AAA Configuration for Console Connection

OcNOS SP : System Management Guide : Authentication Management Configuration : AAA Configuration for Console Connection

Overview

OcNOS uses the Accounting, Authentication, Authorization (AAA) protocol to authenticate the user through RADIUS or TACACS+ remote servers or Local authentication server to gives access to the device. The console port of the OcNOS is accessible (ssh or Telnet) only through the default VRF or VRF management port only. If the user attempts to access the device using the non VRF interface the access is denied.

The AAA authentication from console port via default VRF or VRF management is enhanced to reach the remote authentication servers through the non VRF interface.

Feature Characteristics

TACACS/RADIUS client can reach the OcNOS in both default and management VRF or non VRF interface for authentication.

Following are the features supported:

• Default VRF to reach the remote authentication (TACACS/RADIUS) server in Management VRF

• Management VRF to reach the loopback interface in Default VRF

• The AAA using servers are defined in default and management VRF

• When AAA server is not reachable, the authentication, authorization and accounting is performed via the local authentication server.

• AAA solution is performed based on the configuration only, not on the source of VRF

Configuration

The following configuration uses the TACACS+ remote server for authentication. The same configurations are holds good for RADIUS authentication server.

Perform the following configurations on host.

1. Configure TACACS client using the configuration provided in TACACS Client Configuration or RADIUS Client Configuration section.

2. In the above configuration, configure the TACACS or RADIUS server in both management and default VRF. A sample configuration is provided below:

feature tacacs+ vrf management

tacacs-server login host 10.12.97.208 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb

feature tacacs+

tacacs-server login host 40.40.40.1 seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb

tacacs-server login host 30.30.30.1 seq-num 2 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb

3. Create server group for management VRF using the following CLI. This command changes the configure mode to server group (config-tacacs)#.

aaa group server tacacs+ TACACS_VRF_MGMT vrf management

Note:	An AAA server group name configured in a VRF cannot be used to configure another VRF. For example, if the TACACS_VRF_MGMT server group is configured in the VRF management, you cannot configure an AAA server with the same name in any other VRFs.

4. Make the TACAC+S server 10.12.30.86 part of the group TACACS_VRF_MGMT for default VRF.

server 10.12.30.86

5. Configure the authentication behavior for TACACS+ server with default VRF management, non VRF and fall-back to local authentication server if none configured for management VRF.

aaa authentication login default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

6. Configure AAA behavior for management VRF using the following CLIs.

aaa accounting default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa authorization default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa authentication login default fallback error local non-existent-user vrf management

7. Create a server group for non VRF management using the following CLI. This command changes the configure mode to server group (config-tacacs)#.

aaa group server tacacs+ TACACS_NON_VRF_MGMT

server 40.40.40.1

server 30.30.30.1

8. Configure the authentication behavior for TACACS+ server with console VRF management, non VRF and fall-back to local authentication server if none configured for management VRF.

9. Configure AAA behavior for non management VRF using the following CLIs.

aaa authentication login console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa accounting console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa authorization console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa authentication login console fallback error local non-existent-user

Note: If both management and default VRF is configured, then the default VRF is used to reach the TACACS/RADIUS server. If it is not reachable, then the management VRF is used.

Validation

Following is the sample validation show output for TACACS server with default management VRF and non VRF interface.

Following output shows the interface configured for server group.

OcNOS# sh tacacs-server groups

VRF: default

group tacacs+:

server: all configured tacacs servers

group TACACS_NON_VRF_MGMT:

server 40.40.40.1

seq-num 1

port is 49

key is ********

server 30.30.30.1

seq-num 2

port is 49

key is ********

Following output shows the TACACS+ server configurations:

OcNOS#sh tacacs-server vrf management

VRF: management

total number of servers:1

Tacacs+ Server : 10.12.97.208/49

Sequence Number : 1

Failed Auth Attempts : 0

Success Auth Attempts : 0

Failed Connect Attempts : 0

Last Successful authentication:

(*) indicates last active.

OcNOS#sh tacacs-server

VRF: default

total number of servers:2

Tacacs+ Server : 40.40.40.1/49

Sequence Number : 1

Failed Auth Attempts : 0

Success Auth Attempts : 0

Failed Connect Attempts : 0

Last Successful authentication:

Tacacs+ Server : 30.30.30.1/49

Sequence Number : 2

Failed Auth Attempts : 0

Success Auth Attempts : 0

Failed Connect Attempts : 0

Last Successful authentication:

(*) indicates last active.

OcNOS#

OcNOS#show running-config tacacs+

feature tacacs+ vrf management

tacacs-server login host 10.12.97.208 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb

feature tacacs+

tacacs-server login host 40.40.40.1 seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb

tacacs-server login host 30.30.30.1 seq-num 2 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb

Following output shows the AAA configurations:

OcNOS#show running-config aaa

aaa group server tacacs+ TACACS_VRF_MGMT vrf management

server 10.12.97.208

aaa authentication login default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa accounting default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa authorization default vrf management group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa authentication login default fallback error local non-existent-user vrf management

aaa group server tacacs+ TACACS_NON_VRF_MGMT

server 40.40.40.1

server 30.30.30.1

aaa authentication login console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa accounting console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa authorization console group TACACS_VRF_MGMT TACACS_NON_VRF_MGMT local

aaa authentication login console fallback error local non-existent-user

Glossary

Key Terms/Acronym	Description
TACACS	Terminal Access Controller Access Control System