Command Line Reference
User Access And Authentication
AAA Configuration
show aaa

[command] show aaa
[purpose] View the authentication, authorization and accounting (AAA) settings configured on the network node.
[view] System view
[use cases]
sonic# show aaa
aaa accounting debug false
aaa accounting command local (default)
aaa authentication debug false
aaa authentication login tacacs+,local
aaa authentication failthrough true
aaa authentication fallback true
aaa authorization debug false
aaa authorization auth cmd false
aaa authorization command tacacs+,local
aaa authorization auth service true

aaa accounting command {tacacs+|radius|local|default}

[command] aaa accounting command {tacacs+|radius|local|default}
[purpose] Configure the AAA command accounting method.
[parameter]
parameter   description
tacacs+     command accounting on a TACACS+ server
radius      command accounting on a RADIUS server
local       local command accounting
default     reset to the default value (local accounting)
[view] System configuration view
[notes] After TACACS+ or RADIUS accounting is enabled, commands executed by users at the command line are logged on the TACACS+ or RADIUS server.
[important notes]
tacacs+ and local can be used independently or in combination.
radius and local can be used independently or in combination.
tacacs+ and radius cannot be used in combination.
Configure the accounting method to match the authentication method: either both use local, both use tacacs+, or both use radius.
[use cases]
sonic(config)# aaa accounting command local tacacs+

aaa authentication debug enable

[command] aaa authentication debug enable
no aaa authentication debug enable
[purpose] Enable user authentication debug information.
[view] System configuration view
[notes] When authentication debug information is enabled, the authentication details of every user are written to /var/log/syslog during the authentication process. The setting is intended for troubleshooting login problems; turn it off again afterwards with the no form.
[use cases]
sonic(config)# aaa authentication debug enable

aaa authentication failthrough {enable|default}

[command] aaa authentication failthrough {enable|default}
no aaa authentication failthrough enable
[purpose] Enable fail-through.
[view] System configuration view
[notes] Configure this command when multiple TACACS+ servers are set up and TACACS+ authentication is enabled. With fail-through enabled, an authentication request that fails on the first server proceeds to the next server, and so on until a server responds or every configured server has been polled. With fail-through disabled, an authentication failure on the first server ends the authentication process and login to the device is denied.
Also configure this command when both TACACS+ authentication and local authentication are enabled: after TACACS+ server authentication fails, the device then attempts authentication against the local user database. Because a login rejected by the TACACS+ server can still succeed locally, local accounts must be maintained as carefully as the accounts on the server (strong passwords, no unused accounts).
[use cases]
sonic(config)# aaa authentication failthrough enable

aaa authentication fallback {enable|default}

[command] aaa authentication fallback {enable|default}
no aaa authentication fallback enable
[purpose] Enable fallback.
[view] System configuration view
[notes] Configure this command when multiple TACACS+ servers are set up and TACACS+ authentication is enabled. Fallback enables sequential authentication attempts when some TACACS+ servers become unreachable. Without fallback, authentication is attempted only on the highest-priority TACACS+ server; if that attempt fails, device login does not proceed normally.
[use cases]
sonic(config)# aaa authentication fallback enable

aaa authentication login {tacacs+|radius|local|default}

[command] aaa authentication login {tacacs+|radius|local|default}
[purpose] Configure the AAA login authentication method.
[parameter]
parameter   description
tacacs+     remote authentication on a TACACS+ server
radius      remote authentication on a RADIUS server
local       local authentication
default     reset to the default value (local authentication only)
[view] System configuration view
[notes] In enterprise networks, user identities must be verified so that only authorized users can access network resources. This command lets the administrator select the login authentication method for the scenario at hand, improving both security and manageability.
[important notes] tacacs+, radius and local are optional parameters that can be configured individually or in combination, but tacacs+ and radius cannot be configured at the same time.
[use cases]
sonic(config)# aaa authentication login tacacs+ local
sonic(config)# aaa authentication login radius local

aaa authorization debug enable

[command] aaa authorization debug enable
[purpose] Enable user authorization debug information.
[view] System configuration view
[notes] When authorization debug information is enabled, the permission details of each user are written to /var/log/syslog after the user authenticates and logs in successfully.
[use cases]
sonic(config)# aaa authorization debug enable

aaa authorization command {tacacs+|radius|local|default}

[command] aaa authorization command {tacacs+|radius|local|default}
[purpose] Configure the AAA command-line authorization method.
[parameter]
parameter   description
tacacs+     command authorization on a TACACS+ server
radius      command authorization on a RADIUS server
local       local command authorization
default     reset to the default value (local authorization)
[view] System configuration view
[notes] tacacs+, radius and local are optional parameters that can be configured individually or in combination, but tacacs+ and radius cannot be configured at the same time.
After TACACS+ or RADIUS authorization is enabled, the system authorizes commands according to the user level configured for that user on the TACACS+ or RADIUS server. Four permission tiers are supported:
level   permission
0       non-login user
1       read-only user; only show commands are permitted
2-14    regular user; may execute all commands except system commands (reboot, image update, delete startup config)
15      system user; may execute all commands, including system commands
[use cases]
sonic(config)# aaa authorization command tacacs+,local

aaa authorization mode {service|cmd} enable

[command] aaa authorization mode {service|cmd} enable
no aaa authorization mode {service|cmd} enable
[purpose] Configure the AAA command authorization mode.
[parameter]
parameter   description
service     grant command-line permissions per service (functional feature)
cmd         authorize each command line by regular-expression match
[view] System configuration view
[notes] When users are authenticated by TACACS+ or RADIUS and finer-grained authorization than the user level is required, service or cmd authorization can be configured.
service authorizes by the service associated with a functional feature. For example, a level 2 user may be allowed to enter the interface view and perform the related operations, but not to configure other functions.
cmd classifies commands by keyword. For example, commands containing show or ping are authorized while all other commands fail authorization and are not permitted.
When several authorization methods are in effect, they are evaluated in the order user level > service authorization > command-line authorization. A failure at a higher level ends the process immediately: if the user lacks sufficient permission at that level, the lower levels are not evaluated.
[important notes]
For the mapping between functional features and services, consult technical support.
Enabling service authorization and command-line authorization at the same time is not recommended.
During cmd authorization, whether or not service authorization is configured on the device, the evaluation order on the server side remains user level > service authorization > command-line authorization.
[use cases]
sonic(config)# aaa authorization mode service enable
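The authorization order described under aaa authorization mode (user level, then service authorization, then command-line authorization, stopping at the first failure) is easier to reason about in code. The following is an added example written for this page, not the switch's own implementation. The four privilege tiers follow the reference; the VIEW_SERVICE mapping, the service names, the spelling of the system commands and the regexes are illustrative assumptions, since the real feature-to-service mapping is only available from technical support.

```python
"""Model of the AAA authorization order: user level > service > cmd.

Added example for this page, not the switch's own code. Privilege tiers
follow the reference (0 no login, 1 read-only, 2-14 regular, 15 system);
VIEW_SERVICE, the service names and the patterns are made-up assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# System commands reserved for level 15 (command spelling assumed).
SYSTEM_CMDS = ("reboot", "image update", "delete startup")

# Assumed mapping from the first keyword of a command to a service name.
VIEW_SERVICE = {"interface": "interface", "vlan": "vlan", "router": "routing"}


@dataclass
class User:
    name: str
    level: int                                             # 0..15 from the server
    services: Set[str] = field(default_factory=set)        # service authorization
    cmd_patterns: List[str] = field(default_factory=list)  # cmd authorization regexes


@dataclass
class Decision:
    allowed: bool
    stage: str    # stage that produced the decision: level, service, cmd or none
    reason: str


def level_check(user: User, cmd: str) -> Optional[str]:
    """Reason the privilege level rejects cmd, or None if the level permits it."""
    if user.level <= 0:
        return "level 0: non-login user"
    if user.level == 1 and not cmd.startswith("show"):
        return "level 1: read-only, show commands only"
    if user.level < 15 and cmd.startswith(SYSTEM_CMDS):
        return f"level {user.level}: system commands require level 15"
    return None


def authorize(user: User, cmd: str, service_mode: bool = False,
              cmd_mode: bool = False) -> Decision:
    """Evaluate level > service > cmd; a failure at a higher stage ends the check."""
    reason = level_check(user, cmd)
    if reason:
        return Decision(False, "level", reason)
    if service_mode:
        # Commands whose first keyword maps to no service (e.g. show) pass this stage.
        service = VIEW_SERVICE.get((cmd.split() or [""])[0])
        if service and service not in user.services:
            return Decision(False, "service", f"service '{service}' not granted")
    if cmd_mode and not any(re.search(p, cmd) for p in user.cmd_patterns):
        return Decision(False, "cmd", "no command-line pattern matched")
    return Decision(True, "none", "permitted")


if __name__ == "__main__":
    readonly = User("audit", 1, cmd_patterns=[r"^reboot"])
    ops = User("ops", 2, services={"interface"})
    admin = User("admin", 15, cmd_patterns=[r"^(show|ping)\b"])
    for u, c, s, m in [(readonly, "reboot", False, True),
                       (ops, "interface Ethernet0", True, False),
                       (ops, "vlan 10", True, False),
                       (admin, "reboot", False, True),
                       (admin, "reboot", False, False)]:
        d = authorize(u, c, service_mode=s, cmd_mode=m)
        verdict = "allow" if d.allowed else "deny "
        print(f"{u.name:6} {c:20} -> {verdict} [{d.stage}] {d.reason}")
```

Two properties of the order are worth noticing. A cmd pattern can only narrow what a user may run, never widen it: the read-only user above holds a pattern matching reboot yet is still stopped at the level stage. And because cmd authorization requires at least one match, a user with cmd mode enabled and no patterns at all is denied every command, so patterns must be provisioned before the mode is switched on.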
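The important notes above (tacacs+ and radius never combined, accounting matched to the authentication method, local accounts reachable through fail-through) are easy to violate and easy to check from `show aaa` output. The following audit script is an added example for this page, not code from the switch or its vendor. It assumes the "aaa <group> <setting> <value>" layout shown in the `show aaa` use case; the embedded sample dump is copied from that use case and the finding texts are the script's own.

```python
"""Audit a `show aaa` dump against the rules stated in this reference.

Added example, not code from the switch or its vendor. Assumes the
"aaa <group> <setting> <value>" line layout of the `show aaa` use case.
"""
import re
from typing import Dict, List

# "aaa authentication login tacacs+,local" -> group, setting, value. A trailing
# "(default)" marker, as in "aaa accounting command local (default)", is dropped.
LINE_RE = re.compile(r"^aaa\s+(\S+)\s+(.+?)\s+(\S+)(?:\s+\(default\))?\s*$")


def parse_show_aaa(text: str) -> Dict[str, str]:
    """Return {"authentication login": "tacacs+,local", ...} from the dump."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("aaa "):
            continue  # prompt line and blanks
        m = LINE_RE.match(line)
        if m:
            group, setting, value = m.groups()
            settings[f"{group} {setting}"] = value
    return settings


def methods(value: str) -> List[str]:
    """Split a method list such as "tacacs+,local" (or "tacacs+ local")."""
    return [m for m in re.split(r"[,\s]+", value) if m]


def audit(settings: Dict[str, str]) -> List[str]:
    """Findings for combinations the reference forbids or that widen the login
    attack surface. Absent settings are treated as their defaults (local, debug off)."""
    findings: List[str] = []
    login = methods(settings.get("authentication login", "local"))
    acct = methods(settings.get("accounting command", "local"))
    authz = methods(settings.get("authorization command", "local"))

    # tacacs+ and radius may never be combined in any of the three method lists.
    for name, ms in (("authentication login", login),
                     ("accounting command", acct),
                     ("authorization command", authz)):
        if "tacacs+" in ms and "radius" in ms:
            findings.append(f"{name}: tacacs+ and radius cannot be combined")

    # Accounting must use the same remote method as authentication
    # (both local, both tacacs+ or both radius).
    remote_login = {m for m in login if m != "local"}
    remote_acct = {m for m in acct if m != "local"}
    if remote_login != remote_acct:
        findings.append(f"accounting ({','.join(acct)}) does not match "
                        f"authentication ({','.join(login)})")

    # With failthrough on, a rejection by the TACACS+/RADIUS server is retried
    # against the local user database, so local passwords are a second login path.
    if (settings.get("authentication failthrough") == "true"
            and remote_login and "local" in login):
        findings.append("failthrough true with local in login methods: "
                        "local accounts are reachable after a server rejection")

    # Debug output goes to /var/log/syslog and is meant for troubleshooting only.
    for key in ("authentication debug", "authorization debug", "accounting debug"):
        if settings.get(key) == "true":
            findings.append(f"{key} enabled; disable after troubleshooting")
    return findings


# Sample dump copied from the `show aaa` use case in this reference.
SAMPLE_FROM_PAGE = """\
sonic# show aaa
aaa accounting debug false
aaa accounting command local (default)
aaa authentication debug false
aaa authentication login tacacs+,local
aaa authentication failthrough true
aaa authentication fallback true
aaa authorization debug false
aaa authorization auth cmd false
aaa authorization command tacacs+,local
aaa authorization auth service true
"""

if __name__ == "__main__":
    for finding in audit(parse_show_aaa(SAMPLE_FROM_PAGE)):
        print("finding:", finding)
```

Run against the page's own sample output, the script reports two findings: accounting is still local while login authentication uses tacacs+, and fail-through is enabled with local in the login list. Pipe real output in over SSH (for example `ssh switch show aaa | python3 aaa_audit.py` with the `__main__` block reading stdin instead of the sample) to use it in a configuration review.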
