User Access and Authentication Configuration Guide

aaa configuration aaa configuration introduction introduction aaa configuration provides a security management mechanism known as authentication, authorization, and accounting it encompasses three essential security functions authentication this process verifies the identity of remote users accessing the network and determines whether the access is granted to legitimate network users authorization it involves assigning varying permissions to different users, restricting the services they can use based on their roles and privileges accounting this involves recording all user operations during their network service usage, including service types, start times, data usage, etc it is used for collecting and documenting user resource usage and can also facilitate billing based on time and data consumption it also serves a monitoring purpose aaa employs a client/server architecture, where the client typically runs on network access servers (nas) responsible for verifying user identities and managing their access servers centralize user information and execute authorization and accounting processes aaa authentication schemes aaa authentication schemes aaa categorizes users based on different access methods into the following types login users these are the management users who log in to the device, such as users logging in via ssh or the console port access users these are the users accessing the network using methods like 802 1x authentication or mac authentication login users login users the device supports the following authentication methods local authentication local users are created on the device, and their information is stored locally the device acts as an authentication server for these users when the aaa authentication method is configured as local users, ssh login users are primarily authenticated using aaa for users logging in via the console port, local authentication is given priority the default method is local authentication aaa authorization schemes aaa authorization schemes login users login users for login users, the authorization server sends a user group id to the device the device supports four types of user groups, each corresponding to an id and specific permissions 0 users can only access the klish interface and cannot perform any configuration or show operations 1 users can access the klish interface, execute show commands in system view, but cannot enter the config view for configuration 2 users can access the config view, allowing configuration and show commands at the system level however, they cannot execute system level operations like reboot or update 15 users possess the highest privilege level, granting them permission to perform all operations access users access users for access users, the radius server sends an acl (access control list) number the device must have the corresponding acl rules configured in advance after successful authentication, the device automatically binds the acl rules to the designated access port based on the authentication result it's important to note that the authorization feature is only applicable to mab (mac authentication bypass) authentication method local user configuration example local user configuration example network requirements create a local user, login as testera, password aabb1122 set the number of consecutive incorrect password entries for the local user to 5 and the lockout time to 5 minutes procedure 1 create local user sonic(config)# local user name testera passwd aabb1122 2 configure the security policy when continuously entering password measures sonic(config)# local user block time 5 sonic(config)# local user retry count 5 verify configuration 1 login to the device using the local user and login successfully 2 login to the device with the wrong password to view the information and lockout status of this user sonic# show local user brief user online blocked login ip login time admin yes no 192 168 0 109 2022 09 02 01 13 testera no yes 192 168 0 109 2022 09 02 01 10