Explains Authentication, Authorization, and Accounting functionality, from configuration restrictions to AAA setup using configuration groups, and details methods for template-based AAA configuration, including RADIUS, TACACS+, authorization, and accounting.
Restrictions to configure authorization and accounting
If you enter a configuration and press Enter before you choose a value from an enumeration, the CLI shows a choice sub-menu. In this scenario, the system does not send the final value for authorization.
You cannot use the load merge and load override commands when authorization is configured.
Configure AAA using a configuration group
Before you begin
On the page, choose SD-WAN as the solution type.
Procedure
1. From the Cisco SD-WAN Manager menu, choose .
2. Create and configure an AAA feature in a System profile.
What to do next
Also see Deploy a configuration group.
Methods of configuring AAA using templates
You can configure authentication, authorization, and accounting (AAA) using a Cisco SD-WAN Manager template and push these settings to selected devices of the same type. This lets you configure several devices of the same type at once.
You can use the AAA template for Cisco Catalyst SD-WAN Validators, Cisco SD-WAN Manager instances, Cisco Catalyst SD-WAN Controllers, and Cisco IOS XE Catalyst SD-WAN devices.
Cisco IOS XE Catalyst SD-WAN devices support configuration of AAA in combination with RADIUS and TACACS+ servers.
You must configure a local user with a secret key via the template if you are using PPP, or MLPPP with CHAP.
Create a template
Procedure
1. From the Cisco SD-WAN Manager menu, choose .
2. Click Device Templates, and click Create Template.
3. From the Create Template drop-down list, select From Feature Template.
4. From the Device Model drop-down list, select the type of device for which you are creating the template.
5. Select Basic Information.
6. To create a custom template for AAA, select Factory_Default_AAA_CISCO_Template and click Create Template. The AAA template form appears. The top of the form has fields where you name the template, and the bottom has fields where you define AAA parameters.
7. In the Template Name field, enter a name for the template. The name can include up to 128 alphanumeric characters.
8. In the Template Description field, enter a description of the template. The description can include up to 2048 alphanumeric characters.
9. When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the Scope drop-down list to the left of the parameter field and select one of these:
Configure local access for users and user groups
You can configure local access to a device for users and user groups. Local access provides access to a device if RADIUS or TACACS+ authentication fails.
Procedure
1. To configure local access for individual users, select Local.
2. To add a new user, click + New User, and configure the following parameters:
3. Click Add to add the new user. Click + New User again to add additional users. To configure local access for user groups, first place the user into either the basic or operator group. The admin is automatically placed in the netadmin group. Then you configure user groups.
4. From Local, select User Group.
5. Click + New User Group, and configure the following parameters:
6. Click Add to add the new user group.
7. To add another user group, click + New User Group again.
8. To delete a user group, click the trash icon. You cannot delete the three standard user groups: basic, netadmin, and operator.
Configure RADIUS authentication
Configure RADIUS authentication if you are using RADIUS in your deployment.
Procedure
1. To configure a connection to a RADIUS server, from RADIUS, click + New Radius Server, and configure the following parameters:
2. Click Add to add a new RADIUS server.
3. To add another RADIUS server, click + New RADIUS Server again.
4. To remove a server, click the trash icon. CLI equivalent:
Configure TACACS+ authentication
Configure TACACS+ authentication if you are using TACACS+ in your deployment.
Procedure
1. To configure a connection to a TACACS+ server, from TACACS, click + New TACACS Server.
2. Configure these parameters:
Configure authentication order
The authentication order determines the order in which the system authenticates users, and helps users proceed with authentication if the current authentication method is unavailable.
Configure the authentication order for devices using these steps.
Procedure
1. To configure AAA authentication order on a Cisco IOS XE Catalyst SD-WAN device, select the Authentication tab and configure the Server Group Order parameter. Using AAA server groups allows you to group existing server hosts. By grouping these hosts, you can select a specific subset of configured servers to use for a particular service.
2. Change the default order of authentication methods that the software uses to verify a user's access to a Cisco IOS XE Catalyst SD-WAN device:
Configure authorization
Configuring authorization causes a TACACS+ server to authorize the commands that a user enters on a device before the commands are executed. Authorization is based on the policies configured on the TACACS+ server and on the parameters that you configure on the Authorization tab.
Before you begin
The TACACS+ server and the local server must be configured first in the authentication order on the Authentication tab.
Procedure
1. To configure authorization, choose the Authorization tab, and click + New Authorization Rule.
2. Configure the following parameters:
3. Click Add to add the new authorization rule.
4. To add another authorization rule, click + New Authorization Rule again.
5. To remove an authorization rule, click the trash icon on the right side of the line. CLI commands for configuring authorization:
Configure accounting
Configure accounting so that the TACACS+ server generates a record of commands executed by the user on a device.
Before you begin
Ensure that the TACACS+ server is configured as the first option and the local server as the second option in the authentication order on the Authentication tab. Refer to Configure authentication order for details.
Procedure
1. To configure accounting, choose the Accounting tab and click + New Accounting Rule.
2. Configure these parameters:
3. Click Add to add the new accounting rule.
4. To add another accounting rule, click + New Accounting Rule again.
5. To remove an accounting rule, click the trash icon on the right side of the line. CLI commands for configuring accounting:
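The following IOS XE configuration is an added example, not CLI from this page and not output generated by Cisco SD-WAN Manager. It shows how the template settings described above (a local fallback user, a RADIUS server group, a TACACS+ server group placed first in the order for authorization and accounting with local second) map onto a Cisco IOS XE Catalyst SD-WAN device. The server addresses, group names and shared secrets are placeholders that you must replace.

```ios
! Added example; addresses, group names and secrets are placeholders
aaa new-model
!
! Local user consulted only when no configured server responds
username admin privilege 15 secret 0 REPLACE_WITH_STRONG_SECRET
!
! RADIUS server group (Configure RADIUS authentication)
aaa group server radius radius-group-1
 server-private 192.0.2.10 auth-port 1812 acct-port 1813 timeout 5 retransmit 3 key 0 REPLACE_RADIUS_KEY
!
! TACACS+ server group (Configure TACACS+ authentication)
aaa group server tacacs+ tacacs-group-1
 server-private 192.0.2.20 port 49 timeout 5 key 0 REPLACE_TACACS_KEY
!
! Authentication order: server groups first, local last
aaa authentication login default group radius-group-1 group tacacs-group-1 local
!
! Authorization: TACACS+ first, local second (prerequisite for the Authorization tab)
aaa authorization exec default group tacacs-group-1 local
aaa authorization commands 15 default group tacacs-group-1 local
!
! Accounting: privilege-15 commands are recorded on the TACACS+ server
aaa accounting exec default start-stop group tacacs-group-1
aaa accounting commands 15 default start-stop group tacacs-group-1
```

Note the fall-through semantics that the authentication order relies on: with `group tacacs-group-1 local`, IOS XE consults the local database only when no server in the group responds (timeout or unreachable). A reject from a reachable TACACS+ server is final and does not fall through to local, so a lost server session shows up as a fallback event while a denied command is still denied. `show aaa servers` reports per-server reachability and request counters, and `show running-config | section aaa` confirms what the template actually pushed.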