AAA

AAA stands for Authentication, Authorization and Accounting.

  • Authentication answers "who are you?" and controls how a user is validated at login.

  • Authorization answers "what can you do?" and controls which CLI commands a user is allowed to run.

  • Accounting answers "what did you do?" and logs user activity such as executed commands.

SoodarOS supports local AAA rules and remote AAA servers:

  • Local: local authorization rules and local accounting (system logger).

  • TACACS+: remote AAA using TACACS+ servers.

  • RADIUS: remote AAA using RADIUS servers.

Remote servers

Remote servers are defined as named objects. After creating a server, enter its node and configure parameters such as IP address, port, shared key, VRF and source IP.

TACACS+ server

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol that provides centralized authentication, authorization and accounting for administrators accessing network devices. The protocol encrypts the whole packet payload, which improves security compared to older protocols such as RADIUS. Also, only TACACS+ supports per-command authorization.

tacacs server TACACS_SERVER_NAME

Create (or enter) a TACACS+ server configuration node.

  • TACACS_SERVER_NAME: Name of the TACACS+ server.

Example:

soodar(config)# tacacs server TAC1
soodar(config-server-tacacs)#

no tacacs server TACACS_SERVER_NAME

Remove a TACACS+ server definition.

  • TACACS_SERVER_NAME: Name of the TACACS+ server.

address <A.B.C.D|X:X::X:X>

Set server address (IPv4 or IPv6).

  • <A.B.C.D|X:X::X:X>: IP address of the TACACS+ server. It can be an IPv4 or IPv6 address.

port (1-65535)

Set server port.

  • (1-65535): Port number of the TACACS+ server.

Note

Default is 49 for TACACS+.

key KEY

Set the shared secret (key) used for TACACS+.

  • KEY: The shared secret (key) string.

vrf VRFNAME

Set VRF for reaching the server.

  • VRFNAME: Name of the VRF to use for reaching the TACACS+ server.

source-ip <A.B.C.D|X:X::X:X>

Set source address used for connecting to the server.

  • <A.B.C.D|X:X::X:X>: Source IP address (IPv4 or IPv6) used in TACACS+ packets.

Global TACACS timeout

tacacs-server timeout (1-1000)

Set the time (seconds) to wait for a TACACS+ server response.

  • (1-1000): Timeout value in seconds.

Note

Default timeout is 5 seconds.

RADIUS server

radius server RADIUS_SERVER_NAME

Create (or enter) a RADIUS server configuration node.

  • RADIUS_SERVER_NAME: Name of the RADIUS server.

Example:

soodar(config)# radius server RAD1
soodar(config-server-radius)#

no radius server RADIUS_SERVER_NAME

Remove a RADIUS server definition.

  • RADIUS_SERVER_NAME: Name of the RADIUS server.

address <A.B.C.D|X:X::X:X>

Set server address (IPv4 or IPv6).

  • <A.B.C.D|X:X::X:X>: IP address of the RADIUS server. It can be an IPv4 or IPv6 address.

port (1-65535)

Set server port.

  • (1-65535): Port number of the RADIUS server.

Note

Default is 1645.

timeout (1-1000)

Set server timeout (seconds).

  • (1-1000): Timeout value in seconds.

Note

Default timeout is 5 seconds.

vrf VRFNAME

Set VRF for reaching the server.

  • VRFNAME: Name of the VRF to use for reaching the RADIUS server.

source-ip <A.B.C.D|X:X::X:X>

Set source address used in RADIUS packets.

  • <A.B.C.D|X:X::X:X>: Source IP address (IPv4 or IPv6) used in RADIUS packets.

Authentication

Authentication controls how users are validated at login.

Authentication list for login

Authentication lists define which methods are used to authenticate users at login. Lines can use these lists to determine how to authenticate users reaching the device via that line.

aaa authentication login <AUTH_LOGIN_LIST_NAME> {local|tacacs+|radius|none}

Create or update a login authentication list. Methods can be combined.

  • <AUTH_LOGIN_LIST_NAME>: Name of the authentication list to create or modify.

  • local: Use local authentication (local user database).

  • tacacs+: Use TACACS+ server for authentication.

  • radius: Use RADIUS server for authentication.

  • none: Disable authentication (not recommended).

Note

There is a built-in default authentication list that can be modified but not removed. This list is used by default on all login lines unless another list is specified.

Note

The default authentication method is local.

Note

If multiple methods are specified, they are tried in local, TACACS+, RADIUS order.

Note

For security, remote authentication (TACACS+ or RADIUS) requires the user to be defined on the device as well, but the password is not used.

Example:

soodar(config)# aaa authentication login default tacacs+ local
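The two notes above (fixed local, TACACS+, RADIUS order; remote methods require a locally defined user) are modelled in the following added Python example, which is not part of the SoodarOS documentation. The local user table is constructed, and treating a user absent from the local database as unauthenticatable by every method except none is an assumption.

```python
# Fixed order in which SoodarOS tries configured login methods, regardless of
# the order they were typed in "aaa authentication login ..." (page note).
METHOD_ORDER = ("local", "tacacs+", "radius")

# Constructed local user database: user name -> password.
LOCAL_USERS = {"admin": "s3cret", "ops": "opspass"}


def effective_order(configured):
    """Return the order in which the configured methods are actually tried.
    'none' disables authentication, so nothing else is consulted."""
    if "none" in configured:
        return ["none"]
    return [m for m in METHOD_ORDER if m in configured]


def usable_methods(user, configured, local_users=LOCAL_USERS):
    """Methods that can authenticate this user, in the order tried.
    Remote methods require the user to be defined locally (page note); the
    local password is not consulted for them. Assumption: a user missing from
    the local database cannot be authenticated by any method except 'none'."""
    methods = []
    for m in effective_order(configured):
        if m == "none" or user in local_users:
            methods.append(m)
    return methods


if __name__ == "__main__":
    # "aaa authentication login default tacacs+ local" still tries local first.
    print(effective_order(["tacacs+", "local"]))
    # A user not provisioned locally cannot be authenticated via TACACS+.
    print(usable_methods("guest", ["tacacs+"]))
```

The second call in the demo returns an empty list: a TACACS+-only list does not let an unprovisioned account in, so every remote-authenticated operator still needs a local user entry.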

Apply authentication list to lines

login authentication AUTH_LOGIN_LIST_NAME

Apply a login authentication list to the current line context.

  • AUTH_LOGIN_LIST_NAME: Name of the authentication list to apply.

For example, to apply only TACACS+ authentication on the vty line and both local and TACACS+ authentication on the console line:

soodar(config)# aaa authentication login TACACS_ONLY tacacs+
soodar(config)# line vty
soodar(config-line)# login authentication TACACS_ONLY
soodar(config)# aaa authentication login default local tacacs+

Note that the console line uses the built-in default authentication list, so no explicit configuration is needed.

Accounting

Accounting records user actions. Command accounting logs executed CLI commands. Exec accounting controls session start/stop accounting.

Accounting list for commands

Command accounting lists define how executed commands are logged. Lines can use these lists to determine how to log executed commands.

aaa accounting commands <ACCT_CMD_LIST_NAME> start-stop {logger|tacacs+|radius}

Configure command accounting. Methods can be combined.

  • <ACCT_CMD_LIST_NAME>: Name of the accounting list to create or modify.

  • start-stop: Log both command start and stop events.

  • logger: Log to system logger.

  • tacacs+: Log to TACACS+ server.

  • radius: Log to RADIUS server.

Note

There is a built-in default accounting list that can be modified but not removed. This list is used by default on all lines unless another list is specified.

Note

By default, accounting is disabled.

Note

If multiple methods are specified, logging is done to all specified methods.

aaa accounting commands <ACCT_CMD_LIST_NAME> none

Disable command accounting for this list.

  • <ACCT_CMD_LIST_NAME>: Name of the accounting list to modify.

accounting commands <ACCT_CMD_LIST_NAME>

Apply command accounting list to the current line context.

  • <ACCT_CMD_LIST_NAME>: Name of the accounting list to apply.

For example, to enable command accounting to both the system logger and a TACACS+ server on the vty lines, and to disable accounting on the console line:

soodar(config)# aaa accounting commands CMD_ACCT start-stop logger tacacs+
soodar(config)# line vty
soodar(config-line)# accounting commands CMD_ACCT

Note that the console line uses the built-in default accounting list, whose default configuration performs no accounting, so no explicit configuration is needed.

Accounting list for exec

Exec accounting logs session start and stop events. Exec accounting lists define how session accounting is logged. Lines can use these lists to determine how to log session accounting.

aaa accounting exec <ACCT_EXEC_LIST_NAME> start-stop {tacacs+|radius}

Configure exec accounting. Methods can be combined.

  • <ACCT_EXEC_LIST_NAME>: Name of the accounting list to create or modify.

  • start-stop: Log both session start and stop events.

  • tacacs+: Log to TACACS+ server.

  • radius: Log to RADIUS server.

Note

There is a built-in default accounting list that can be modified but not removed. This list is used by default on all lines unless another list is specified.

Note

For auditing and security reasons, session accounting is always locally logged to system logger in addition to any remote servers configured.

Note

By default, remote accounting is disabled.

Note

If multiple methods are specified, logging is done to all specified methods.

aaa accounting exec <ACCT_EXEC_LIST_NAME> none

Disable exec accounting for this list.

  • <ACCT_EXEC_LIST_NAME>: Name of the accounting list to modify.

accounting exec <ACCT_EXEC_LIST_NAME>

Apply exec accounting list to the current line context.

  • <ACCT_EXEC_LIST_NAME>: Name of the accounting list to apply.

For example, to enable exec (login session) accounting to both the system logger and a TACACS+ server on the vty lines, and to RADIUS on the console line:

soodar(config)# aaa accounting exec EXEC_ACCT start-stop tacacs+
soodar(config)# aaa accounting exec default start-stop radius
soodar(config)# line vty
soodar(config-line)# accounting exec EXEC_ACCT

Note that the console line uses the built-in default accounting list, so no explicit configuration is needed. Also, in this example the system logger is always used for exec accounting in addition to any remote servers configured.

Authorization

Authorization controls whether a command is allowed to be executed.

Note

Users with privilege level 15 are always permitted to run all commands regardless of authorization configuration.

Note

RADIUS does not support per-command authorization, so only TACACS+ and local methods are available for command authorization.

Authorization list for commands

Command authorization lists define which methods are used to authorize executed commands. Lines can use these lists to determine how to authorize commands.

aaa authorization command <AUTH_CMD_LIST_NAME> {local|tacacs+|none}

Configure command authorization methods. Methods can be combined.

  • <AUTH_CMD_LIST_NAME>: Name of the authorization list to create or modify.

  • local: Use local authorization rules.

  • tacacs+: Use TACACS+ server for per-command authorization.

  • none: Disable authorization (all commands are permitted).

Note

There is a built-in default authorization list that can be modified but not removed. This list is used by default on all lines unless another list is specified.

Note

By default, authorization is disabled.

Note

If multiple methods are specified, both local and TACACS+ authorization are applied. A command is permitted if one of the methods permits it.

Note

A user with privilege level 15 is always permitted to run all commands regardless of authorization configuration.

authorization command <AUTH_CMD_LIST_NAME>

Apply command authorization list to the current line context.

  • <AUTH_CMD_LIST_NAME>: Name of the authorization list to apply.

Local privilege (command rules)

Local authorization rules are stored as regex patterns per privilege level.

privilege level (1-14) LINE ...

Add an allowed command regex for a privilege level.

  • (1-14): Privilege level (1 to 14) to add the rule to.

  • LINE: A regular expression defining allowed commands for this privilege level.

Example: allow users with privilege 5 to run a subset of show commands:

soodar(config)# privilege level 5 ^show\s(interface|ip|route|version|privilege)$
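As an added illustration (not SoodarOS code), the following Python models local command authorization as described in this section and the combination rule from the "Authorization list for commands" notes: regex rules per privilege level, privilege 15 always permitted, none permitting everything, and a command permitted when either local or TACACS+ permits it. The level-10 rules and the tacacs_verdict parameter are constructed for the example, and treating a level with no rules as permitting nothing is an assumption.

```python
import re

# Constructed local rule table. Level 5 mirrors the page's example command
# "privilege level 5 ^show\s(interface|ip|route|version|privilege)$";
# level 10 is a hypothetical second level added for illustration.
LOCAL_RULES = {
    5: [r"^show\s(interface|ip|route|version|privilege)$"],
    10: [r"^show\s.*", r"^clear\scounters.*"],
}


def local_permits(level, command, rules=LOCAL_RULES):
    """Local authorization: the command is allowed if any regex stored for the
    user's privilege level matches it. Privilege 15 is always permitted (page
    note). Assumption: a level with no rules permits nothing."""
    if level == 15:
        return True
    return any(re.search(pattern, command) for pattern in rules.get(level, []))


def authorize(level, command, methods, tacacs_verdict=None):
    """Combine the methods of a command authorization list as the reference
    describes: 'none' permits everything, and when local and tacacs+ are both
    listed the command is permitted if either method permits it.
    tacacs_verdict stands in for the TACACS+ server's answer (True/False) or
    None when no answer was obtained (treated as not permitted, an assumption)."""
    if level == 15 or "none" in methods:
        return True
    permitted = False
    if "local" in methods:
        permitted = permitted or local_permits(level, command)
    if "tacacs+" in methods:
        permitted = permitted or tacacs_verdict is True
    return permitted


if __name__ == "__main__":
    # The page's anchored pattern admits "show ip" but not "show ip route".
    print(local_permits(5, "show ip"), local_permits(5, "show ip route"))
    print(authorize(5, "configure terminal", ["local", "tacacs+"], tacacs_verdict=True))
```

Because the page's pattern ends in `$` right after the alternation, it authorizes only the two-word forms such as `show ip` and `show version`; a rule meant to cover `show ip route` needs a looser tail such as the level-10 pattern above.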

show privilege [level (0-15)] [json]

Show command privilege rules.

  • level (0-15): Show rules for the specified privilege level. If omitted, show all levels.

  • json: Show output in JSON format.