Regex: `^[^"~`$&+,]255$`	No
authorization_rules	List	`[authorization_rules]`	No
dot1x_authentication	Boolean	`true`, `false`	No
dot1x_authentication_variable	String	Regex: `^[^"~`$&+,]255$`	No
dot1x_accounting	Boolean	`true`, `false`	No
dot1x_accounting_variable	String	Regex: `^[^"~`$&+,]255$`	No
radius_dynamic_author	Class	`[radius_dynamic_author]`	No
radius_server_groups	List	`[radius_server_groups]`	No
radius_trustsec	Class	`[radius_trustsec]`	No
tacacs_server_groups	List	`[tacacs_server_groups]`	No
users	List	`[users]`	Yes

accounting_rules (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory
method	Choice	`commands`, `exec`, `network`, `system`	Yes
privilege_level	Choice	`1`, `15`	No
start_stop	Boolean	`true`, `false`	No
start_stop_variable	String	Regex: `^[^"~`$&+,]255$`	No
groups	List	String	Yes

authorization_rules (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory
method	Choice	`commands`	Yes
privilege_level	Choice	`1`, `15`	Yes
authenticated	Boolean	`true`, `false`	Yes
groups	List	String	Yes

radius_dynamic_author (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory
domain_stripping	Choice	`yes`, `no`, `right-to-left`	No
domain_stripping_variable	String	Regex: `^[^"~`$&+,]255$`	No
authentication_type	Choice	`yes`, `all`, `session-key`	No
authentication_type_variable	String	Regex: `^[^"~`$&+,]255$`	No
port	Integer	min: `0`, max: `65535`	No
port_variable	String	Regex: `^[^"~`$&+,]255$`	No
server_key	String		No
server_key_variable	String	Regex: `^[^"~`$&+,]255$`	No
clients	List	`[clients]`	Yes

radius_server_groups (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory
name	String	min: `1`, max: `32`	Yes
servers	List	`[servers]`	Yes
source_interface	String		No
source_interface_variable	String	Regex: `^[^"~`$&+,]255$`	No
vpn_id	Integer	min: `0`, max: `65530`	No

radius_trustsec (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory
cts_authorization_list	String		No
cts_authorization_list_variable	String	Regex: `^[^"~`$&+,]255$`	No
server_group	String	min: `1`, max: `32`	No

tacacs_server_groups (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory
name	String	min: `1`, max: `32`	Yes
vpn_id	Integer	min: `0`, max: `65530`	No
source_interface	String		No
source_interface_variable	String	Regex: `^[^"~`$&+,]255$`	No
servers	List	`[servers]`	Yes

users (sdwan.edge_feature_templates.aaa_templates)

Name	Type	Constraint	Mandatory
name	String	max: `64`	Yes
optional	Boolean	`true`, `false`	No
password	String	starts_with: $6$	Yes
privilege_level	Choice	`1`, `15`	No
privilege_level_variable	String	Regex: `^[^"~`$&+,]255$`	No
secret	String	starts_with: $9$	Yes
ssh_rsa_keys	List	String	No

clients (sdwan.edge_feature_templates.aaa_templates.radius_dynamic_author)

Name	Type	Constraint	Mandatory
ip	IP		No
ip_variable	String	Regex: `^[^"~`$&+,]255$`	No
vpn_id	Integer	min: `0`, max: `65530`	No
vpn_id_variable	String	Regex: `^[^"~`$&+,]255$`	No
server_key	String		No

servers (sdwan.edge_feature_templates.aaa_templates.radius_server_groups)

Name	Type	Constraint	Mandatory
address	IP		Yes
authentication_port	Integer	min: `1`, max: `65535`	No
authentication_port_variable	String	Regex: `^[^"~`$&+,]255$`	No
accounting_port	Integer	min: `1`, max: `65535`	No
accounting_port_variable	String	Regex: `^[^"~`$&+,]255$`	No
timeout	Integer	min: `1`, max: `1000`	No
timeout_variable	String	Regex: `^[^"~`$&+,]255$`	No
retransmit_count	Integer	min: `1`, max: `100`	No
retransmit_count_variable	String	Regex: `^[^"~`$&+,]255$`	No
key_type	Choice	`key`, `pac`	No
key_type_variable	String	Regex: `^[^"~`$&+,]255$`	No
key	String	starts_with: $CRYPT_CLUSTER$ , min: `1`, max: `128`	Yes
secret_key	String	Regex: `^[0-9a-z]{1,150}$`	Yes

servers (sdwan.edge_feature_templates.aaa_templates.tacacs_server_groups)

Name	Type	Constraint	Mandatory
address	IP		Yes
port	Integer	min: `1`, max: `65535`	No
port_variable	String	Regex: `^[^"~`$&+,]255$`	No
timeout	Integer	min: `1`, max: `1000`	No
timeout_variable	String	Regex: `^[^"~`$&+,]255$`	No
key	String	starts_with: $CRYPT_CLUSTER$ , min: `1`, max: `128`	Yes
secret_key	String	Regex: `^[0-9a-z]{1,150}$`	Yes

Examples

Example-1: Centralized AAA Policy Enforcement for Secure SD-WAN Edge Access

A large enterprise with multiple branch offices connected via Cisco SD-WAN is looking to standardize and secure administrative access across all its edge routers. To achieve this, they deploy a centralized AAA (Authentication, Authorization, and Accounting) configuration template using Netascode. The AAA template enables consistent user authentication via TACACS+ server groups, sets up RADIUS for accounting, and defines authorization rules for command execution with privilege-level enforcement. A set of local fallback users with encrypted passwords and SSH keys is also configured for redundancy. This setup ensures secure, traceable, and policy-driven access to all network devices, enhancing operational efficiency and compliance.

sdwan:
  edge_feature_templates:
    aaa_templates:
      - name: FT-CEDGE-AAA-01
        description: AAA Template for centralized admin access control
        authentication_and_authorization_order:
          - tacacs+
          - local
        tacacs_server_groups:
          - name: TACACS-GRP-01
            vpn_id: 0
            servers:
              - address: 192.168.10.10
                port: 49
                key: $CRYPT_CLUSTER$ENCRYPTED_TACACS_KEY
                secret_key: tacacssecret
              - address: 192.168.10.11
                port: 49
                key: $CRYPT_CLUSTER$ENCRYPTED_TACACS_KEY2
                secret_key: tacacssecret2
        radius_server_groups:
          - name: RADIUS-GRP-01
            vpn_id: 0
            servers:
              - address: 192.168.20.20
                authentication_port: 1812
                accounting_port: 1813
                key: $CRYPT_CLUSTER$ENCRYPTED_RADIUS_KEY
                secret_key: radiussecret
        accounting_rules:
          - method: exec
            start_stop: true
            groups:
              - RADIUS-GRP-01
        authorization_rules:
          - method: commands
            privilege_level: 15
            authenticated: true
            groups:
              - TACACS-GRP-01
        users:
          - name: admin
            password: $6$ENCRYPTED_PASSWORD
            secret: $9$ENCRYPTED_SECRET
            privilege_level: 15
            ssh_rsa_keys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD...