AAA

AAA (Authentication, Authorization, Accounting) is a security framework to control who has access to network resources (Authentication), what they are allowed to do (Authorization), and log their actions (Accounting).

Warning

The AAA system must be configured with great care: an incorrect configuration could leave the device inaccessible.

The AAA system supports authentication, authorization, and accounting through the local database, RADIUS, and TACACS+. RADIUS and TACACS+ servers are grouped into RADIUS and TACACS+ groups and sorted by priority. These groups, together with the local database, are called “AAA methods” or simply “methods”.

AAA method types

AAA lists are ordered sets of methods which can be used to configure AAA features in services such as SSH or IPSec.

AAA list structure

A key feature of AAA lists is that they can be used for multiple services at once, which avoids unnecessary repetition in the configuration and unifies all AAA settings. Conversely, AAA features cannot be configured directly in a service: creating an AAA list is a strictly necessary step.

The following table shows the AAA methods available to each service for authentication, authorization, and accounting:

Service         Methods
                (Authentication / Authorization / Accounting)
Login/Telnet    R T L
SSH             R T L
Command         T L
IEEE 802.1x     R L
IPSec           R
OpenVPN         R T L

  • R: RADIUS

  • T: TACACS+

  • L: Local database

Authentication

Authentication is the process of identifying a user and allowing them access to specific resources. Examples of such resources are the OSDx CLI and IPSec tunnels.

If a server cannot be reached, the next one is queried, and so on until a server responds with a confirmation or a denial. Once a user is allowed or denied, no other server is queried and that decision determines access. Note that the local database can always be reached; therefore any methods configured with a lower priority than a local method are effectively disabled, because the local database always answers first. For this reason the local database is normally placed last in the list, as a fallback for when every server is unreachable.

Authorization

Once a user is authenticated and has access to some resources, authorization is the process of determining what they are allowed to do with them; in particular, which commands they are allowed to execute once they access the OSDx CLI.

OSDx provides two mechanisms for configuring command authorization: Privilege levels and CLI authorization.

Whenever a user logs into the CLI using RADIUS or TACACS+, the privilege level returned by the server is mapped to a locally defined role. Through the user-level configuration commands, it is possible to define which commands each role is allowed to run.

In RADIUS, the privilege level is binary: a user is either a standard user or a privileged user. In TACACS+, the privilege level is a numeric value from 0 to 15, where 0 is the least privileged and 15 the most. If a privilege level is not mapped, it falls back to the next mapping below. For example, if a user logs in with privilege level 14 but only levels 0, 5, and 15 are mapped, the user is given privilege level 5 in the system.
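As an added illustration (written for this page; it is not OSDx code and does not speak RADIUS or TACACS+), the following Python models the two rules described above: the ordered walk through an authentication method list, where an unreachable method is skipped but the first confirmation or denial is final, and the fallback of an unmapped privilege level to the next mapping below. The server names, user entries, role names, and the choice to grant no role when nothing is mapped at or below the requested level are assumptions of the example.

```python
"""Model of an ordered AAA authentication method list plus privilege-level
to role mapping. Added example for this page, not OSDx code: servers are
constructed in-memory stand-ins, no RADIUS/TACACS+ traffic is generated."""
from bisect import bisect_right
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"            # server confirmed the credentials
    REJECT = "reject"            # server answered with a denial
    UNREACHABLE = "unreachable"  # no answer: the next method is tried


class Server:
    """Constructed stand-in for one method (a RADIUS/TACACS+ group or the
    local database). `users` maps name -> (password, privilege level)."""

    def __init__(self, name, users, reachable=True):
        self.name = name
        self.users = users
        self.reachable = reachable
        self.queries = 0  # how often this method was actually consulted

    def authenticate(self, user, password):
        if not self.reachable:
            return Decision.UNREACHABLE, None
        self.queries += 1
        entry = self.users.get(user)
        if entry is not None and entry[0] == password:
            return Decision.ACCEPT, entry[1]
        return Decision.REJECT, None


def authenticate(method_list, user, password):
    """Walk the ordered method list: an unreachable method is skipped, the
    first ACCEPT or REJECT ends the search. Returns (decision, level, name)."""
    for method in method_list:
        decision, level = method.authenticate(user, password)
        if decision is Decision.UNREACHABLE:
            continue
        return decision, level, method.name
    # Every method was unreachable: fail closed rather than open.
    return Decision.REJECT, None, None


def map_privilege(level, role_map):
    """Map a server-supplied privilege level to a local role, falling back to
    the next mapped level below (14 with {0, 5, 15} mapped -> level 5).
    Assumption of this example: a level with nothing mapped at or below it
    receives no role (None)."""
    levels = sorted(role_map)
    i = bisect_right(levels, level)
    return role_map[levels[i - 1]] if i else None


def login(method_list, role_map, user, password):
    """Complete login decision: authenticate, then map the level to a role."""
    decision, level, via = authenticate(method_list, user, password)
    if decision is not Decision.ACCEPT:
        return {"allowed": False, "via": via, "role": None}
    return {"allowed": True, "via": via, "role": map_privilege(level, role_map)}


ROLES = {0: "viewer", 5: "operator", 15: "admin"}  # assumed role mapping


def demo():
    """Three constructed scenarios; returns one result dict per scenario."""
    # 1. Primary TACACS+ group down, backup answers: level 14 -> role for 5.
    primary = Server("tacacs-primary", {"alice": ("s3cret", 14)}, reachable=False)
    backup = Server("tacacs-backup", {"alice": ("s3cret", 14)})
    local = Server("local", {"admin": ("localpw", 15)})
    failover = login([primary, backup, local], ROLES, "alice", "s3cret")

    # 2. Local database listed BEFORE the servers: it always answers, so its
    #    denial of an unknown user is final and the server is never queried.
    backup2 = Server("tacacs-backup", {"alice": ("s3cret", 14)})
    shadowed = login([local, backup2], ROLES, "alice", "s3cret")
    shadowed["server_queries"] = backup2.queries

    # 3. Every configured method unreachable and no local fallback: fail closed.
    dead = Server("radius", {"alice": ("s3cret", 1)}, reachable=False)
    locked_out = login([dead], ROLES, "alice", "s3cret")
    return failover, shadowed, locked_out


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Scenario 2 is the misconfiguration the authentication section warns about: with the local database ahead of the servers, the TACACS+ group is never consulted at all, and scenario 3 shows why a local method is usually kept at the end of the list.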

CLI authorization, on the other hand, depends entirely on the server configuration: whenever a user attempts to run a command, the server is asked whether that user is allowed to run it. Since every command requires a query to the server, the CLI may become less responsive, especially when several servers are configured and the first ones are unreachable.

Note

The exit command is always allowed to run and never starts the authorization process.

Accounting

Accounting is the logging of all actions performed while authenticated. It is an invaluable tool for auditing user activity, analyzing trends, and the forensic analysis of security incidents. Actions that can be accounted for include user access to the device, Port-based Network Access Control (PNAC) authentication, and access to a VPN tunnel.

Note

The exit command never starts the accounting process.

Examples

The following links contain examples of how to configure AAA for the different services:

Configuration commands