Authentication, Authorisation and Accounting
Introduction
Authentication, Authorisation and Accounting (AAA) is an umbrella term referring to protocols and methods that can be used to handle and verify user access.
The three terms refer to who is allowed to access a device (Authentication), which actions a user is permitted to perform once access is granted (Authorisation), and keeping a record of the actions that were performed (Accounting).
For some use-cases utilising the system's AAA options, refer to the following:
Overview
AAA in the system has two parts that work together. First, one or more AAA methods of different types are set up. Then a configured AAA method is bound to a service in the system that supports AAA; the login service is the primary example.
Methods
The AAA framework in the system has support for a number of different AAA methods, presented below:
- Built-in Accounts: Pre-existing accounts present on the system. As an example, the admin user is one such account. For more information see Built-in Accounts HowTo.
- Local Databases: Allows storing of credentials locally on the device, with no need for any external infrastructure. For more information see Local Databases HowTo.
- Remote Servers: Centralised authentication on remote servers via RADIUS and TACACS+. For additional information see Remote Servers HowTo.
Services
The system currently supports AAA methods for the following services:
Service | Remote Server | Local Database | Built-in Accounts |
---|---|---|---|
Login | X | X | X |
OpenVPN | X | X | |
Login Service
The login service can be bound to any of the AAA methods that the system supports in order to authenticate the user.
- Built-in Accounts (Implicit): The built-in login method is implicit and is always tried after any other login method that has been configured.
- Local Database or Remote Server (Optional): The login service can be configured to use either a Local Database or a Remote Server as its authentication method. If one of these methods is configured for the login service, it is tried first at every login attempt; the Built-in Accounts are the fallback.
OpenVPN
The system's AAA methods can be used to authenticate OpenVPN clients. The OpenVPN client authenticates itself using a certificate, and optionally also via username and password. When using this option, a system acting as an OpenVPN server can use either a local database or a central server (or server group) to verify the client's username and password.
For an example of how this can be done refer to this HowTo:
Configuration
The AAA configuration is spread over a number of different context levels, each area having its settings in its own sub-menu.
General Settings
AAA is configured from the configuration context in the CLI. This context contains the overall AAA configuration and gives access to all other AAA sub-contexts.
example:/#> configure
example:/config/#> aaa
example:/config/aaa/#>
Syntax
username NAME [password | hash] PASSWORD
- Set the password for specific allowed users, like the admin user.
- NAME: The user to change the password for.
- PASSWORD: Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars. Allow
[no] local-db ID [plain]
- Create and manage local databases. Default type is ‘hash’, but the keyword ‘plain’ can be used to create a database that contains plain text passwords. The type can only be defined once, when the local database is created; therefore the keyword is not available in the sub-configuration context.
  Note: Enters a sub-configuration context.
- no: Remove a specific local database if an ID is provided, otherwise remove all local databases.
- ID: Id in the range 0-4; any other id is invalid.
[no] remote-server ID [type <radius | tacacs>]
- Create and manage remote authentication servers.
  Note: Enters a sub-configuration context.
- no: Remove a specific remote server if an ID is provided, otherwise remove all servers.
- ID: Id in the range 0-5; any other id is invalid.
- type: The type of remote server to create, either radius or tacacs. This setting can still be changed in the server configuration.
[no] server-group ID [type <radius | tacacs>]
- Create and manage server groups.
  Note: Enters a sub-configuration context.
- no: Remove a specific server group if an ID is provided, otherwise remove all server groups.
- ID: Id in the range 0-1; any other id is invalid.
- type: The type of server group to create, either radius or tacacs. This setting can still be changed in the server group configuration.
[no] login
- Manage the login method.
  Note: Enters a sub-configuration context.
- no: Remove any configured login method.
Local Database Settings
Configure a local database and enter its configuration context. When creating a local database the ID must be a number from 0 to 4.
example:/config/aaa/#> local-db 0
Creating new local db 0
example:/config/aaa/local-db-0/#>
Syntax
[no] username NAME [password | hash] PASSWORD
- Add a user to this local database.
- no: Remove a specific user based on the provided NAME.
- NAME: The user to add or change the password for.
- PASSWORD: Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.
[no] description STRING
- Free form description of this local database.
- no: Remove any description.
- STRING: Free form text with a maximum length of 15 characters.
Remote Server Settings
Configure a remote server and enter its configuration context. When creating a remote server the ID must be a number from 0 to 5.
example:/config/aaa/#> remote-server 0
Creating new remote server 0
example:/config/aaa/remote-server-0/#>
Syntax
[no] type <radius | tacacs>
- Set the remote server type to be either radius or tacacs.
- no: Reset the type to its default setting, radius.
[no] description STRING
- Free form description of this remote server.
- no: Remove any description.
- STRING: Free form text with a maximum length of 15 characters.
[no] address <IP | FQDN>
- Address of the remote server.
- no: Remove any configured address.
- IP: IP address in standard dotted-quad notation, e.g. 192.168.1.1.
- FQDN: A fully qualified domain name.
[no] password PASSWORD
- Password for the remote server.
  Note: May not be empty.
- no: Remove the currently configured password.
- PASSWORD: Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.
[no] auth-port PORT
- Authentication port to connect to on the remote server.
- no: Use the default port for the selected type of server. For radius it is 1812 and for tacacs it is 49.
- PORT: The port number to use.
Server Group Settings
Configure a server group and enter its configuration context. When creating a server group the ID must be a number from 0 to 1.
example:/config/aaa/#> server-group 0
Creating new server group 0
example:/config/aaa/server-group-0/#>
Syntax
[no] type <radius | tacacs>
- Set the server group type to be either radius or tacacs.
- no: Reset the type to its default setting, radius.
[no] description STRING
- Free form description of this server group.
- no: Remove any description.
- STRING: Free form text with a maximum length of 15 characters.
[no] server <ID|ID,ID,...>
- Remote server(s) to be part of the server group.
  Note: When using a server group for authentication each server is tried in order. If a response is received from any of the servers, the remaining ones in the group are not tried.
- no: Remove any configured server IDs.
- ID: Id of a remote-server to be part of the server group.
Login Settings
Configure the login authentication method and enter its configuration context:
example:/config/aaa/#> login
example:/config/aaa/login/#>
Syntax
[no] method <group <GID>|server <ID>|local-db <ID>>
- Set the authentication method to be used for login requests on the device.
- no: Remove any configured authentication method.
- group: Set an existing server-group with the provided GID as the login authentication method.
- server: Set an existing remote-server with the provided ID as the login authentication method.
- local-db: Set an existing local-db with the provided ID as the login authentication method.
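The session below is an added worked example, not taken from the system's own documentation, that strings together the commands from the Login Service description and the configuration sections above into one complete setup: a hash-type local database (the default, so no `plain` keyword and no clear-text passwords on the device), two TACACS+ remote servers in a server group, and that group bound to the login service. The addresses 192.0.2.10 and 192.0.2.11, the user name `operator`, the REPLACE-WITH-... placeholders, and the `end` command used here to return to the parent context are assumptions; the command names, ID ranges, default ports and prompts are those documented on this page.

```console
example:/#> configure
example:/config/#> aaa
example:/config/aaa/#> local-db 0
Creating new local db 0
example:/config/aaa/local-db-0/#> description operators
example:/config/aaa/local-db-0/#> username operator password REPLACE-WITH-PASSWORD
example:/config/aaa/local-db-0/#> end
example:/config/aaa/#> remote-server 0 type tacacs
Creating new remote server 0
example:/config/aaa/remote-server-0/#> description tacacs-primary
example:/config/aaa/remote-server-0/#> address 192.0.2.10
example:/config/aaa/remote-server-0/#> password REPLACE-WITH-SHARED-SECRET
example:/config/aaa/remote-server-0/#> end
example:/config/aaa/#> remote-server 1 type tacacs
Creating new remote server 1
example:/config/aaa/remote-server-1/#> description tacacs-backup
example:/config/aaa/remote-server-1/#> address 192.0.2.11
example:/config/aaa/remote-server-1/#> password REPLACE-WITH-SHARED-SECRET
example:/config/aaa/remote-server-1/#> end
example:/config/aaa/#> server-group 0 type tacacs
Creating new server group 0
example:/config/aaa/server-group-0/#> description tacacs-group
example:/config/aaa/server-group-0/#> server 0,1
example:/config/aaa/server-group-0/#> end
example:/config/aaa/#> login
example:/config/aaa/login/#> method group 0
example:/config/aaa/login/#> end
example:/config/aaa/#> show aaa
```

Points worth checking before relying on this: `auth-port` is left unset on both servers, so the documented default of 49 for tacacs applies; the order given in `server 0,1` is the order in which the group tries the servers, and a response from server 0 (accept or reject) means server 1 is never consulted; once `method group 0` is set, the group is tried first for every login and the Built-in Accounts remain the implicit fallback, so the admin password set with `username admin password ...` in the aaa context still matters. The local database created here is not bound to the login service because `method` accepts a single method; it is shown only to contrast the default hash type with the `plain` option. All description strings stay within the documented 15-character limit and the placeholder secrets use only the allowed ASCII 33-126 characters.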
Status
Show any user currently connected to the device, and the authentication method used when connecting to the device.
example:/#> show users
TYPE USERNAME REMOTE HOST LOGIN
Console admin Wed Aug 14 08:47:02 2019
Show AAA status, same information as when in config mode.
example:/#> show aaa
Show local-db status, same information as when in config mode.
example:/#> show aaa local-db 1
Show local-db status for all databases.
example:/#> show aaa local-db