VTYSH extensions. AAA


Preliminary version.

23.08.2023


Contents

Changelog

The user subsystem

Privilege levels

AAA node

Internal (login) users

Authentication of system users

Dialin users

Authentication and authorization against external RADIUS and TACACS servers

Debug of CLI logins


Changelog

02.08.2023 — Changelog and Contents pages have been added.

23.08.2023 — Accounting and access restriction parts are documented.


This document describes the new configuration nodes and commands that the extension adds.


The user subsystem

The user subsystem is the extension that defines local CLI users and (or) authenticates and authorizes CLI users. Every authenticated and authorized CLI user has an assigned (or configured) privilege level.


Privilege levels

The user subsystem currently recognizes four privilege levels:

Level 0 — allows only to log in; no CLI command is available.

Level 7 — allows to enter enable mode, to issue some debug commands, to reboot the device, and to run the telnet and ssh clients.

Level 10 — allows everything of the previous level plus displaying the configured authentication details, the configured dial-in users and the setup of some services, and saving the configuration.

Level 15 — allows any command and action.


AAA node

The user subsystem and AAA against external servers are implemented inside the AAA node.

Some informational commands, such as «show ...», are implemented in enable mode.

To enter the AAA node, type «aaa» from configuration mode and hit Enter.

To leave the AAA node, type «exit» or «quit» and hit Enter.


Internal (login) users

The user subsystem allows to define internal users, with or without a password and with different privilege levels.

Such users log in to the CLI independently and do not use any kind of AAA to manage their access.

Local user logins can not be disabled. Once created, a login user can enter the CLI.


To define a local user NAME with the specified privilege level and password (or without one), use the command «user login NAME privilege (0-15) <nopasswd | password WORD [encrypted]>». A user defined with «nopasswd» is admitted with that privilege level on the user name alone, so use it with care, especially at privilege level 15.


To delete a previously configured local user, use the command «no user login NAME».


Please pay attention that changes to local users are not applied immediately: they take effect when the configuration is saved with the «write» command and the CLI is restarted.


Authentication of system users

In addition to locally configured users, the user subsystem allows traditional system users (e.g. the user „root“) to authenticate to the CLI with their system passwords. This kind of login can be disabled at any time with the «no authentication login system» command and enabled again with «authentication login system».


Please pay attention that at least one local user and (or) authentication against external AAA servers MUST be configured before login for system users is disabled; otherwise nobody will be able to enter the CLI.

The recommended way is to set a complex password for the user root and to keep authentication of system users enabled. Any system user is authenticated as a CLI user with privilege level 15.


Some commands inside the «aaa» node allow to manipulate system users.


Use the command «system user NAME <create | password>» to create the system user NAME or to change its password.

Use the command «no system user NAME» to delete a system user.

The command line interface does not display system users.

Please be maximally careful when manipulating system users.


The command «show aaa login user» displays the currently logged in user and the current privilege level.


Dialin users

The user subsystem allows to define users which can connect to the built-in Network Access Server (NAS) via the PPPoE, L2TP, PPTP and IPoE services.

Such users are defined as a login/password pair and an enabled service. All NAS services are enabled when none is specified.

Use the command «dial user NAME password WORD [service <l2tp | pptp | pppoe | ipoe>]» to define a dial-in user and the command «no dial user NAME» to delete the specified dial-in user.

Use the command «show aaa dial users» to display the dial-in user list.


Authentication and authorization against external RADIUS and TACACS servers

It is possible to authenticate users that are neither local nor system users against external AAA servers: RADIUS (not yet implemented) and TACACS+.

In this case the user MUST NOT be defined inside the CLI; the privilege level of the user is obtained from the «priv-lvl» attribute for TACACS+ and from the related RADIUS attribute.

When no such attribute is found, privilege level «0» is assigned, i.e. the user can log in but cannot run any CLI command.
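The following is an added example, not code from the original document or from the VTYSH extension itself. It shows what the rule above means on the wire: a TACACS+ authorization REPLY (packet layout and MD5 obfuscation as in RFC 8907) is parsed, the «priv-lvl» argument is extracted, and level 0 is used when the argument is absent or unusable. The sample packets are constructed inline with the same routine, the key, session id and user names are arbitrary, and the status/flag constants are the RFC values.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHOR = 0x02                 # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 obfuscation pad of RFC 8907 section 4.5 (XOR is symmetric)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id, key, seq_no, status, args, server_msg=b"", unencrypted=False):
    """Constructed server-side authorization REPLY (header + body), used as sample input."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    body = struct.pack("!BBHH", status, len(args), len(server_msg), 0)   # data_len = 0
    body += bytes(len(a) for a in args) + server_msg + b"".join(args)
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    if not unencrypted:
        body = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body)) + body


def parse_author_reply(packet, key):
    """Return (status, server_msg, args) from an authorization REPLY, validating all lengths."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 6:
        raise ValueError("short body")
    status, arg_cnt, server_msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg lengths")
    pos = 6 + arg_cnt
    if pos + server_msg_len + data_len + sum(arg_lens) != len(body):
        raise ValueError("body length mismatch (wrong key or corrupt packet)")
    server_msg = body[pos:pos + server_msg_len]
    pos += server_msg_len + data_len       # skip server_msg and data
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return status, server_msg.decode("ascii", "replace"), args


def split_arg(arg):
    """TACACS+ argument: name, then '=' (mandatory) or '*' (optional), then value."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], ch, arg[i + 1:]
    return arg, "", ""


def privilege_from_args(args):
    """Rule described on the page: take priv-lvl, otherwise fall back to level 0."""
    for arg in args:
        name, sep, value = split_arg(arg)
        if sep and name == "priv-lvl":
            try:
                level = int(value)
            except ValueError:
                return 0                    # unparsable value: treated as absent
            return level if 0 <= level <= 15 else 0
    return 0


def cli_privilege(packet, key):
    """Privilege level for a CLI login, or None when the server refused authorization."""
    status, _msg, args = parse_author_reply(packet, key)
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return None
    return privilege_from_args(args)
```

Note that a reply obfuscated with a different shared key decodes to garbage and fails the length check in `parse_author_reply`; a client must treat that exactly like a refusal, not like "no attribute found".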


To configure users, authentication methods and their details, enter „configure terminal“ mode and then „aaa“ mode.


To specify an external RADIUS server for AAA of login or dial-in users, use the command «server radius <A.B.C.D|X:X::X:X|FQDN> key WORD [auth-port (1-65535) [acct-port (1-65535)]]».

Use the command «no server radius <A.B.C.D|X:X::X:X|FQDN>» to delete a previously configured RADIUS server.


Use the command «server tacacs <A.B.C.D|X:X::X:X|FQDN> key WORD [auth-port (1-65535)]» to specify an external TACACS+ server for AAA of login or dial-in users, and the command «no server tacacs <A.B.C.D|X:X::X:X|FQDN>» to delete a previously configured TACACS+ server.


Use the command «show aaa servers [<radius|tacacs>]» to display the configured AAA servers. If the optional word «radius» is specified, only the configured RADIUS servers are shown; if «tacacs» is specified, only the configured TACACS+ servers are shown.


To do AAA for CLI users with RADIUS servers, issue the command «authentication login radius» inside «aaa» mode. To use TACACS+ servers instead of RADIUS, use the command «authentication login tacacs».

To display the current settings, type «show aaa authentication login».
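The following session is an added example, not part of the original document: it puts the commands of this section together with the local-user and system-user commands from the earlier sections in the order that avoids locking yourself out. The server address, key, user name and password are placeholders, the interval values are arbitrary, and the lines starting with «!» are annotations.

```text
! Added example: safe order of operations before disabling system-user login.
configure terminal
aaa
! 1. A local administrator that still works when the TACACS+ server is unreachable.
user login admin privilege 15 password Ch4nge-me-now
! 2. The external TACACS+ server, with a short timeout so a dead server does not hang logins.
server tacacs 192.0.2.10 key tacacs-shared-secret
authentication timeout 5
authentication login tacacs
! 3. Accounting updates, logout after 3 idle accounting intervals,
!    and therefore only one privilege-15 login at a time.
accounting interval 60
inactivity interval 3
exit
exit
write
! Restart the CLI (local user changes take effect only after «write» and a CLI restart),
! log in as admin and verify before going further:
show aaa login user
show aaa servers tacacs
show aaa authentication login
! 4. Only now remove the system-user fallback.
configure terminal
aaa
no authentication login system
exit
exit
write
```

Keeping the local user at privilege 15 also means that, with non-zero accounting and inactivity intervals, a second privilege-15 session (for instance a TACACS+ user with «priv-lvl» 15) is refused while the admin session is active.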


Accounting (periodic updates of the RADIUS or TACACS+ server in use) is implemented.

«accounting interval (0-180)» specifies the interval at which the server is updated (used when no related attribute exists in the authorization reply). A zero value means that no accounting is done.


«show aaa accounting interval» can be used to get the configured value.


In addition to accounting, logging out inactive users and restricting logins with the maximal privilege level to one at a time are implemented. This is activated by the «inactivity interval (0-10)» command, where the number is the amount of accounting intervals that have to pass before the inactivity state is detected. A zero value disables inactivity checking.

Any command input and any hit of the «Return» key in the CLI reset the inactivity time. Hitting another key does not reset the inactivity time.


«show aaa inactivity interval» can be used to get the configured value. Like most such commands, it requires privilege level 10 at least.


Non-zero accounting and inactivity intervals prevent multiple simultaneous logins of users with the maximal privilege level.
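The following is an added model of the rules stated above, not code from the extension itself. It makes two consequences explicit: the effective idle timeout is the product of the two intervals, so a zero «accounting interval» switches inactivity checking off just like a zero «inactivity interval» does, and the single-login restriction for privilege 15 applies only while both intervals are non-zero. The page does not state the unit of the accounting interval; this model assumes seconds, and the user names and session ids are arbitrary.

```python
from dataclasses import dataclass

MAX_PRIVILEGE = 15


@dataclass
class AaaTimers:
    """The two knobs from the «aaa» node: «accounting interval» and «inactivity interval».

    Assumption (not stated on the page): the accounting interval is in seconds.
    """
    accounting_interval: int   # 0-180; 0 = no accounting
    inactivity_interval: int   # 0-10 accounting intervals; 0 = no inactivity check

    def idle_timeout(self):
        """Seconds of silence after which a session is logged out, or None when disabled.

        Inactivity is counted in accounting intervals, so a zero accounting interval
        disables the check exactly like a zero inactivity interval does.
        """
        if self.accounting_interval == 0 or self.inactivity_interval == 0:
            return None
        return self.accounting_interval * self.inactivity_interval

    def single_max_privilege_login(self):
        """Only one privilege-15 session at a time, and only when both intervals are non-zero."""
        return self.idle_timeout() is not None


@dataclass
class Session:
    user: str
    privilege: int
    last_activity: int   # timestamp of the last command line / Return key hit


class SessionTable:
    def __init__(self, timers):
        self.timers = timers
        self.sessions = {}

    def login(self, session_id, user, privilege, now):
        """Admit a session unless it would be a second concurrent privilege-15 login."""
        if (privilege == MAX_PRIVILEGE
                and self.timers.single_max_privilege_login()
                and any(s.privilege == MAX_PRIVILEGE for s in self.sessions.values())):
            return False
        self.sessions[session_id] = Session(user, privilege, now)
        return True

    def command_entered(self, session_id, now):
        """A command line or a Return key hit resets the inactivity time."""
        self.sessions[session_id].last_activity = now

    def other_key_pressed(self, session_id, now):
        """Any other key press leaves the inactivity time untouched."""
        return self.sessions[session_id].last_activity

    def accounting_tick(self, now):
        """Run at every accounting interval; returns ids of sessions logged out for inactivity."""
        timeout = self.timers.idle_timeout()
        if timeout is None:
            return []
        expired = [sid for sid, s in self.sessions.items() if now - s.last_activity >= timeout]
        for sid in expired:
            del self.sessions[sid]
        return expired
```

A practical consequence of the model: an operator who wants the single-login restriction for privilege 15 but no idle logout cannot have it, because both features hang off the same non-zero pair of intervals.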


To set up the timeout for non-successful access to AAA servers, use the command «authentication timeout (0-60)», where the number is in seconds.

Use «show aaa authentication timeout» to display the current setting.


To set up the AAA service name, use the command «authentication service NAME». The default value is «login».

To display the service name, type «show aaa authentication service».


Debug of CLI logins

To enable debugging of the CLI login process, use the command «debug authentication» inside «aaa» mode, and «no debug authentication» to switch debugging off.