AAA
The authentication, authorization, and accounting (AAA) feature configures authentication of users logging in to the Cisco Catalyst SD-WAN router, determines what permissions to give them, and performs accounting of their actions.
The following tables describe the options for configuring the AAA feature.
Local
Add users.
Field |
Description |
---|---|
Enable AAA Authentication |
Enable authentication parameters. |
Accounting Group |
Enable accounting parameters. |
Add AAA User |
|
Name |
Enter a name for the user. It can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters. The following usernames are reserved, so you cannot configure them: backup, basic, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, proxy, quagga, root, sshd, sync, sys, uucp, and www-data. Also, names that start with viptela-reserved are reserved. |
Password |
Enter a password for the user. The password is an MD5 digest string, and it can contain any characters, including tabs, carriage returns, and linefeeds. For more information, see Section 9.4 in RFC 7950, The YANG 1.1 Data Modeling Language. Each username must have a password. Users are allowed to change their own passwords. The default password for the admin user is admin. We strongly recommended that you change this password. |
Confirm Password |
Re-enter the password for the user. |
Privilege |
Select between privilege level 1 or 15.
|
Add Public Key Chain |
|
Key String* |
Enter the authentication string for a key. |
Key Type |
Choose ssh-rsa. |
RADIUS
Add RADIUS servers.
Field |
Description |
---|---|
Address* |
Enter the IP address of the RADIUS server host. |
Acct Port |
Enter the UDP port to use to send 802.1X and 802.11i accounting information to the RADIUS server. Range: 0 through 65535. Default: 1813 |
Auth Port |
Enter the UDP destination port to use for authentication requests to the RADIUS server. If the server is not used for authentication, configure the port number to be 0. Default: 1812 |
Retransmit |
Enter the number of times the device transmits each RADIUS request to the server before giving up. Default: 3 seconds |
Timeout |
Enter the number of seconds a device waits for a reply to a RADIUS request before retransmitting the request. Default: 5 seconds Range: 1 through 1000 |
Key* |
Enter the key the Cisco IOS XE Catalyst SD-WAN device passes to the RADIUS server for authentication and encryption. |
Key Type |
Choose Protected Access Credential (PAC) or key type. |
TACACS Server
Add TACACS server.
Field |
Description |
---|---|
Address* |
Enter the IP address of the TACACS+ server host. |
Port |
Enter the UDP destination port to use for authentication requests to the TACACS+ server. If the server is not used for authentication, configure the port number to be 0. Default: 49 |
Timeout |
Enter the number of seconds a device waits for a reply to a TACACS+ request before retransmitting the request. Default: 5 seconds Range: 1 through 1000 |
Key* |
Enter the key the Cisco IOS XE Catalyst SD-WAN device passes to the TACACS+ server for authentication and encryption. You can type the key as a text string from 1 to 31 characters long, and it is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the AES encryption key used on the TACACS+ server. |
Accounting
Add accounting rules.
Field |
Description |
||
---|---|---|---|
Rule Id* |
Enter the accounting rule ID. |
||
Method* |
Specifies the accounting method list. Choose one of the following:
|
||
Level |
Choose the privilege level (1 or 15). Accounting records are generated only for commands entered by users with this privilege level. |
||
Start Stop |
Enable this option to if you want the system to send a start accounting notice at the beginning of an event and a stop record notice at the end of the event. |
||
Use Server-group* |
Choose a previously configured TACACS group. The parameters that this accounting rule defines are used by the TACACS servers that are associated with this group. |
Authorization
Field |
Description |
---|---|
Server Auth Order* |
Choose the authentication order. It dictates the order in which authentication methods are tried when verifying user access to a Cisco IOS XE Catalyst SD-WAN device through an SSH session or a console port. |
Authorization Console |
Enable this option to perform authorization for console access commands. |
Authorization Config Commands |
Enable this option to perform authorization for configuration commands. |
Add Authorization Rule |
|
Rule Id* |
Enter the authorization rule ID. |
Method* |
Choose Commands, which causes commands that a user enters to be authorized. |
Level |
Choose the privilege level (1 or 15) for commands to be authorized. Authorization is provided for commands entered by users with this privilege level. |
If Authenticated |
Enable this option to apply the authorization rule parameters only to the authenticated users. If you do not enable this option, the rule is applied to all users. |
Use Server-group* |
Choose a previously configured TACACS group. The parameters that this authorization rule defines are used by the TACACS servers that are associated with this group. |