3.2.9. aaa

Configuration data for aaa servers.

vsr running config# system aaa

remote-authentication-order

Set the order in which the remote authentication methods are tried.

vsr running config# system aaa
vsr running aaa# remote-authentication-order REMOTE-AUTHENTICATION-ORDER

REMOTE-AUTHENTICATION-ORDER values    Description
tacacs                                TACACS+ servers.
radius                                RADIUS servers.

local-authentication

Set when local authentication is tried: always, even when remote authentication failed; only if the remote server did not answer; or always for root and, for non-root users, only when the remote server is unreachable. If unset, the default is always.

vsr running config# system aaa
vsr running aaa# local-authentication LOCAL-AUTHENTICATION

LOCAL-AUTHENTICATION values    Description
always                         Always try local authentication.
always-for-root                Always do local authentication for root. Try local authentication only if remote servers are unreachable for non-root users.
fallback                       Try local authentication only if remote servers are unreachable.

user-role-privilege

List of user roles with the associated privilege level. These configuration options apply only to TACACS+.

vsr running config# system aaa user-role-privilege

viewer

The privilege level associated with the viewer role.

vsr running config# system aaa user-role-privilege
vsr running user-role-privilege# viewer <0-15>
Default value
5

admin

The privilege level associated with the administrator role.

vsr running config# system aaa user-role-privilege
vsr running user-role-privilege# admin <0-15>
Default value
15

role

List of custom roles with their corresponding privilege value.

vsr running config# system aaa user-role-privilege
vsr running user-role-privilege# role <leafref> <0-15>

<leafref>

The user role name.

<0-15>

The privilege level associated with the user role.

tacacs

List of TACACS+ servers on the system.

vsr running config# system aaa tacacs <uint32>

<uint32>

Order for TACACS+ servers. Servers are tried in increasing order value.

address (mandatory)

TACACS+ server IPv4 or IPv6 address.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># address ADDRESS

ADDRESS values    Description
<ipv4-address>    An IPv4 address.
<ipv6-address>    An IPv6 address.

port

Port number to reach the TACACS+ server.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># port <uint16>
Default value
49

source

Source address used to reach the TACACS+ server.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># source SOURCE

SOURCE values     Description
<ipv4-address>    An IPv4 address.
<ipv6-address>    An IPv6 address.

secret (mandatory) (hidden)

TACACS+ client/server shared secret. The # and space characters are not allowed and the string should not exceed 63 characters.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># secret <string>{1,63}

timeout

Timeout before trying to reach another TACACS+ server.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># timeout <1-90>
Default value
3

vrf

The VRF from which the TACACS+ server is reached.

vsr running config# system aaa tacacs <uint32>
vsr running tacacs <uint32># vrf VRF

VRF values    Description
main          The main vrf.
<string>      The vrf name.

Default value
main

radius

The list of RADIUS servers.

vsr running config# system aaa radius <uint32>

<uint32>

Order for RADIUS servers. Servers are tried in increasing order value.

address (mandatory)

RADIUS server IPv4 or IPv6 address.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># address ADDRESS

ADDRESS values    Description
<ipv4-address>    An IPv4 address.
<ipv6-address>    An IPv6 address.

port

Port number to reach the RADIUS server.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># port <uint16>
Default value
1812

secret (mandatory) (hidden)

RADIUS client/server shared secret. The space character is not allowed.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># secret <string>

timeout

Timeout before trying to reach another RADIUS server.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># timeout <1-90>
Default value
3

source

RADIUS IPv4 or IPv6 source address.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># source SOURCE

SOURCE values     Description
<ipv4-address>    An IPv4 address.
<ipv6-address>    An IPv6 address.

vrf

The VRF from which the RADIUS server is reached.

vsr running config# system aaa radius <uint32>
vsr running radius <uint32># vrf VRF

VRF values    Description
main          The main vrf.
<string>      The vrf name.

Default value
main
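
The constraints listed in this section can be checked before the values are typed into the CLI. The following is an added example, not part of the product or its documentation: a Python pre-check of intended "system aaa" settings against the documented limits. The dict layout, the function names and the sample values are assumptions made for the example; summing the timeouts assumes every server in the list is unreachable.

```python
import ipaddress

# Constructed sample of intended "system aaa" settings (not from the page).
SAMPLE = {
    "local-authentication": "fallback",
    "user-role-privilege": {"viewer": 5, "admin": 15, "netops": 16},
    "tacacs": {20: {"address": "192.0.2.20", "secret": "k3y#with-hash"},
               10: {"address": "2001:db8::10", "secret": "S3cretValue", "timeout": 5}},
    "radius": {1: {"address": "192.0.2.30", "secret": "has space"}},
}

def check_server(kind, order, srv):
    """Problems for one tacacs/radius list entry, per the documented limits."""
    where, out = f"{kind} {order}", []
    for key in ("address", "secret"):            # both are marked (mandatory)
        if key not in srv:
            out.append(f"{where}: {key} is mandatory")
    for key in ("address", "source"):            # must be IPv4 or IPv6 literals
        if key in srv:
            try:
                ipaddress.ip_address(srv[key])
            except ValueError:
                out.append(f"{where}: {key} is not an IPv4/IPv6 address")
    secret = srv.get("secret", "")
    if " " in secret:                            # disallowed for both protocols
        out.append(f"{where}: secret contains a space")
    if kind == "tacacs" and ("#" in secret or len(secret) > 63):
        out.append(f"{where}: secret contains '#' or exceeds 63 characters")
    if not 1 <= srv.get("timeout", 3) <= 90:     # default timeout is 3
        out.append(f"{where}: timeout outside 1-90")
    return out

def check_aaa(cfg):
    """Validate a dict of intended settings; returns a list of findings."""
    out = []
    if "local-authentication" not in cfg:        # unset means "always"
        out.append("local-authentication unset: default 'always' applies")
    for role, level in cfg.get("user-role-privilege", {}).items():
        if not 0 <= level <= 15:
            out.append(f"user-role-privilege {role}: level outside 0-15")
    for kind in ("tacacs", "radius"):
        for order in sorted(cfg.get(kind, {})):  # increasing order value
            out += check_server(kind, order, cfg[kind][order])
    return out

def try_order(cfg, kind):
    """Addresses in the order they are tried, and the sum of their timeouts."""
    s = cfg.get(kind, {})
    return [s[o]["address"] for o in sorted(s)], sum(v.get("timeout", 3) for v in s.values())
```

With local-authentication set to fallback or always-for-root, the summed timeout approximates how long a login waits before local authentication is attempted when no remote server answers.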