Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

Authentication, Authorization, and Accounting

Explains Authentication, Authorization, and Accounting functionality, from configuration restrictions to AAA setup using configuration groups, and details methods for template-based AAA configuration, including RADIUS, TACACS+, authorization, and accounting.



Restrictions to configure authorization and accounting

If you enter a configuration command and press Enter before you choose a value from an enumeration, the CLI shows a choice sub-menu. In this scenario, the system does not send the final value for authorization.

You cannot use the load merge and load override commands when authorization is configured.

Commands that you configure using load or rollback are not authorized or accounted.

Configure AAA using a configuration group

Before you begin

On the Configuration > Configuration Groups page, choose SD-WAN as the solution type.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

2.

Create and configure an AAA feature in a System profile.

  1. Configure users.

    Table 1. Local

    Field

    Description

    Enable AAA Authentication

    Enable authentication parameters.

    Accounting Group

    Enable accounting parameters.

    Add AAA User

    Name

    Enter a name for the user. It can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters.

    The following usernames are reserved, so you cannot configure them: backup, basic, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, proxy, quagga, root, sshd, sync, sys, uucp, and www-data. Also, names that start with viptela-reserved are reserved.

    Password

    Enter a password for the user. The password is an MD5 digest string, and it can contain any characters, including tabs, carriage returns, and linefeeds. For more information, see Section 9.4 in RFC 7950, The YANG 1.1 Data Modeling Language.

    Each username must have a password. Users are allowed to change their own passwords.

    The default password for the admin user is admin. We strongly recommend that you change this password.

    Confirm Password

    Re-enter the password for the user.

    Privilege

    Select between privilege level 1 or 15.

    • Level 1: User EXEC mode. Read-only, and access to limited commands, such as the ping command.

    • Level 15: Privileged EXEC mode. Full access to all commands, such as the reload command, and the ability to make configuration changes. By default, the EXEC commands at privilege level 15 are a superset of those available at privilege level 1.

    Add Public Key Chain

    Key String*

    Enter the authentication string for a key.

    Key Type

    Choose ssh-rsa.

  2. Configure RADIUS servers.

    Table 2. RADIUS

    Field

    Description

    Address*

    Enter the IP address of the RADIUS server host.

    Acct Port

    Enter the UDP port to use to send 802.1X and 802.11i accounting information to the RADIUS server.

    Range: 1 - 65534.

    Default: 1813

    Auth Port

    Enter the UDP destination port to use for authentication requests to the RADIUS server.

    Default: 1812

    Range: 1 - 65534

    Retransmit

    Enter the number of times the device transmits each RADIUS request to the server before giving up.

    Default: 3

    Range: 0 - 100

    Timeout

    Enter the number of seconds a device waits for a reply to a RADIUS request before retransmitting the request.

    Default: 5 seconds

    Range: 1 through 1000

    Key*

    Enter the key the Cisco IOS XE Catalyst SD-WAN device passes to the RADIUS server for authentication and encryption.

    Key Type

    Choose Protected Access Credential (PAC) key.

  3. Configure TACACS servers.

    Table 3. TACACS Server

    Field

    Description

    Address*

    Enter the IP address of the TACACS+ server host.

    Port

    Enter the UDP destination port to use for authentication requests to the TACACS+ server. If the server is not used for authentication, configure the port number to be 0.

    Default: 49

    Timeout

    Enter the number of seconds a device waits for a reply to a TACACS+ request before retransmitting the request.

    Default: 5 seconds

    Range: 1 through 1000

    Key*

    Enter the key the Cisco IOS XE Catalyst SD-WAN device passes to the TACACS+ server for authentication and encryption. You can type the key as a text string from 1 to 31 characters long, and it is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the AES encryption key used on the TACACS+ server.

  4. Configure accounting rules.

    Table 4. Accounting

    Field

    Description

    Rule Id*

    Enter the accounting rule ID.

    Method*

    Specifies the accounting method list. Choose one of the following:

    • commands: Provides accounting information about specific, individual EXEC commands associated with a specific privilege level.

    • exec: Provides accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.

    • network: Runs accounting for all network-related service requests.

    • system: Performs accounting for all system-level events not associated with users, such as reloads.

      Note

      When system accounting is used and the accounting server is unreachable at system startup time, the system will not be accessible for approximately two minutes.

    Level

    Choose the privilege level (1 or 15). Accounting records are generated only for commands entered by users with this privilege level.

    Start Stop

    Enable this option if you want the system to send a start accounting notice at the beginning of an event and a stop record notice at the end of the event.

    Use Server-group*

    Choose a previously configured TACACS group. The parameters that this accounting rule defines are used by the TACACS servers that are associated with this group.

  5. Configure authorization parameters.

    Table 5. Authorization

    Field

    Description

    Server Auth Order*

    Choose the authentication order. It dictates the order in which authentication methods are tried when verifying user access to a Cisco IOS XE Catalyst SD-WAN device through an SSH session or a console port.

    Authorization Console

    Enable this option to perform authorization for console access commands.

    Authorization Config Commands

    Enable this option to perform authorization for configuration commands.

    Add Authorization Rule

    Rule Id*

    Enter the authorization rule ID.

    Method*

    Choose Commands, which causes commands that a user enters to be authorized.

    Level

    Choose the privilege level (1 or 15) for commands to be authorized. Authorization is provided for commands entered by users with this privilege level.

    If Authenticated

    Enable this option to apply the authorization rule parameters only to the authenticated users. If you do not enable this option, the rule is applied to all users.

    Use Server-group*

    Choose a previously configured TACACS group. The parameters that this authorization rule defines are used by the TACACS servers that are associated with this group.

  6. Configure 802.1x parameters.

What to do next

Also see Deploy a configuration group.


Methods of configuring AAA using templates

You can configure authentication, authorization, and accounting (AAA) using a Cisco SD-WAN Manager template and push these settings to selected devices of the same type. This lets you configure several devices of the same type at once.

You can use the AAA template for Cisco Catalyst SD-WAN Validators, Cisco SD-WAN Manager instances, Cisco Catalyst SD-WAN Controllers, and Cisco IOS XE Catalyst SD-WAN devices.

Cisco IOS XE Catalyst SD-WAN devices support configuration of AAA in combination with RADIUS and TACACS+ servers.

Note

You must configure a local user with a secret key via the template if you are using PPP or using MLPPP with CHAP.


Create a template

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

2.

Click Device Templates, and click Create Template.

Note

In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled Device.

3.

From the Create Template drop-down list, select From Feature Template.

4.

From the Device Model drop-down list, select the type of device for which you are creating the template.

5.

Select Basic Information.

6.

To create a custom template for AAA, select Factory_Default_AAA_CISCO_Template and click Create Template.

The AAA template form appears. The top of the form has fields where you name the template, and the bottom has fields where you define AAA parameters.

7.

In the Template Name field, enter a name for the template.

The name can include up to 128 alphanumeric characters.

8.

In the Template Description field, enter a description of the template.

The description can include up to 2048 alphanumeric characters.

9.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the Scope drop-down list to the left of the parameter field and select one of these:

Parameter Scope

Scope description

Device Specific (indicated by a host icon)

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Cisco IOS XE Catalyst SD-WAN device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file you create. You can build this file in a spreadsheet program such as Excel and save it as CSV; it contains one column for each key. The header row contains the key names (one key per column), and each subsequent row corresponds to a device and defines the values of the keys for that device. Upload the CSV file when you attach a Cisco IOS XE Catalyst SD-WAN device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global (indicated by a globe icon)

Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.


Configure local access for users and user groups

You can configure local access to a device for users and user groups. Local access provides access to a device if RADIUS or TACACS+ authentication fails.

Procedure

1.

To configure local access for individual users, select Local.

2.

To add a new user, click + New User, and configure the following parameters:

Parameter Name

Description

Name

Enter a name for the user.

The name must start with a letter and be between 1 and 128 characters. Use only lowercase letters, numbers 0 through 9, hyphens (-), underscores (_), or periods (.). The name should not contain any uppercase letters.

These usernames are reserved, so you cannot configure them: backup, basic, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, proxy, quagga, root, sshd, sync, sys, uucp, and www-data. In addition to these, names starting with viptela-reserved are reserved.

Note

From Cisco Catalyst SD-WAN Manager Release 20.18.1, usernames for local user accounts remain limited to 32 characters, whereas usernames for TACACS users can be up to 128 characters.

Password

Enter a password for the user.

Each username must have a password. Users are allowed to change their own passwords.

The default password for the admin user is admin. We strongly recommend changing this password.

Note

When you configure local users using a Cisco SD-WAN Manager AAA template, SD-WAN Manager stores their passwords as Cisco type 9 passwords, which are hashed with the scrypt algorithm.

If you configure local users using a device CLI template or a CLI add-on template, you can choose other Cisco password types for hashing of local user passwords. For more information about type 6 encryption, refer to the Cisco Catalyst SD-WAN Configuration Groups Reference Guide.

Privilege Level 1 OR 15

Select between privilege level 1 or 15.

  • Level 1: User EXEC mode. Read-only, and access to limited commands, such as the ping command.

  • Level 15: Privileged EXEC mode. Full access to all commands, such as the reload command, and the ability to make configuration changes. By default, the EXEC commands at privilege level 15 are a superset of those available at privilege level 1.

SSH RSA Key(s)

Click + Add to add SSH RSA keys. Paste your SSH RSA key in the field. To remove a key, click -.

Devices support a maximum of 2 SSH RSA keys.

3.

Click Add to add the new user. Click + New User again to add additional users.

To configure local access for user groups, first place the user into either the basic or operator group. The admin user is automatically placed in the netadmin group. Then configure the user groups.

4.

From Local, select User Group.

5.

Click + New User Group, and configure the following parameters:

Parameter Name

Description

Name

Name of an authentication group.

The name must start with a letter and be between 1 and 128 characters. Use only lowercase letters, numbers 0 through 9, hyphens (-), underscores (_), or periods (.). The name should not contain any uppercase letters.

SD-WAN Manager provides three standard user groups: basic, netadmin, and operator. The user admin is automatically placed in the group netadmin and is the only user in this group. All users learned from a RADIUS or TACACS+ server are placed in the basic group. Users in the basic group have the same permissions to perform tasks as users in the operator group.

You cannot configure these groups as they are reserved: adm, audio, backup, bin, cdrom, dialout, dip, disk, fax, floppy, games, gnats, input, irc, kmem, list, lp, mail, man, news, nogroup, plugdev, proxy, quagga, quaggavty, root, sasl, shadow, src, sshd, staff, sudo, sync, sys, tape, tty, uucp, users, utmp, video, voice, and www-data.

Also, group names starting with the string viptela-reserved are reserved.

Feature Type

Click Preset to display a list of preset roles for the user group. Click Custom to display a list of authorization tasks that have been configured.

Feature

The feature table lists the roles for the user group. These roles are Interface, Policy, Routing, Security, and System. Each role allows the user group to read or write specific portions of the device's configuration and to execute specific types of operational commands. Click the appropriate boxes for Read, Write, or None to assign privileges to the group for each role.

6.

Click Add to add the new user group.

7.

To add another user group, click + New User Group again.

8.

To delete a user group, click the trash icon. You cannot delete the three standard user groups, basic, netadmin, and operator.
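The username and group-name rules in Table 1 and in the Local and User Group parameter tables above are easy to get wrong when accounts are provisioned in bulk. The following pre-flight check, an added example and not code from Cisco or from SD-WAN Manager, applies those rules (length, starting character, allowed character set, the reserved names and the viptela-reserved prefix) before a configuration is pushed; the 32-character limit for local users from Release 20.18.1 is exposed as the max_len parameter.

```python
import re

# Reserved usernames and group names exactly as listed on this page.
RESERVED_USERS = {
    "backup", "basic", "bin", "daemon", "games", "gnats", "irc", "list", "lp",
    "mail", "man", "news", "nobody", "proxy", "quagga", "root", "sshd", "sync",
    "sys", "uucp", "www-data",
}
RESERVED_GROUPS = {
    "adm", "audio", "backup", "bin", "cdrom", "dialout", "dip", "disk", "fax",
    "floppy", "games", "gnats", "input", "irc", "kmem", "list", "lp", "mail",
    "man", "news", "nogroup", "plugdev", "proxy", "quagga", "quaggavty", "root",
    "sasl", "shadow", "src", "sshd", "staff", "sudo", "sync", "sys", "tape",
    "tty", "uucp", "users", "utmp", "video", "voice", "www-data",
}
RESERVED_PREFIX = "viptela-reserved"

# Must start with a letter; only lowercase letters, digits, '-', '_' and '.'.
NAME_RE = re.compile(r"[a-z][a-z0-9._-]*")


def check_name(name, reserved, max_len=128):
    """Return the list of rule violations for a name (empty list: acceptable)."""
    problems = []
    if not 1 <= len(name) <= max_len:
        problems.append(f"length must be 1 to {max_len} characters")
    if not NAME_RE.fullmatch(name):
        problems.append("must start with a letter and use only a-z, 0-9, '-', '_' and '.'")
    if name in reserved:
        problems.append("name is reserved")
    if name.startswith(RESERVED_PREFIX):
        problems.append(f"names starting with {RESERVED_PREFIX} are reserved")
    return problems


def check_username(name, max_len=128):
    """Local user name check; pass max_len=32 for local users from Release 20.18.1."""
    return check_name(name, RESERVED_USERS, max_len)


def check_group_name(name):
    """User group name check against the reserved group list."""
    return check_name(name, RESERVED_GROUPS)


def check_batch(names, checker):
    """Map each offending name in a constructed batch to its violations."""
    return {n: checker(n) for n in names if checker(n)}


if __name__ == "__main__":
    # Constructed sample batch, not data from the page.
    batch = ["netops-01", "NetOps", "root", "viptela-reserved-x", "1st-user"]
    for name, problems in check_batch(batch, check_username).items():
        print(f"{name}: {'; '.join(problems)}")
```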


Configure RADIUS authentication

Configure RADIUS authentication if you are using RADIUS in your deployment.

Procedure

1.

To configure a connection to a RADIUS server, from RADIUS, click + New RADIUS Server, and configure the following parameters:

Table 6.

Parameter Name

Description

Address

Enter the IP address of the RADIUS server host.

Authentication Port

Enter the UDP destination port to use for authentication requests to the RADIUS server. If you do not use the server for authentication, set the port number to 0.

Default: Port 1812

Accounting Port

Enter the UDP port to send 802.1X and 802.11i accounting information to the RADIUS server.

Range: 0 to 65535.

Default: 1813.

Timeout

Enter the number of seconds a device should wait for a reply to a RADIUS request before retransmitting the request.

Default: 5 seconds.

Range: 1 to 1000

Retransmit Count

Enter the number of times the device transmits each RADIUS request to the server before giving up.

Default: 5 seconds.

Key (Deprecated)

Enter the key the Cisco IOS XE Catalyst SD-WAN device passes to the RADIUS server for authentication and encryption. Type the key as a text string from 1 to 31 characters. The system encrypts it immediately. Alternatively, type an AES 128-bit encrypted key. Use the same AES encryption key as on the RADIUS server.

2.

Click Add to add a new RADIUS server.

3.

To add another RADIUS server, click + New RADIUS Server again.

4.

To remove a server, click the trash icon.

CLI equivalent:

Device(config)# radius server 10.99.144.201
Device(config-radius-server)# retransmit 5
Device(config-radius-server)# timeout 10

Configure TACACS+ authentication

Configure TACACS+ authentication if you are using TACACS+ in your deployment.

Procedure

1.

To configure a connection to a TACACS+ server, from TACACS, click + New TACACS Server.

2.

Configure these parameters:

Parameter Name

Description

Address

Enter the IP address of the TACACS+ server host.

Port

Enter the UDP destination port to use for authentication requests to the TACACS+ server. If the server is not used for authentication, configure the port number to be 0.

Default: Port 49

Key

Enter the key the Cisco IOS XE Catalyst SD-WAN device passes to the TACACS+ server for authentication and encryption. You can type the key as a text string from 1 to 31 characters long, and it is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the AES encryption key used on the TACACS+ server.


Configure authentication order

The authentication order determines the order in which the system authenticates users, and helps users proceed with authentication if the current authentication method is unavailable.

Configure the authentication order for devices using these steps.

Procedure

1.

To configure AAA authentication order on a Cisco IOS XE Catalyst SD-WAN device, select the Authentication tab and configure the Server Group Order parameter.

Using AAA server groups allows you to group existing server hosts. By grouping these hosts, you can select a specific subset of configured servers to use for a particular service.

2.

Change the default order of authentication methods that the software uses to verify a user's access to a Cisco IOS XE Catalyst SD-WAN device:

  1. Click the ServerGroups priority order field to display the drop-down list of server groups.

    The list displays groups from local, RADIUS, and TACACS authentication methods.

  2. Select the groups in the order the software should use to verify users accessing the device.

    Note

    Select at least one group from the list.


Configure authorization

You can configure authorization, which causes a TACACS+ server to authorize the commands that a user enters on a device before the commands are executed. Authorization is based on the policies configured on the TACACS+ server and on the parameters that you configure on the Authorization tab.

Before you begin

On the Authentication tab, the TACACS+ server and the local server must be configured first, in that order, in the authentication order.

Procedure

1.

To configure authorization, choose the Authorization tab and click + New Authorization Rule.

2.

Configure the following parameters:

Parameter Name

Description

Console

Enable this option to perform authorization for console access commands.

Config Commands

Enable this option to perform authorization for configuration commands.

Method

Choose Command to authorize the commands entered by the user.

Privilege Level 1 OR 15

Choose the privilege level (1 or 15) for commands to be authorized. Authorization is provided for commands entered by users with this privilege level.

Groups

Choose a previously configured TACACS group. TACACS servers associated with this group use the parameters defined by this authorization rule.

Authenticated

Enable this option to apply the parameters defined by this authorization rule only to authenticated users. If you do not enable this option, the rule is applied to all users.

3.

Click Add to add the new authorization rule.

4.

To add another authorization rule, click + New Authorization Rule again.

5.

To remove an authorization rule, click the trash icon on the right side of the line.

CLI commands for configuring authorization:

system
   aaa
     aaa authorization console
     aaa authorization config-commands
     aaa authorization exec default list-name method
     aaa authorization commands level default list-name method

Configure accounting

Configure accounting so that the TACACS+ server generates a record of commands executed by the user on a device.

Before you begin

Ensure that you configure the TACACS+ server as the first option and the local server as the second option in the authentication order on the Authentication tab. Refer to Configure authentication order for details.

Procedure

1.

To configure accounting, choose the Accounting tab and click + New Accounting Rule.

2.

Configure these parameters:

Table 7. Accounting

Parameter Name

Description

Method

Choose Command to log commands executed by a user.

Privilege Level 1 OR 15

Choose the privilege level (1 or 15). Accounting records are generated only for commands entered by users with this privilege level.

Enable Start-Stop

Click On to have the system send a start accounting notice at the beginning of an event and a stop record notice at the end of the event.

Groups

Choose a previously configured TACACS group. TACACS servers associated with this group use the parameters defined by this accounting rule.

3.

Click Add to add the new accounting rule.

4.

To add another accounting rule, click + New Accounting Rule again.

5.

To remove an accounting rule, click the trash icon on the right side of the line.

CLI commands for configuring accounting:

system
   aaa
     aaa accounting exec default start-stop group group-name
     aaa accounting commands level default start-stop group group-name
     aaa accounting network default start-stop group group-name
     aaa accounting system default start-stop group group-name
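The authorization and accounting CLI above, together with the requirement that the TACACS+ server precede the local server in the authentication order, can be checked mechanically before a CLI template is attached. The audit below is an added example, not Cisco code or part of SD-WAN Manager; the IOS XE-style configuration it inspects is constructed for the example, and the server-group name TAC-GRP, the server name and the deliberately undefined group MISSING-GRP are assumptions, not values from this page.

```python
import re

# Constructed IOS XE-style AAA configuration (assumed names, not from the page).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TAC-GRP
 server name tac1
aaa authentication login default group TAC-GRP local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TAC-GRP local
aaa authorization commands 15 default group TAC-GRP local
aaa accounting exec default start-stop group TAC-GRP
aaa accounting commands 15 default start-stop group TAC-GRP
aaa accounting commands 1 default start-stop group MISSING-GRP
aaa accounting system default start-stop group TAC-GRP
"""

GROUP_DEF_RE = re.compile(r"aaa group server (?:tacacs\+|radius) (\S+)")
METHOD_LIST_RE = re.compile(r"aaa (authentication|authorization|accounting) (.+)")


def audit_aaa(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing; method lists are not applied")
    # Collect the server groups that are actually defined.
    groups = set()
    for ln in lines:
        m = GROUP_DEF_RE.fullmatch(ln)
        if m:
            groups.add(m.group(1))
    for ln in lines:
        m = METHOD_LIST_RE.fullmatch(ln)
        if not m:
            continue
        kind, tokens = m.group(1), m.group(2).split()
        # Every 'group NAME' reference must point at a defined server group.
        for i, tok in enumerate(tokens[:-1]):
            if tok == "group" and tokens[i + 1] not in groups:
                findings.append(f"{ln}: server group '{tokens[i + 1]}' is not defined")
        # Page requirement: the external (group) method first, local as fallback.
        if kind == "authentication" and tokens[:1] == ["login"] and len(tokens) > 2:
            methods = tokens[2:]
            if methods[:1] != ["group"] or "local" not in methods:
                findings.append(f"{ln}: expected 'group <name>' first and 'local' as fallback")
        # Accounting rules on this page are start-stop; flag anything else.
        if kind == "accounting" and "start-stop" not in tokens:
            findings.append(f"{ln}: accounting rule without start-stop")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed configuration, the only finding is the accounting rule that references the undefined group MISSING-GRP.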