System AAA Feature

Version:

Specify the authentication method and order and configure Radius, TACACs, or local authentication, including local user groups with different read/write permissions.

Diagram

Classes

system_profiles (sdwan.feature_profiles)

Name	Type	Constraint	Mandatory	Default Value
aaa	Class	`[aaa]`	No

aaa (sdwan.feature_profiles.system_profiles)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[^&<>! "]{1,128}$`	No	`aaa`
description	String		No
accounting_rules	List	`[accounting_rules]`	No
auth_order	List	String[min: `1`, max: `220`]	No
authorization_config_commands	Boolean	`true`, `false`	No
authorization_config_commands_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
authorization_console	Boolean	`true`, `false`	No
authorization_console_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
authorization_rules	List	`[authorization_rules]`	No
dot1x_accounting	Boolean	`true`, `false`	No
dot1x_accounting_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
dot1x_authentication	Boolean	`true`, `false`	No
dot1x_authentication_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
radius_groups	List	`[radius_groups]`	No
tacacs_groups	List	`[tacacs_groups]`	No
users	List	`[users]`	Yes

accounting_rules (sdwan.feature_profiles.system_profiles.aaa)

Name	Type	Constraint	Mandatory
groups	List	String[min: `1`, max: `32`]	Yes
id	String	max: `32`	Yes
level	Choice	`1`, `15`	No
method	Choice	`commands`, `exec`, `network`, `system`	Yes
start_stop	Boolean	`true`, `false`	No
start_stop_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No

authorization_rules (sdwan.feature_profiles.system_profiles.aaa)

Name	Type	Constraint	Mandatory
authenticated	Boolean	`true`, `false`	No
groups	List	String[min: `1`, max: `32`]	Yes
id	String	max: `32`	Yes
level	Choice	`1`, `15`	No
method	Choice	`commands`	Yes

radius_groups (sdwan.feature_profiles.system_profiles.aaa)

Name	Type	Constraint	Mandatory
servers	List	`[servers]`	Yes
source_interface	String	max: `32`	No
source_interface_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
vpn	Integer	min: `0`, max: `65530`	No

tacacs_groups (sdwan.feature_profiles.system_profiles.aaa)

Name	Type	Constraint	Mandatory
servers	List	`[servers]`	Yes
source_interface	String	max: `32`	No
source_interface_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
vpn	Integer	min: `0`, max: `65530`	No

users (sdwan.feature_profiles.system_profiles.aaa)

Name	Type	Constraint	Mandatory
name	String	min: `1`, max: `64`	No
name_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
password	String		No
password_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
privilege	Choice	`1`, `15`	No
privilege_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
public_key_chains	List	String[Regex: `^AAAA[0-9A-Za-z+/]+[=]{0,3}$`]	No

servers (sdwan.feature_profiles.system_profiles.aaa.radius_groups)

Name	Type	Constraint	Mandatory
accounting_port	Integer	min: `1`, max: `65534`	No
accounting_port_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
address	IP		Yes
authentication_port	Integer	min: `1`, max: `65534`	No
authentication_port_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
key	String	min: `1`	Yes
key_type	Choice	`key`, `pac`	No
key_type_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
retransmit	Integer	min: `1`, max: `100`	No
retransmit_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
timeout	Integer	min: `1`, max: `1000`	No
timeout_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No

servers (sdwan.feature_profiles.system_profiles.aaa.tacacs_groups)

Name	Type	Constraint	Mandatory
address	IP		Yes
key	String	min: `1`	Yes
port	Integer	min: `1`, max: `65535`	No
port_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
timeout	Integer	min: `1`, max: `1000`	No
timeout_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No

Examples

sdwan:
  feature_profiles:
    system_profiles:
      - name: system
        aaa:
          name: aaa
          description: basic aaa
          auth_order:
            - tacacs-511
            - local
          tacacs_groups:
            - vpn: 511
              source_interface_variable: tacacs_source_interface
              servers:
                - address: 10.1.1.1
                  port: 49
                  key: $CRYPT_CLUSTER$jq34CKAzT5KGdEjIpYarKg==$MZkY/AdOWzm/kiLHOsKHJg==
                - address: 10.1.1.2
                  key: $CRYPT_CLUSTER$jq34CKAzT5KGdEjIpYarKg==$MZkY/AdOWzm/kiLHOsKHJg==
          users:
            - name: admin
              password: $6$Oz2ydqNXLLDIsPSG$LhogoactFVb9eJgqgv/O/Zb.FHg74drK4maijc.Q9q/KhyDcPfwrHx9Vy6G9hY7oKWbyas4XKms7f7Znl/ndF.
              privilege: 15
            - name: failsafe
              password: $6$v0UN8x4fkvZd0Lnj$hq13MC.W5ElstGlolO38fshGEYxSechW4K5zEdrJD1trSH30AaNKvL4VUlOtxersGmIDNefPwyrSqbJpCpXGJ.
              privilege: 15
          authorization_rules:
            - id: rule1
              method: commands
              level: 15
              groups:
                - tacacs-511
              authenticated: true