Authentication, Authorization and Accounting (AAA)

Overview

User authentication can be done using a remote TACACS+ server.

Each remote user is assigned a role (viewer or admin, see the users section for details) that denotes its rights. How this role is specified depends on the remote server.

Note

If a local user with the same name as a remote user exists, the connection can be made using either the local or the remote password. The role of the user will be the one defined locally.

Warning

Some names are reserved by the system and cannot be used: _apt, _lldpd, _tacacs, backup, bin, daemon, dhcpd, dnsmasq, fastpath, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, ntp, proxy, snmp, sshd, statd, sync, sys, syslog, systemd-bus-proxy, systemd-network, systemd-resolve, systemd-timesync, telegraf, uucp, uuidd, www-data.

If one of these names is used, the connection using a remote server will fail.

Manage TACACS+ servers list

To add a TACACS+ server, do:

vrouter running config# system aaa tacacs 1

Here, 1 is the priority order in case multiple servers are configured. The lower the order, the higher the priority.

Note

Up to 8 TACACS+ servers can be specified.

An IP address and secret to authenticate the TACACS+ exchanges are required:

vrouter running tacacs 1# address 192.168.0.1 secret testing123
vrouter running tacacs 1# commit

Warning

The specified address must be accessible from vrf ‘main’.

Let’s fetch the state after committing this configuration:

vrouter running tacacs 1# show state
tacacs 1
    address 192.168.0.1
    port 49
    secret testing123
    timeout 3
    ..

The same configuration can be made using this NETCONF XML configuration:

vrouter running config# show config xml absolute system aaa tacacs
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <aaa xmlns="urn:6wind:vrouter/system/aaa">
      <tacacs>
        <order>1</order>
        <port>49</port>
        <timeout>3</timeout>
        <address>192.168.0.1</address>
        <secret>testing123</secret>
      </tacacs>
    </aaa>
  </system>
</config>

See also

The command reference for details.

Configuring TACACS+ authentication servers

6WIND Vendor-Specific TACACS+ Attributes can be used to configure user privileges. They are specified in the TACACS+ server configuration file on a per-user basis. Turbo IPsec retrieves these attributes through an authorization request to the TACACS+ server after authenticating a user.

To specify these attributes, include a service statement in the TACACS+ server configuration file, in a user or a group statement:

service = 6WIND {
   local-role = "admin|viewer"
}

At the moment, only the local-role attribute is supported. If it is not specified, the viewer role is assigned by default.

Here is a complete example:

group = admins {
   default service = permit
   service = exec {
      priv-lvl = 15
   }
   service = shell {
      priv-lvl = 15
   }
   service = 6WIND {
      local-role = "admin"
   }
}

group = viewers {
   default service = permit
   service = exec {
      priv-lvl = 15
   }
   service = shell {
      priv-lvl = 15
   }
   service = 6WIND {
      local-role = "viewer"
   }
}

user = john {
     name = "John C"
     member = admins
     pap = PAM
}

user = alice {
     default service = permit
     service = exec {
        priv-lvl = 15
     }
     service = shell {
        priv-lvl = 15
     }
     service = 6WIND {
        local-role = "admin"
     }
     name = "Alice F"
     pap = PAM
}

user = bob {
     name = "Bob D"
     member = viewers
     pap = PAM
}

With this configuration, john and alice can connect to the product with the admin role and bob with the viewer role.

Note

The length of the user name must be less than or equal to 32 characters.
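As an added example (not part of the 6WIND documentation), the following Python script parses the block syntax shown above and reports, for each user, the local-role Turbo IPsec would receive together with the two checks this page documents: reserved names and the 32-character limit. It uses a constructed sample configuration rather than a real tac_plus file, and assumes that a user's own 6WIND service block takes precedence over the one on its group.

```python
import re

# Reserved names listed on this page: a remote login with one of these fails.
RESERVED = set("""_apt _lldpd _tacacs backup bin daemon dhcpd dnsmasq fastpath games gnats irc
list lp mail man messagebus news nobody ntp proxy snmp sshd statd sync sys syslog systemd-bus-proxy
systemd-network systemd-resolve systemd-timesync telegraf uucp uuidd www-data""".split())

# Constructed sample in the block syntax used on this page, one statement per line.
SAMPLE = """group = admins {
   service = 6WIND {
      local-role = "admin"
   }
}
user = john {
   member = admins
}
user = bob {
}
user = sshd {
   member = admins
}"""

def parse_tacplus(text):
    # Minimal line-based parser for 'key = value' and 'key = name { ... }' blocks (not tac_plus itself).
    stack = [{"group": {}, "user": {}}]
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):  # '#' starts a comment
        if line == "}":
            stack.pop()
        elif line:
            m = re.fullmatch(r'(\S+(?: \S+)?)\s*=\s*"?([^"{]*?)"?\s*(\{)?', line)
            if not m: raise ValueError(f"unparsable line: {line!r}")
            key, value, opens = m.group(1), m.group(2).strip(), m.group(3)
            if opens:                       # 'key = name {' opens a nested block
                block = {}
                stack[-1].setdefault(key, {})[value] = block
                stack.append(block)
            else:
                stack[-1][key] = value
    return stack[0]

def effective_role(cfg, user):
    # Assumed precedence: the user's own 6WIND service block, then its group's, else the page's default.
    entry = cfg["user"][user]
    scopes = (entry, cfg["group"].get(entry.get("member"), {}))
    roles = [s.get("service", {}).get("6WIND", {}).get("local-role") for s in scopes]
    return next((r for r in roles if r), "viewer")

def audit(cfg):
    # Role plus the checks this page documents: reserved names and the 32-character limit.
    return {u: (effective_role(cfg, u), [p for p, bad in (("reserved name", u in RESERVED),
            ("longer than 32 chars", len(u) > 32)) if bad]) for u in cfg["user"]}
```

Running `audit(parse_tacplus(SAMPLE))` shows john as admin, bob as viewer by default, and sshd as admin but flagged, since that name is reserved and the remote login would fail regardless of the role granted.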