Authentication, Authorization and Accounting
This chapter is a reference for the authentication:
• Authentication identifies users by challenging them to provide a user name and password. This information can be encrypted if required, depending on the underlying protocol.
• Authorization provides a method of authorizing commands and services on a per user profile basis.
Note: Authorization will be auto-enabled if user enables the Authentication.
• Accounting collects detailed system and command information and stores it on a central server where it can be used for security and quality assurance purposes.
The authentication feature allows you to verify the identity and, grant access to managing devices. The authentication feature works with the access control protocols as described in these chapters:
Note: Only network administrators can execute these commands.
Note: The commands below are supported only on the “management” VRF.
Note: Per-command authorization needs to be enabled explicitly by the user whereas Session based authorization will be implicitly enabled when user enables authentication.
This chapter describes these commands:
aaa authentication login
Use this command to set login authentication behavior.
Use the no form of this command to disable either authentication behavior.
Command Syntax
aaa authentication login error-enable (vrf management|)
no aaa authentication login error-enable (vrf management|)
Parameters
error-enable
Display login failure messages
management
Management VRF
Default
By default, aaa authentication login is local
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#aaa authentication login error-enable vrf management
aaa accounting details
Use this command to set a list of server groups to which to redirect accounting logs.
Use the no form of this command to only log locally.
Command Syntax]
aaa accounting default (vrf management|) ((group LINE)|local)
no aaa accounting default (vrf management|) ((group)|local)
Parameters
group
Server group list for authentication
LINE
A space-separated list of up to 8 configured RADIUS or TACACS+ server group names
local
Use local authentication
management
Management VRF
Default
Default AAA method is local
Default groups: RADIUS or TACACS+
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#aaa accounting default vrf management group radius
aaa authentication login default
Use this command to set the AAA authentication methods.
Use the no form of this command to set the default AAA authentication method (local).
Command Syntax
aaa authentication login default (vrf management|) ((group LINE) | (local (|none)) | (none))
no aaa authentication login default (vrf management|) ((group) | (local (|none)) | (none))
Parameters
group
Use a server group list for authentication
LINE
A space-separated list of up to 8 configured RADIUS or TACACS+, server group names followed by local or none or both local and none. The list can also include:
radius
All configured RADIUS servers
tacacs+
All configured TACACS+ servers
local
Use local authentication
none
No authentication
management
Management VRF
Default
By default, AAA authentication method is local
By default, groups: RADIUS or TACACS+
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#aaa authentication login default vrf management group radius
aaa authorization default
Use this command to enable per-command authorization. By enabling this user should be able to authorize every command executed via configured server.
This authorization will work only when authentication is successful.
Use the no form of this command to disable authorization.
Command Syntax
aaa authorization default (vrf management|) ((group LINE)|local)
no aaa authorization default (vrf management|) ((group LINE)|local)
Parameters
group
Server group list for authentication
LINE
Space-separated list of up to 8 configured TACACS+ server group names
local
Use local authentication
management
Management VRF
Default
Default AAA method is local
Default groups: TACACS+
Command Mode
Configure mode
Applicability
This command is introduced in OcNOS version 6.1.0
Examples
#configure terminal
(config)#aaa authorization default vrf management group tacacs+
aaa authentication login default fallback error
Use this command to enable fallback to local authentication for the default login if remote authentication is configured and all AAA servers are unreachable.
Use the no form of this command to disable fallback to local authentication.
Note: If you have specified
local (use local authentication) in the
aaa authentication login default command, you do not need to use this command to ensure that “fall back to local” occurs.
Command Syntax
aaa authentication login default fallback error local (vrf management|)
no aaa authentication login default fallback error local (vrf management|)
Parameters
management
Management VRF
Default
By default, AAA authentication is local.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#aaa authentication login default fallback error local vrf management
aaa group server
Use this command to create a server group and enter server group configuration mode.
Use the no form of this command to remove a server group.
