AAA Configuration for Console Connection
Overview
OcNOS uses the Authentication, Authorization and Accounting (AAA) protocol to authenticate users through remote RADIUS or TACACS+ servers, or through the local authentication server, before giving access to the device. The console port of OcNOS is accessible (SSH or Telnet) only through the default VRF or the management VRF port. If a user attempts to access the device through a non-VRF interface, access is denied.
AAA authentication from the console port via the default VRF or the management VRF is enhanced so that the remote authentication servers can also be reached through a non-VRF interface.
Feature Characteristics
The OcNOS TACACS+/RADIUS client can reach the authentication server in the default VRF, in the management VRF, or through a non-VRF interface.
The following are supported:
• The default VRF can reach a remote authentication (TACACS+/RADIUS) server in the management VRF
• The management VRF can reach the loopback interface in the default VRF
• AAA servers are defined in both the default and the management VRF
• When no AAA server is reachable, authentication, authorization and accounting are performed by the local authentication server.
• AAA method selection is based on the configuration only, not on the source VRF
Configuration
The following configuration uses a TACACS+ remote server for authentication. The same configuration holds good for a RADIUS authentication server.
Perform the following configurations on the host.
2. In the above configuration, configure the TACACS+ or RADIUS server in both the management and the default VRF. A sample configuration is provided below:
feature tacacs+ vrf management
tacacs-server login host 10.12.97.208 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
feature tacacs+
tacacs-server login host 40.40.40.1 seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
tacacs-server login host 30.30.30.1 seq-num 2 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
3. Create a server group for the management VRF using the following CLI. This command changes the configure mode to server group mode, (config-tacacs)#.
aaa group server tacacs+ TACACS_VRF_MGMT vrf management
Note: An AAA server group name configured in one VRF cannot be used in another VRF. For example, if the TACACS_VRF_MGMT server group is configured in the management VRF, you cannot configure an AAA server group with the same name in any other VRF.
4. Make the TACACS+ server 10.12.30.86 a member of the group TACACS_VRF_MGMT for the default VRF.
server 10.12.30.86
5. Configure the authentication behavior for the default login: the TACACS+ servers in the management VRF, then the non-VRF group, then fallback to the local authentication server if none is configured for the management VRF.
aaa authentication login default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
6. Configure the AAA accounting, authorization and fallback behavior for the management VRF using the following CLIs.
aaa accounting default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authorization default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authentication login default fallback error local non-existent-user vrf management
7. Create a server group for the non-VRF management servers using the following CLI. This command changes the configure mode to server group mode, (config-tacacs)#.
aaa group server tacacs+ TACACS_NON_VRF_MGMT
server 40.40.40.1
server 30.30.30.1
8. Configure the authentication behavior for the console login: the TACACS+ servers in the management VRF, then the non-VRF group, then fallback to the local authentication server if none is configured for the management VRF.
aaa authentication login console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
9. Configure the AAA accounting, authorization and fallback behavior for the console (non-management VRF) using the following CLIs.
aaa accounting console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authorization console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authentication login console fallback error local non-existent-user
Note: If both the management and the default VRF are configured, the default VRF is used to reach the TACACS+/RADIUS server. If the server is not reachable that way, the management VRF is used.
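The procedure above fixes a few rules that are easy to get wrong by hand: every server group named in an AAA method list must exist, a group name may be bound to only one VRF, each method list should end in local so an unreachable server cannot lock out the console, and each group member should be a configured tacacs-server host. The following Python script, added here as an example and not part of OcNOS or IP Infusion's tooling, applies those rules to a saved running-config. The sample config is constructed from the page's show running-config output; the grammar it parses is the simplified subset shown on this page, and the rule that a group's members must be hosts configured in the group's own VRF is an added assumption.

```python
"""Static checks over an OcNOS-style AAA/TACACS+ running-config (added example).

Rules applied: method-list groups must be defined; a group name binds to one
VRF only; method lists end in 'local'; group members are configured hosts.
The VRF-consistency check on members is an assumption, not a documented rule.
"""
import re

# Constructed from the page's 'show running-config' output.
SAMPLE_CONFIG = """\
feature tacacs+ vrf management
tacacs-server login host 10.12.97.208 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
feature tacacs+
tacacs-server login host 40.40.40.1 seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
tacacs-server login host 30.30.30.1 seq-num 2 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
aaa group server tacacs+ TACACS_VRF_MGMT vrf management
 server 10.12.97.208
aaa authentication login default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa accounting default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authorization default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authentication login default fallback error local non-existent-user vrf management
aaa group server tacacs+ TACACS_NON_VRF_MGMT
 server 40.40.40.1
 server 30.30.30.1
aaa authentication login console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa accounting console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authorization console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authentication login console fallback error local non-existent-user
"""

# Constructed misconfiguration: the console login list loses its local fallback,
# and the second group reuses a name already bound to vrf management (which also
# leaves TACACS_NON_VRF_MGMT undefined).
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authentication login console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local",
    "aaa authentication login console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT",
).replace("aaa group server tacacs+ TACACS_NON_VRF_MGMT", "aaa group server tacacs+ TACACS_VRF_MGMT")

HOST_RE = re.compile(r"^tacacs-server login host (\S+)(?: vrf (\S+))?")
GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)(?: vrf (\S+))?$")
MEMBER_RE = re.compile(r"^server (\S+)$")
# Method lists only; the 'fallback error local ...' lines carry no 'group' token.
METHOD_RE = re.compile(r"^aaa (authentication login|authorization|accounting) (\S+)(?: vrf (\S+))? group (.+)$")


def parse_aaa(text):
    hosts, groups, methods, findings = {}, {}, [], []
    current = None  # group whose 'server' sub-mode lines we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HOST_RE.match(line):
            hosts[m.group(1)] = m.group(2) or "default"
            current = None
        elif m := GROUP_RE.match(line):
            name, vrf = m.group(1), m.group(2) or "default"
            if name in groups and groups[name]["vrf"] != vrf:
                findings.append(f"group {name} bound to both VRF {groups[name]['vrf']} and {vrf}")
                current = None  # members of the conflicting definition are dropped
                continue
            current = groups.setdefault(name, {"vrf": vrf, "servers": []})
        elif m := MEMBER_RE.match(line):
            if current is not None:
                current["servers"].append(m.group(1))
        elif m := METHOD_RE.match(line):
            methods.append((m.group(1), m.group(2), m.group(3) or "default", m.group(4).split()))
            current = None
        else:
            current = None  # any other top-level command leaves group sub-mode
    return hosts, groups, methods, findings


def lint_aaa_config(text):
    """Return human-readable findings; an empty list means the config passes."""
    hosts, groups, methods, findings = parse_aaa(text)
    for name, g in groups.items():
        for ip in g["servers"]:
            if ip not in hosts:
                findings.append(f"group {name}: member {ip} is not a configured tacacs-server host")
            elif hosts[ip] != g["vrf"]:  # assumed consistency rule, see docstring
                findings.append(f"group {name} (vrf {g['vrf']}): member {ip} is configured in vrf {hosts[ip]}")
    undefined = set()
    for kind, list_name, vrf, chain in methods:
        undefined.update(ref for ref in chain if ref != "local" and ref not in groups)
        if chain[-1] != "local":
            findings.append(f"{kind} {list_name} (vrf {vrf}) does not end in local; an unreachable server would lock out this path")
    findings.extend(f"method list references undefined server group {ref}" for ref in sorted(undefined))
    return findings


if __name__ == "__main__":
    for finding in lint_aaa_config(BROKEN_CONFIG):
        print(finding)
```

Run against the page's own configuration the linter returns no findings; against the constructed broken variant it reports the duplicate group binding, the console login list with no local fallback, and the now-undefined TACACS_NON_VRF_MGMT group. Feed it the output of show running-config aaa and show running-config tacacs+ concatenated, since the group definitions and the host definitions live in different sections.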
Validation
The following is sample validation show output for the TACACS+ server with the default VRF, the management VRF and the non-VRF interface.
The following output shows the server groups and their member servers:
OcNOS# sh tacacs-server groups
VRF: default
group tacacs+:
server: all configured tacacs servers
group TACACS_NON_VRF_MGMT:
server 40.40.40.1
seq-num 1
port is 49
key is ********
server 30.30.30.1
seq-num 2
port is 49
key is ********
The following output shows the TACACS+ server configuration:
OcNOS#sh tacacs-server vrf management
VRF: management
total number of servers:1
Tacacs+ Server : 10.12.97.208/49
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
(*) indicates last active.
OcNOS#sh tacacs-server
VRF: default
total number of servers:2
Tacacs+ Server : 40.40.40.1/49
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
Tacacs+ Server : 30.30.30.1/49
Sequence Number : 2
Failed Auth Attempts : 0
Success Auth Attempts : 0
Failed Connect Attempts : 0
Last Successful authentication:
(*) indicates last active.
OcNOS#
OcNOS#show running-config tacacs+
feature tacacs+ vrf management
tacacs-server login host 10.12.97.208 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
feature tacacs+
tacacs-server login host 40.40.40.1 seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
tacacs-server login host 30.30.30.1 seq-num 2 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
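The per-server counters in the show tacacs-server output above are the place to notice that a remote server has stopped answering, which matters because the feature falls back to the local authentication server whenever no AAA server is reachable, silently changing which credentials open the console. The following Python script is an added example, not OcNOS tooling: it parses that output into one record per server and flags servers with failed connections or with failures and no successful authentication. Both captures are constructed; the first mirrors the page's healthy output (with indentation added), the second has constructed counters, and its timestamp format is a placeholder rather than the device's real format.

```python
"""Health check over 'show tacacs-server' output (added example, not OcNOS code)."""
import re

# Mirrors the page's healthy 'sh tacacs-server' output, indentation added.
HEALTHY_OUTPUT = """\
VRF: default
total number of servers:2
Tacacs+ Server : 40.40.40.1/49
    Sequence Number : 1
    Failed Auth Attempts : 0
    Success Auth Attempts : 0
    Failed Connect Attempts : 0
    Last Successful authentication:
Tacacs+ Server : 30.30.30.1/49
    Sequence Number : 2
    Failed Auth Attempts : 0
    Success Auth Attempts : 0
    Failed Connect Attempts : 0
    Last Successful authentication:
(*) indicates last active.
"""

# Same layout with constructed counters: 30.30.30.1 is refusing connections.
# The timestamp is a placeholder format, not the device's real one.
DEGRADED_OUTPUT = """\
VRF: default
total number of servers:2
Tacacs+ Server : 40.40.40.1/49
    Sequence Number : 1
    Failed Auth Attempts : 2
    Success Auth Attempts : 12
    Failed Connect Attempts : 0
    Last Successful authentication: 2024-01-15 09:41:07
Tacacs+ Server : 30.30.30.1/49
    Sequence Number : 2
    Failed Auth Attempts : 0
    Success Auth Attempts : 0
    Failed Connect Attempts : 7
    Last Successful authentication:
(*) indicates last active.
"""

VRF_RE = re.compile(r"^VRF:\s*(\S+)")
SERVER_RE = re.compile(r"^Tacacs\+ Server\s*:\s*(\S+?)/(\d+)")
COUNTER_RE = re.compile(r"^(Failed Auth|Success Auth|Failed Connect) Attempts\s*:\s*(\d+)")
LAST_RE = re.compile(r"^Last Successful authentication:\s*(.*)$")
COUNTER_KEYS = {"Failed Auth": "failed_auth", "Success Auth": "success_auth", "Failed Connect": "failed_connect"}


def parse_show_tacacs_server(text):
    """Return one dict per server block, tagged with the VRF header above it."""
    vrf, servers, cur = "default", [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := VRF_RE.match(line):
            vrf = m.group(1)
        elif m := SERVER_RE.match(line):
            cur = {"vrf": vrf, "host": m.group(1), "port": int(m.group(2)),
                   "failed_auth": 0, "success_auth": 0, "failed_connect": 0, "last_success": ""}
            servers.append(cur)
        elif cur is not None and (m := COUNTER_RE.match(line)):
            cur[COUNTER_KEYS[m.group(1)]] = int(m.group(2))
        elif cur is not None and (m := LAST_RE.match(line)):
            cur["last_success"] = m.group(1).strip()
    return servers


def find_unhealthy(servers):
    """Servers the device cannot use, i.e. where logins would fall through to local."""
    issues = []
    for s in servers:
        where = f"{s['vrf']}/{s['host']}:{s['port']}"
        if s["failed_connect"] > 0:
            issues.append(f"{where}: {s['failed_connect']} failed connections; logins may be falling back to local")
        elif s["success_auth"] == 0 and s["failed_auth"] > 0:
            issues.append(f"{where}: {s['failed_auth']} failed and 0 successful authentications")
    return issues


if __name__ == "__main__":
    for issue in find_unhealthy(parse_show_tacacs_server(DEGRADED_OUTPUT)):
        print(issue)
```

Run it over the captures of both show tacacs-server and show tacacs-server vrf management, since each command reports only its own VRF; the VRF header at the top of each capture is what tags the records.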
The following output shows the AAA configuration:
OcNOS#show running-config aaa
aaa group server tacacs+ TACACS_VRF_MGMT vrf management
server 10.12.97.208
aaa authentication login default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa accounting default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authorization default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authentication login default fallback error local non-existent-user vrf management
aaa group server tacacs+ TACACS_NON_VRF_MGMT
server 40.40.40.1
server 30.30.30.1
aaa authentication login console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa accounting console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authorization console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local
aaa authentication login console fallback error local non-existent-user
Glossary
Key Terms/Acronym | Description
TACACS | Terminal Access Controller Access Control System