5. AAA Configuration
AAA stands for authentication, authorization and accounting. This subsystem is used when it is necessary to identify a user, determine which commands the user is authorized to execute, and track all of the user's actions.
Important: Changes in the AAA settings do not apply to sessions that have already been created!
5.1. Local User Configuration
There is one default local user in the system named admin, with the password admin, in the group admin, with all configuration commands available to it.
Commands to manage users are listed below.
- user USERNAME group <guest|operator|admin> encryption <md5|sha-256|sha-512> password PASSWORD
Add a new user to the specified group. The password is entered in plain text and will be hashed using the selected encryption algorithm.
- user USERNAME group <guest|operator|admin> password PASSWORD_HASH
Add a new user to the specified group. The password is entered in hashed form in the Modular Crypt Format: $<id>[$<param>=<value>(,<param>=<value>)*][$<salt>[$<hash>]]. The MD5 ($1$), SHA-256 ($5$), and SHA-512 ($6$) algorithms are supported.
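As an added example (Python, not part of the original documentation), the following validator checks that a PASSWORD_HASH string has the Modular Crypt Format shape and one of the three supported ids before it is pasted into a user command. The digest strings in it are constructed filler of the right length, not real hashes.

```python
import re

# Hash ids the page lists as supported, with the digest length (in the crypt
# base64 alphabet) that MD5-crypt, SHA-256-crypt and SHA-512-crypt produce.
SUPPORTED = {"1": ("md5", 22), "5": ("sha-256", 43), "6": ("sha-512", 86)}
CRYPT_ALPHABET = re.compile(r"^[./0-9A-Za-z]+$")

def parse_mcf(value):
    """Split $<id>[$<param>=<value>,...]$<salt>$<hash> into fields; raises
    ValueError for what 'user ... password PASSWORD_HASH' would not accept."""
    if not value.startswith("$"):
        raise ValueError("not an MCF string: must start with '$' (plaintext?)")
    fields = value.split("$")[1:]       # drop the empty field before the first '$'
    if not fields or fields[0] not in SUPPORTED:
        raise ValueError("unsupported hash id: $%s$" % (fields[0] if fields else ""))
    algo, digest_len = SUPPORTED[fields[0]]
    params, rest = {}, fields[1:]
    if rest and "=" in rest[0]:         # optional parameter field, e.g. rounds=5000
        for item in rest[0].split(","):
            key, _, val = item.partition("=")
            params[key] = val
        rest = rest[1:]
    if len(rest) != 2:                  # a usable password hash needs both salt and digest
        raise ValueError("expected exactly a salt field and a hash field")
    salt, digest = rest
    if not 1 <= len(salt) <= 16 or not CRYPT_ALPHABET.match(salt):
        raise ValueError("salt must be 1-16 characters of [./0-9A-Za-z]")
    if len(digest) != digest_len or not CRYPT_ALPHABET.match(digest):
        raise ValueError("%s digest must be %d characters of [./0-9A-Za-z]" % (algo, digest_len))
    return {"id": fields[0], "algorithm": algo, "params": params, "salt": salt, "hash": digest}

def is_valid_mcf(value):
    """True if parse_mcf() accepts the string."""
    try:
        parse_mcf(value)
        return True
    except ValueError:
        return False

# Constructed samples: the digests are filler of the right length, not real hashes.
SHA512_SAMPLE = "$6$rounds=5000$saltsalt$" + "A" * 86
MD5_SAMPLE = "$1$abcdefgh$" + "B" * 22

if __name__ == "__main__":
    for sample in (SHA512_SAMPLE, MD5_SAMPLE, "admin", "$2b$12$" + "C" * 53):
        print(sample[:24], "->", "ok" if is_valid_mcf(sample) else "rejected")
```

A bcrypt string ($2b$) or a plaintext password is rejected, which is the mistake this check is meant to catch before the command is issued.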
- user USERNAME group <guest|operator|admin>
Move the user to the specified group.
To configure the password for Enable Mode, use the following commands:
- enable encryption <md5|sha-256|sha-512> password PASSWORD
- enable password PASSWORD_HASH
Note: For RADIUS and TACACS+, the Enable Mode password is configured on the servers.
5.2. RADIUS and TACACS+ Configuration
First, set the settings for RADIUS or TACACS+ servers to which vCGNAT will connect:
- aaa radius id (0-99) A.B.C.D auth-port (1-65535) acct-port (1-65535) secret SECRET
Set up a connection to the RADIUS server.
| Key | Argument | Description |
| id | (0-99) | Set the ID of the RADIUS server |
| HOST | A.B.C.D or hostname | RADIUS server IP address or hostname |
| auth-port | (1-65535) | RADIUS authentication port. The default is 1812 |
| acct-port | (1-65535) | RADIUS accounting port. The default is 1813 |
| secret | SECRET | Shared secret which vCGNAT will use to connect to the RADIUS server |
The attribute cisco-avpair (9,1) is used:
| shell:priv-lvl=LEVEL | Sets the privilege level |
| shell:cmd=COMMAND | Forbids an individual command (all commands whose beginning coincides with the specified one will be forbidden) |
The password for Enable Mode is configured by creating the user $enab15$ on the RADIUS server, for example:
    test        Cleartext-Password := "test"
                cisco-avpair := "shell:priv-lvl=7",
                cisco-avpair := "shell:cmd=show interface"
    $enab15$    Cleartext-Password := "enable"
- aaa tacacs+ id (0-99) HOST port (1-65535) secret SECRET
Set up a connection to the TACACS+ server.
| Key | Argument | Description |
| id | (0-99) | Set the ID of the TACACS+ server |
| HOST | A.B.C.D or hostname | TACACS+ server IP address or hostname |
| port | (1-65535) | TACACS+ server port. The default is 49 |
| secret | SECRET | Shared secret which vCGNAT will use to connect to the TACACS+ server |
Note: You can add several RADIUS or TACACS+ servers to increase the fault tolerance of the system. In that case, vCGNAT will connect to the server with the highest ID number.
- aaa server <radius|tacacs+> id (0-99) set-id (0-99)
Change the server ID. If a server with the new ID already exists, the two servers swap IDs.
- no aaa <radius|tacacs+> [id (0-99)]
Remove all connections to RADIUS or TACACS+ servers, or only the connection with the specified ID.
5.3. Accounting
- aaa accounting <console|ssh> {local|radius|tacacs+}
Set the type of connection (via SSH or console) and the location where users' actions will be sent. Logs contain the beginning and end of the session and all commands entered by the user, with the authorization result.
Pay attention: radius and tacacs+ here mean two groups of servers. For example, if you add two RADIUS and three TACACS+ servers and specify local radius tacacs+ in the accounting, then vCGNAT will send logs to the local log, to the RADIUS server with the highest ID in the group of RADIUS servers, and to the TACACS+ server with the highest ID in the group of TACACS+ servers.
- no aaa accounting <console|ssh>
Disable accounting.
5.4. Authentication
- aaa authentication <console|ssh> {local|radius|tacacs+}
Set the type of connection (via SSH or console) and the authentication methods. You can specify several methods; vCGNAT will use the first of the specified methods and fall back to the next one only if it is unavailable.
The radius and tacacs+ methods mean two groups of servers. For example, if you specify radius tacacs+ for authentication and add several RADIUS and TACACS+ servers, then vCGNAT will first try to connect to the RADIUS server with the highest ID, then the next one, and only if none of the RADIUS servers is available will it proceed to the TACACS+ servers. Pay attention to two things:
- The local method is always available, so any servers listed after it will never be polled.
- Denied access is interpreted as a successful response, so the next server will not be polled.
During authentication, a privilege level (priv-lvl) is requested from the same source that allowed access. The operator role is set according to the received privilege level:
| Role | priv-lvl |
| admin | = 15 |
| operator | >= 7 and < 15 |
| guest | < 7 |
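As an added example (Python, not part of the original documentation) covering both the method-list behaviour and the priv-lvl table above, this models the walk over an aaa authentication method list with constructed servers and users. It assumes that a server which does not know a user answers with a reject, which the page treats as a final answer.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    """One 'aaa radius' / 'aaa tacacs+' entry: verdict maps username to the
    priv-lvl it returns or "reject"; reachable=False stands for a connection error."""
    id: int
    reachable: bool = True
    verdict: dict = field(default_factory=dict)

def role_for(priv_lvl):
    # Role assigned from the priv-lvl the authenticator returns.
    if priv_lvl == 15:
        return "admin"
    if 7 <= priv_lvl < 15:
        return "operator"
    return "guest"

def authenticate(methods, groups, local_users, username):
    """Walk an 'aaa authentication' method list as the page describes: each group's
    servers are tried from the highest ID down, any answer (accept or reject) ends
    the walk, and only an unreachable server causes fallback. Returns (source, result, role)."""
    for method in methods:
        if method == "local":
            # local is always available, so methods listed after it are never polled
            lvl = local_users.get(username)
            return ("local", "accept", role_for(lvl)) if lvl is not None else ("local", "reject", None)
        for srv in sorted(groups.get(method, []), key=lambda s: s.id, reverse=True):
            if not srv.reachable:
                continue                           # connection error: try the next server
            source = "%s#%d" % (method, srv.id)
            lvl = srv.verdict.get(username, "reject")
            if lvl == "reject":
                return source, "reject", None      # a denial is final; nothing else is polled
            return source, "accept", role_for(lvl)
    return None, "unavailable", None

# Constructed sample: RADIUS servers with ids 0 and 5 (id 5 down) and one TACACS+ server.
GROUPS = {
    "radius": [Server(0, verdict={"alice": 15, "bob": "reject"}), Server(5, reachable=False)],
    "tacacs+": [Server(0, verdict={"bob": 7, "carol": 3})],
}
LOCAL_USERS = {"admin": 15}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, authenticate(["radius", "tacacs+"], GROUPS, LOCAL_USERS, user))
    print("alice", authenticate(["local", "radius"], GROUPS, LOCAL_USERS, "alice"))
```

Running it shows bob rejected by RADIUS although TACACS+ would have accepted him, and alice rejected by local when local is listed first, so the remote servers are never consulted.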
- no aaa authentication <console|ssh>
Disable remote authentication.
5.6. Show Commands
- show aaa server debug
Display debug information for all configured connections. The output is as follows:
    nfware# show aaa server debug
    Radius server #0: 192.168.1.10 auth-port:1812 acct-port:1813 Accept: 0 Reject: 0 Connection error: 0
    Tacacs+ server #0: 192.168.1.11:49 Accept: 95 Reject: 0 Connection error: 0
- show aaa server radius
Display information about RADIUS connections: IP address or hostname, auth-port and acct-port.
- show aaa server tacacs+
Display information about TACACS+ connections: IP address or hostname and port.
- show aaa sessions
Display information about all sessions. The output includes: Username, TTY, Remote IP, Authenticator, Start Time, Last Activity, ID.
- show aaa sessions username [USERNAME]
Display information about sessions for the specified user.
- clear aaa session SESSION_ID
Clear the specified session.