Authentication, Authorization and Accounting (AAA)

This configuration context is used to configure remote AAA servers. The following commands are available:

  • To configure AAA, enter the configuration context then type aaa:
router{conf:myconf}aaa
router{conf:myconf-aaa}display
order radius tacacs local
radius-retransmit 3
tacacs-timeout 3
# RADIUS servers
radius ip 1.1.1.2
  port 1812
  secret mysharedsecret
  timeout 3
  order 1
# TACACS+ servers
tacacs ip 2.1.1.2
  port 49
  secret mysharedsecret
  order 1
router{conf:myconf-aaa}
  • To reset the AAA configuration, leave the aaa context then type delete aaa:
router{conf:myconf-aaa}exit
router{conf:myconf}delete aaa

Configuring authentication mechanisms order

The order command takes any combination of local, radius and tacacs. Each mechanism may appear at most once, so order consists of 1 to 3 elements, listed from most to least preferred. local may only be used as the last element.

When a user logs onto the system, these mechanisms are tried in sequence. If a given remote server cannot be reached (connectivity issue), the next remote server of the same type is tried. If none of the configured remote servers of a given type can be reached, the next authentication mechanism in the list is tried.

The first server of a given type that answers determines whether authentication succeeds or fails; the remaining remote servers of that type are not consulted. If authentication fails, the next configured mechanism is tried.

Local authentication is tried after a remote server has rejected the login only if local is the last element of order. It is tried regardless of order if no remote server of any type could be reached.
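The following Python model of the login flow described above is an added example and not part of the product's own code or documentation. The server lists, their replies (accept, reject, or unreachable) and the local-account result are constructed inputs; the model enforces the constraints on order and shows which servers are consulted before a decision is reached.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MECHANISMS = {"local", "radius", "tacacs"}


def validate_order(order: List[str]) -> List[str]:
    """Enforce the documented rules for the 'order' command."""
    if not 1 <= len(order) <= 3:
        raise ValueError("order takes between 1 and 3 elements")
    if len(set(order)) != len(order) or not set(order) <= MECHANISMS:
        raise ValueError("each of local, radius, tacacs may appear at most once")
    if "local" in order and order[-1] != "local":
        raise ValueError("local may only be the last element")
    return list(order)


@dataclass
class Server:
    name: str
    order: int                 # per-type 'order' value, contacted by increasing value
    reply: Optional[str]       # constructed outcome: "accept", "reject" or None (unreachable)


def authenticate(order: List[str], servers: Dict[str, List[Server]],
                 local_ok: bool) -> Tuple[str, List[str]]:
    """Return the final decision and the list of servers consulted, in order."""
    validate_order(order)
    reached_any = False
    trace: List[str] = []
    for mech in order:
        if mech == "local":
            trace.append("local")
            return ("accept" if local_ok else "reject"), trace
        for srv in sorted(servers.get(mech, []), key=lambda s: s.order):
            trace.append(srv.name)
            if srv.reply is None:
                continue             # unreachable: try the next server of the same type
            reached_any = True
            if srv.reply == "accept":
                return "accept", trace
            break                    # first answer decides for this type; a reject moves on
    if not reached_any:
        trace.append("local")        # no remote server of any type answered: local fallback
        return ("accept" if local_ok else "reject"), trace
    return "reject", trace           # a remote server rejected and local is not last in order
```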

Configuring TACACS+ authentication servers

You may define one or more TACACS+ servers for remote authentication. Defining them is not enough: tacacs must also appear in order for the system to use them.

One option applies to all TACACS+ servers: tacacs-timeout. It defines how long to wait for a TACACS+ server before trying the next one. By default, it is set to 3. To change it, use:

router{conf:myconf-aaa}tacacs-timeout TIMEOUT

Entering the tacacs context

To define a new TACACS+ server (or edit an existing one) by its IP address, use:

router{conf:myconf-aaa}tacacs ip IP_ADDR
IP_ADDR
TACACS+ server IPv4 or IPv6 address.

To define a new TACACS+ server (or edit an existing one) by its host name, use:

router{conf:myconf-aaa}tacacs fqdn HOSTNAME
HOSTNAME
TACACS+ server host name.

Mandatory parameters

Once in that TACACS+ server context, you must at least configure the shared secret between this machine and the TACACS+ server:

router{conf:myconf-aaa-tacacs-1.1.1.2}secret MYSHAREDSECRET
MYSHAREDSECRET
TACACS+ client/server shared secret.

You must also specify the order specific to TACACS+ servers. It determines the sequence in which TACACS+ servers are contacted for authentication. If you do not explicitly set an order when entering this TACACS+ server context, the next available order value is assigned automatically.

To define the order for TACACS+, use:

router{conf:myconf-aaa-tacacs-1.1.1.2}order ORDER
ORDER
Order for TACACS+ servers. They will be contacted by increasing order value.

Optional parameters

You may specify the port to connect to the remote TACACS+ server using:

router{conf:myconf-aaa-tacacs-1.1.1.2}port PORT
PORT
Port number. By default, 49 is set.

You may specify a source IPv4 or IPv6 address to use when connecting to the remote server, using:

router{conf:myconf-aaa-tacacs-1.1.1.2}source-address IP_ADDR

Configuring RADIUS authentication servers

You may define one or more RADIUS servers for remote authentication. Defining them is not enough: radius must also appear in order for the system to use them.

One option applies to all RADIUS servers: radius-retransmit. It defines the number of attempts made to reach a remote RADIUS server before giving up. By default, it is set to 3. To change it, use:

router{conf:myconf-aaa}radius-retransmit ATTEMPTS

Entering the radius context

To define a new RADIUS server (or edit an existing one) by its IP address, use:

router{conf:myconf-aaa}radius ip IP_ADDR
IP_ADDR
RADIUS server IPv4 or IPv6 address.

To define a new RADIUS server (or edit an existing one) by its host name, use:

router{conf:myconf-aaa}radius fqdn HOSTNAME
HOSTNAME
RADIUS server host name.

Mandatory parameters

Once in that RADIUS server context, you must at least configure the shared secret between this machine and the RADIUS server:

router{conf:myconf-aaa-radius-1.1.1.2}secret MYSHAREDSECRET
MYSHAREDSECRET
RADIUS client/server shared secret.

You must also specify the order specific to RADIUS servers. It determines the sequence in which RADIUS servers are contacted for authentication. If you do not explicitly set an order when entering this RADIUS server context, the next available order value is assigned automatically.

To define the order for RADIUS, use:

router{conf:myconf-aaa-radius-1.1.1.2}order ORDER
ORDER
Order for RADIUS servers. They will be contacted by increasing order value.

Optional parameters

You may specify the port to connect to the remote RADIUS server using:

router{conf:myconf-aaa-radius-1.1.1.2}port PORT
PORT
Port number. By default, 1812 is set.

You may specify a timeout for a specific RADIUS server. It is the number of seconds to wait for a reply from that server before trying the next one. By default, it is set to 3 seconds, which is also the minimum; it cannot exceed 60. To change that value, use:

router{conf:myconf-aaa-radius-1.1.1.2}timeout TIMEOUT

You may specify a source IPv4 or IPv6 address to use when connecting to the remote server, using:

router{conf:myconf-aaa-radius-1.1.1.2}source-address IP_ADDR