3.2.9. aaa¶

Configuration data for aaa servers.

vsr running config# system aaa

remote-authentication-order¶

Set the order in which the remote authentication is tried.

vsr running config# system aaa
vsr running aaa# remote-authentication-order REMOTE-AUTHENTICATION-ORDER

`REMOTE-AUTHENTICATION-ORDER` values	Description
`tacacs`	TACACS+ servers.
`radius`	RADIUS servers.

local-authentication¶

Tell if the local authentication should be tried anyway when it failed remotely, if it should be tried only if the remote server did not answer or if it should be always done for root and be tried only when the remote server is unreachable for non root users. If unset, default is always.

vsr running config# system aaa
vsr running aaa# local-authentication LOCAL-AUTHENTICATION

`LOCAL-AUTHENTICATION` values	Description
`always`	Always try local authentication.
`always-for-root`	Always do local authentication for root. Try local authentication only if remote servers are unreachable for non root users.
`fallback`	Try local authentication only if remote servers are unreachable.

user-role-privilege¶

List of user roles with the associated privilege level. These configuration options are applied only for tacacs.

vsr running config# system aaa user-role-privilege

viewer¶

The privilege level associated to the viewer role.

vsr running config# system aaa user-role-privilege
vsr running user-role-privilege# viewer <0-15>

Default value: 5

admin¶

The privilege level associated to the administrator role.

vsr running config# system aaa user-role-privilege
vsr running user-role-privilege# admin <0-15>

Default value: 15

role¶

List of custom roles with their corresponding privilege value.

vsr running config# system aaa user-role-privilege
vsr running user-role-privilege# role <leafref> <0-15>

<leafref>

The user role name.

<0-15>

The privilege level associated to the user role.

tacacs¶

List of tacacs servers on the system.

vsr running config# system aaa tacacs <uint32>

<uint32>

Order for TACACS+ servers. They will be reached by increasing order value.

address (mandatory)¶

TACACS+ server IPv4 or IPv6 address.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># address ADDRESS

`ADDRESS` values	Description
`<ipv4-address>`	An IPv4 address.
`<ipv6-address>`	An IPv6 address.

port¶

Port number to reach the TACACS server.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># port <uint16>

Default value: 49

source¶

Source address used to reach the TACACS server.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># source SOURCE

`SOURCE` values	Description
`<ipv4-address>`	An IPv4 address.
`<ipv6-address>`	An IPv6 address.

secret (mandatory) (hidden)¶

TACACS+ client/server shared secret. The # and space characters are not allowed and the string should not exceed 63 characters.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># secret <string>{1,63}

timeout¶

Timeout before trying to reach another TACACS+ server.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># timeout <1-90>

Default value: 3

vrf¶

The VRF from which the TACACS+ server will be joined.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># vrf VRF

`VRF` values	Description
`main`	The main vrf.
`<string>`	The vrf name.

Default value: main

radius¶

The list of RADIUS servers.

vsr running config# system aaa radius <uint32>

<uint32>

Order for RADIUS servers. They will be reached by increasing order value.

address (mandatory)¶

RADIUS server IPv4 or IPv6 address.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># address ADDRESS

`ADDRESS` values	Description
`<ipv4-address>`	An IPv4 address.
`<ipv6-address>`	An IPv6 address.

port¶

Port number to reach the RADIUS server.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># port <uint16>

Default value: 1812

secret (mandatory) (hidden)¶

RADIUS client/server shared secret. The space character is not allowed.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># secret <string>

timeout¶

Timeout before trying to reach another RADIUS server.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># timeout <1-90>

Default value: 3

source¶

RADIUS IPv4 or IPv6 source address.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># source SOURCE

`SOURCE` values	Description
`<ipv4-address>`	An IPv4 address.
`<ipv6-address>`	An IPv6 address.

vrf¶

The VRF from which the RADIUS server will be joined.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># vrf VRF

`VRF` values	Description
`main`	The main vrf.
`<string>`	The vrf name.

Default value: main