Command Syntax
aaa group server (radius|tacacs+) WORD (vrf management|)
no aaa group server (radius|tacacs+) WORD (vrf management|)
Parameters
radius
RADIUS server group
tacacs+
TACACS+ server group
WORD
Server group name; maximum 127 characters
management
Management VRF
Default
By default, the AAA group server option is disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#aaa group server radius maxsmart
(config-radius)#
aaa local authentication attempts max-fail
Use this command to set the number of unsuccessful authentication attempts before a user is locked out.
Use the no form of this command to disable the lockout feature.
Command Syntax
aaa local authentication attempts max-fail <1-25>
no aaa local authentication attempts max-fail
Parameters
<1-25>
Number of unsuccessful authentication attempts
Default
By default, the maximum number of unsuccessful authentication attempts before a user is locked out is 3.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#aaa local authentication attempts max-fail 2
aaa local authentication unlock-timeout
Use this command to set timeout value in seconds to unlock local user-account.
Use the no form of this command to set default timeout value in seconds.
Note: This command is applicable only to local user but not for user/s present at the server end to authenticate using TACACS+ or RADIUS.
Command Syntax
aaa local authentication unlock-timeout <1-3600>
no aaa local authentication unlock-timeout
Parameters
<1-3600>
Timeout in seconds to unlock local user-account. Default value is 1200.
Default
By default, the unlock timeout is 1200 seconds
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#aaa local authentication unlock-timeout 1800
debug aaa
Use this command to display AAA debugging information.
Use the no form of this command to stop displaying AAA debugging information.
Command Syntax
debug aaa
no debug aaa
Parameters
None
Command Mode
Executive mode and configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#debug aaa
server
Use this command to add a server to a server group.
Use the no form of this command to remove from a server group.
Command Syntax
server (A.B.C.D | X:X::X:X | HOSTNAME)
no server (A.B.C.D | X:X::X:X | HOSTNAME)
Parameters
A.B.C.D
IPv4 address
X:X::X:X
IPv6 address
Default
None
Command Modes
RADlUS server group configure mode
TACACS+ server group configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#feature tacacs+
(config)#aaa group server tacacs+ TacacsGroup4
(config-tacacs)#server 203.0.113.127
show aaa authentication
Use this command to display AAA authentication configuration.
Command Syntax
show aaa authentication (|vrf(management|all))
Parameters
None
Command Modes
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show aaa authentication
VRF: default
default: local
console: local
Table 17-29 explains the output fields.
Table 17-29: show aaa authentication fields
Entry | Description |
---|
VRF | Virtual Routing and Forwarding (VRF) default support. |
Default | Displays the aaa authentication method list. |
Console | Authentication setting for the console access. |
show aaa authentication login
Use this command to display AAA authentication configuration for login default and login console.
Command Syntax
show aaa authentication login error-enable (|vrf management|all))
Parameters
error-enable
Display setting for login failure messages
vrf
Management VRF or all VRFs
Command Modes
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show aaa authentication login error-enable
VRF: default
disabled
show aaa authorization
Use this command to display AAA authorization configuration.
Command Syntax
show aaa authorization (|vrf(management|all))
Parameters
vrf management
Authorization configs present in Management VRF
vrf all
Authorization configs present in all VRFs
Command Modes
Executive mode
Applicability
This command is introduced in OcNOS version 6.1.0.
Examples
#show aaa authorization
VRF: default
default: group tacacs+
show aaa groups
Use this command to display AAA group configuration.
Command Syntax
show aaa groups (vrf (management|all)|)
Parameters
vrf
Management VRF or all VRFs
Command Modes
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show aaa groups
VRF: default
radius
show aaa accounting
Use this command to display AAA accounting configuration.
Command Syntax
show aaa accounting (vrf (management|all)|)
Parameters
vrf
Management VRF or all VRFs
Command Modes
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show aaa accounting
VRF: default
show running-config aaa
Use this command to display AAA settings in the running configuration.
Command Syntax
show running-config aaa (vrf(management|all)|)
Parameters
vrf
Management VRF or all VRFs
Command Modes
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show aaa accounting
VRF: default
default: local
Table 17-30 explains the output fields.
Table 17-30: show aaa accounting fields
Entry | Description |
---|
VRF | Virtual Routing and Forwarding (VRF) default support. |
Default | Displays the aaa authentication method list. |