AAA Configuration
Introduction

AAA provides a security management mechanism built on three functions: authentication, authorization, and accounting.

- Authentication verifies the identity of remote users accessing the network and decides whether access is granted to legitimate network users.
- Authorization assigns different permissions to different users, restricting the services they may use according to their roles and privileges.
- Accounting records user operations during network service usage, including service type, start time, data usage, and so on. These records document resource usage, can support billing by time or data volume, and also serve as a monitoring trail.

AAA uses a client/server architecture. The client typically runs on a network access server (NAS), which verifies user identities and manages their access. The servers hold user information centrally and carry out the authorization and accounting processes.

AAA Authentication Schemes

AAA divides users by access method into two types:

- Login users: management users who log in to the device, for example over SSH or the console port.
- Access users: users who access the network through methods such as 802.1X authentication or MAC authentication.

Login users

The device supports the following authentication methods for login users:

- TACACS+ authentication: user information is configured on a TACACS+ server, and that server authenticates the users.
- Local authentication: local users are created on the device and their information is stored locally; the device itself acts as the authentication server for these users.

When the authentication method is configured as TACACS+ and local, SSH login users are authenticated against the TACACS+ server first, while users logging in via the console port are authenticated locally first. The default method is local authentication.

Access users

The device supports the following authentication methods for access users:

- RADIUS authentication: user information is configured on a RADIUS server, and the RADIUS server authenticates the users. Authentication methods such as PAP, CHAP, EAP, and MAB can be used.
- No authentication: by default, no authentication is performed.

AAA Authorization Schemes

Login users

For login users, the authorization server returns a user group ID to the device. The device supports four user groups, each with an ID and a fixed set of permissions:

- 0: the user can only reach the klish prompt and cannot run any configuration or show command.
- 1: the user can run show commands in system view but cannot enter the config view to make configuration changes.
- 2: the user can enter the config view and run configuration and show commands at the system level, but cannot perform system-level operations such as reboot or update.
- 15: the highest privilege level; the user can perform all operations.

Access users

For access users, the RADIUS server returns an ACL (access control list) number. The corresponding ACL rules must already be configured on the device; after successful authentication, the device binds those rules to the access port on which the user authenticated. Note that this authorization feature applies only to the MAB (MAC authentication bypass) authentication method.

AAA Configuration

Configuration tasks:

- Configure the AAA authentication method for login users (required)
- Configure the AAA authorization method for login users (required)
- Configure the TACACS+ server (required)
- Configure AAA server failover (optional)

Configuring the AAA Authentication Method for Login Users

Users may configure a single authentication method or both methods together. When both are configured, TACACS+ is tried first; if the TACACS+ server cannot be reached and AAA server failover is enabled, the device falls back to local authentication and authorization.

Operation                                              Command
Enter the system configuration view                    configure terminal
Configure the authentication method for login users    aaa authentication login {tacacs+ | local}

Configuring the AAA Authorization Method for Login Users

Operation                                              Command
Enter the system configuration view                    configure terminal
Configure the authorization method for login users     aaa authorization command {tacacs+ | local}

Configuring the TACACS+ Server

Operation                                              Command
Enter the system configuration view                    configure terminal
Configure the TACACS+ server                           tacacs <ip-address> [key <key-value>] [pri <priority>] [auth type {chap | pap | mschap | login}] [mgmt vrf] [port <number>]

The key value must match the shared secret configured on the TACACS+ server; it is what protects the exchange between the device and the server.

Configuring AAA Server Failover

Enabling failover ensures that a failure of the TACACS+ authentication server does not block the authentication and authorization of local users. Failover takes effect when the server cannot be reached; while the server is reachable, its decision is final.

Operation                                              Command
Enter the system configuration view                    configure terminal
Enable AAA server failover                             aaa authentication failthrough enable

TACACS+ Authentication Configuration Example

Network requirements

- Use a TACACS+ server to authenticate and authorize SSH users logging in to the device. Authenticated users can run all system commands.
- When the TACACS+ server is unreachable, the device can still be managed through local users.

Procedure

# Configure TACACS+ and local user authentication for login users
sonic(config)# aaa authentication login tacacs+ local
# Configure command authorization for TACACS+ and local users
sonic(config)# aaa authorization command tacacs+ local
# Configure the TACACS+ server IP address
sonic(config)# tacacs 150.0.0.3

Verification

- While the TACACS+ server connection is normal, logging in to the device with a local user fails.
- While the TACACS+ server connection is normal, a TACACS+ user logs in normally and can run all command lines on the device.
- While the TACACS+ server is disconnected, a local user logs in successfully and can run all command lines on the device. This fallback depends on AAA server failover being enabled (see Configuring AAA Server Failover).

Local User Configuration Example

Network requirements

- Create a local user named testera with password aabb1122.
- Block the local user after 5 consecutive wrong passwords, with a lockout time of 5 minutes.

Procedure

# Create the local user
sonic(config)# local user name testera passwd aabb1122
# Configure the security policy for consecutive wrong passwords
sonic(config)# local user block time 5
sonic(config)# local user retry count 5

Verification

- Log in to the device with the local user; the login succeeds.
- Log in with a wrong password repeatedly, then view the user's information and lockout status:

sonic# show local user brief
User      Online   Blocked   Login IP         Login Time
admin     yes      no        192.168.0.109    2022-09-02 01:13
testera   no       yes       192.168.0.109    2022-09-02 01:10
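The following Python model, added here as an illustration and not taken from the guide or the device software, shows the login method list semantics that the TACACS+ configuration example and the failover section describe: with `aaa authentication login tacacs+ local`, a TACACS+ accept or reject is final, and the local method is only consulted when the server is unreachable and failover (`aaa authentication failthrough enable`) is on. The user group IDs 0/1/2/15 and their permissions follow the authorization section. The TACACS+ server is a stub, the usernames and passwords are constructed, the group assigned to local users is an assumption, and console-port ordering is not modeled.

```python
"""Model of the login AAA method list 'tacacs+ local' with and without failthrough.

Added example, not device code. Credentials below are constructed sample data;
assigning group 15 to local users is an assumption, not something the page states.
"""
from dataclasses import dataclass

# Constructed sample credential stores (not real accounts).
TACACS_USERS = {"netops": ("tacacs-pw", 15), "helpdesk": ("ro-pw", 1)}
LOCAL_USERS = {"testera": ("aabb1122", 15)}  # group 15 for local users: assumption

# Command classes each user group may run, following the page's group descriptions.
GROUP_PERMISSIONS = {
    0: set(),                                    # klish prompt only, no show/config
    1: {"show"},                                 # show commands in system view
    2: {"show", "config"},                       # plus the config view
    15: {"show", "config", "reboot", "update"},  # all operations incl. system ones
}


@dataclass
class TacacsServer:
    users: dict
    reachable: bool = True

    def authenticate(self, user: str, password: str):
        """Return ('accept', group) | ('reject', None) | ('unreachable', None)."""
        if not self.reachable:
            return "unreachable", None
        entry = self.users.get(user)
        if entry and entry[0] == password:
            return "accept", entry[1]
        return "reject", None


@dataclass
class LoginAaa:
    methods: list        # e.g. ["tacacs+", "local"]
    failthrough: bool    # 'aaa authentication failthrough enable'
    server: TacacsServer
    local_users: dict

    def login(self, user: str, password: str):
        """Return (granted, method_that_decided, group_id)."""
        for method in self.methods:
            if method == "tacacs+":
                decision, group = self.server.authenticate(user, password)
                if decision == "accept":
                    return True, "tacacs+", group
                if decision == "reject":
                    # An explicit reject is final: failthrough never turns a bad
                    # credential into a retry against the local user database.
                    return False, "tacacs+", None
                # Server unreachable: move on only if failover is enabled.
                if not self.failthrough:
                    return False, "tacacs+", None
                continue
            if method == "local":
                entry = self.local_users.get(user)
                if entry and entry[0] == password:
                    return True, "local", entry[1]
                return False, "local", None
        return False, None, None


def command_allowed(group_id, command_class: str) -> bool:
    """Authorization check of a command class against the group ID returned by AAA."""
    return command_class in GROUP_PERMISSIONS.get(group_id, set())


def scenario(server_up: bool, failthrough: bool, user: str, password: str):
    """One login attempt under a given server state and failthrough setting."""
    aaa = LoginAaa(["tacacs+", "local"], failthrough,
                   TacacsServer(TACACS_USERS, reachable=server_up), LOCAL_USERS)
    return aaa.login(user, password)


if __name__ == "__main__":
    # The page's verification steps, in order.
    print(scenario(True, True, "testera", "aabb1122"))   # (False, 'tacacs+', None)
    print(scenario(True, True, "netops", "tacacs-pw"))   # (True, 'tacacs+', 15)
    print(scenario(False, True, "testera", "aabb1122"))  # (True, 'local', 15)
    print(scenario(False, False, "testera", "aabb1122")) # (False, 'tacacs+', None)
```

The third and fourth calls show why the failover step is not really optional for the example's last verification check: without failthrough, an unreachable TACACS+ server leaves no path to the local users at all.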

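The lockout policy from the local user example (`local user retry count 5`, `local user block time 5`) is modeled below as an added Python example; it is not code from the guide or the device. It shows the behaviour a practitioner would verify after configuring the policy: the counter tracks consecutive wrong passwords, a correct password resets it, the fifth failure blocks the account for the configured window, a correct password during the window is still refused, and the block clears once the window expires. The clock is injected so the example runs offline; usernames and passwords are constructed.

```python
"""Model of the local-user lockout policy 'retry count 5' / 'block time 5'.

Added example, not device code. Accounts below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    retry_count: int = 5    # consecutive wrong passwords before the user is blocked
    block_minutes: int = 5  # how long the user stays blocked


@dataclass
class LocalUserStore:
    users: dict                      # user -> password (constructed sample data)
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)       # user -> consecutive failures
    blocked_until: dict = field(default_factory=dict)  # user -> unblock time (seconds)

    def is_blocked(self, user: str, now: float) -> bool:
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout window has expired: clear both the block and the counter.
            del self.blocked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password', 'blocked' or 'no_such_user'."""
        if self.is_blocked(user, now):
            return "blocked"  # a correct password is not even checked while blocked
        expected = self.users.get(user)
        if expected is None:
            return "no_such_user"
        if password == expected:
            self.failures.pop(user, None)  # success resets the consecutive counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.policy.retry_count:
            self.blocked_until[user] = now + self.policy.block_minutes * 60
            return "blocked"
        return "bad_password"

    def brief(self, now: float):
        """Rows in the spirit of 'show local user brief': (user, blocked)."""
        return [(u, self.is_blocked(u, now)) for u in sorted(self.users)]


def simulate():
    """Replay the page's scenario: five wrong passwords, then correct ones inside
    and after the 5-minute window."""
    store = LocalUserStore({"admin": "admin-pw", "testera": "aabb1122"}, LockoutPolicy())
    t0 = 0.0
    results = [store.login("testera", "wrong", t0 + i) for i in range(5)]
    during = store.login("testera", "aabb1122", t0 + 60)    # inside the window
    rows_while_blocked = store.brief(t0 + 60)               # admin unaffected
    after = store.login("testera", "aabb1122", t0 + 6 * 60) # window expired
    return results, during, after, rows_while_blocked


if __name__ == "__main__":
    for item in simulate():
        print(item)
```

Note the trade-off the policy carries: blocking is keyed on the username, so anyone who can reach the login prompt can lock out a known account for the block time without knowing its password. The `brief` rows show the other account stays usable, which is why the retry count and block time should be chosen together with how quickly an administrator can regain access.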