AAA is the abbreviation of Authentication Authorization and Accounting, which provides for authentication, authorization and accounting function into the configuration of the consistency framework. AAA provides the following services in a modular fashion:<\/p>\n
Using AAA has the following advantages:<\/p>\n
AAA has the following relevant standards: RFC2865 Remote Authentication Dial In User Service (RADIUS). C. Rigney, S. Willens, A. Rubens, W. Simpson. June 2000. (Format: TXT, HTML). RFC2866 RADIUS Accounting. C. Rigney. June 2000. (Format: TXT, HTML). RFC8907 The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol. T. Dahm, A. Ota, DC Medway Gash, D. Carrel, L. Grant. September 2020.<\/p>\n
SWITCH( config)# aaa new-model<\/code><\/pre>\nSWITCH( config)# no aaa new-model<\/code><\/pre>\nGlobally enable or disable the AAA function.<\/p>\n
SWITCH( config)# aaa group server (radius) ( default| NAME )<\/code><\/pre>\nSWITCH( config ) # aaa group server ( tacacs + ) ( default| NAME )<\/code><\/pre>\nSWITCH( config)# no aaa group server ( radius|tacacs +) ( default| NAME )<\/code><\/pre>\nServer group configuration. Optional. By default there is no server group configuration and no server method is used.<\/p>\n
SWITCH(config-gs-rad )# server A.B.C.D (auth-port <1-65535> |) (acct-port <1-65535> |) (key STRING )<\/code><\/pre>\nSWITCH(config-gs-tac)# server A.B.C.D (port <1-65535> |) (key STRING )<\/code><\/pre>\nSWITCH(config-gs-rad)# no server A.B.C.D<\/code><\/pre>\nSWITCH(config-gs-tac)# no server A.B.C.D<\/code><\/pre>\nserver group mode . Configure RADIUS, TACACS + server information, including basic IP address, port information, shared key Optional. Note: Due to implementation restrictions, the current radius accounting port number is always the authentication port number + 1, and the configuration is invalid.<\/p>\n
SWITCH(config-gs-rad)# timeout <1-120><\/code><\/pre>\nSWITCH(config-gs-tac)# timeout <1-120><\/code><\/pre>\nSWITCH(config-gs-rad)# no timeout<\/code><\/pre>\nSWITCH(config-gs-tac)# no timeout<\/code><\/pre>\nserver group mode . Configure the timeout period for servers in the group. Optional.<\/p>\n
SWITCH(config-gs-tac)# service NAME<\/code><\/pre>\nSWITCH(config-gs-tac)# no service<\/code><\/pre>\nTACACS+ server group mode . Configure the service information in the group. Optional.<\/p>\n
SWITCH(config)# aaa (authentication|authorization|accounting) (login|ssh|web|dot1x|command) default {group (radius|tacacs+|NAME)|local|none}<\/code><\/pre>\nSWITCH(config)#no aaa (authentication|authorization|accounting) (login|ssh|web|dot1x|command) default<\/code><\/pre>\nGlobal configuration mode. Configure AAA method information. Optional.Local authentication is used by default. Note1: The username (such as admin) that exists on the machine also needs to be provided during the none authentication, otherwise an error may occur. Note2: Web do not support accounting\/authorization now.<\/p>\n
Examples<\/h2>\n
SSH Login Authentication Using Tacacs+ Method \u200f \u2022 Requirements<\/p>\n
\n- See the description of the network diagram<\/li>\n<\/ul>\n
\u200f \u2022 Network diagram Figure 8 Typical networking diagram for SSH through tacacs+ server authentication and accounting Description: none \u200f \u2022 Typical configuration example Switch\uff1a<\/p>\n
SWITCH(config)# aaa new-model<\/code><\/pre>\nSWITCH(config)# aaa group server tacacs+ default<\/code><\/pre>\nSWITCH(config-gs-tac) # server 2.2.2.106 key testkey123<\/code><\/pre>\nSWITCH(config-gs-tac)# exit<\/code><\/pre>\nSWITCH(config)# aaa authentication ssh default group tacacs+<\/code><\/pre>\nSWITCH(config)# aaa accounting ssh default group tacacs+<\/code><\/pre>\nSWITCH(config)# username test remote<\/code><\/pre>\nDevice IP configuration and ssh configuration refer to the corresponding chapters in the configuration documentation, which are omitted here.<\/p>\n
Use the None Method to Perform Serial Port Login<\/h2>\n
\u200f \u2022 Requirements<\/p>\n
\n- See the description of the network diagram<\/li>\n<\/ul>\n
\u200f \u2022 Network diagram Figure9 Typical network diagram of serial port using none authentication and accounting \u200f \u2022 Typical configuration example Refer to the network diagram<\/p>\n
Display Information<\/h2>\n\n- None<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Networking \u203a Switching \u203a Edge \u203a Synapse<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":6349,"menu_order":29,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[115,119,116],"class_list":["post-6378","docs","type-docs","status-publish","hentry","doc_tag-connexite","doc_tag-network","doc_tag-synapse-cli-documentation","no-post-thumbnail"],"acf":[],"_links":{"self":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=6378"}],"version-history":[{"count":1,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6378\/revisions"}],"predecessor-version":[{"id":6426,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6378\/revisions\/6426"}],"up":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6349"}],"wp:attachment":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=6378"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/doc_tag?post=6378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}