Authentication, authorization, and accounting (AAA) services secure networks against unauthorized access. AAA provides centralized access control for users who want to access the system.
Enable AAA login authentication
Configuring AAA authentication with a fallback option provides resilience during authentication: if one method fails, the system uses the next configured authentication method.
OS10(config)# aaa authentication login {console | default} {local | group radius | group tacacs+}
OS10(config)# exit
OS10# write memory
The authentication methods in the method list work in the order they are configured.
Enable AAA re-authentication
To prevent users from accessing resources or performing tasks that they are not authorized to perform, require users to reauthenticate by logging in again whenever an authentication method or server changes.
OS10(config)# aaa re-authenticate enable
Configure authorization
AAA command authorization controls user access to a set of commands assigned to users and is performed after user authentication. When enabled, AAA authorization checks a remote authorization server for each command that a user enters on the switch. If the commands that are entered by the user are configured in the remote server for that user, the remote server authorizes the usage of the command.
By default, the role you configure with the username password role command sets the level of CLI commands that a user can access.
An OS10 switch uses a list of authorization methods and the sequence in which they apply to determine the level of command authorization granted to a user. You can configure authorization methods with the aaa authorization command. By default, OS10 uses only the local authorization method. You can also configure TACACS+ server-based authorization.
The authorization methods in the method list run in the order that you configure them. Reenter the methods to change the order. The local authorization method remains enabled even if you remove all configured methods in the list using the no aaa authorization command.
aaa authorization {commands | config-commands | exec-commands} {role user-role} {console | default} {[local] [group tacacs+]}
For detailed information about how to configure vendor-specific attributes on a security server, see the respective RADIUS or TACACS+ server documentation.
Examples: AAA authorization
OS10(config)# aaa authorization commands role sysadmin console group tacacs+ local
OS10(config)# aaa authorization config-commands role sysadmin default group tacacs+
Remove AAA authorization methods
OS10(config)# no aaa authorization commands role sysadmin console
Enable AAA accounting for commands
AAA accounting for commands records login and command information about console connections and remote connections, such as Telnet and SSH.
OS10(config)# aaa accounting commands all {console | default} {start-stop | stop-only | none} [logging] [group tacacs+]
OS10(config)# exit
OS10# write memory
Enable AAA accounting for authentication events
OS10(config)# aaa accounting exec {console | default} {start-stop | stop-only | none} [logging] [group tacacs+]
OS10(config)# exit
OS10# write memory
The authentication methods in the method list work in the order they are configured.
Role-based access control (RBAC) provides control for access and authorization. Users are granted permissions based on defined roles. Create user roles based on job functions to allow users appropriate system access. A user can be assigned only a single role, and many users can have the same role. A user role authenticates and authorizes a user at login.
Default roles
The following are the default roles on the system:
Configuring roles
Controlling terminal access to a switch is one method of securing the device and network. To increase security, you can limit user access to a subset of commands using privilege levels.
OS10(config)# privilege mode priv-lvl privilege-level command-string
OS10(config)# username username password password role role priv-lvl privilege-level
OS10(config)# enable password encryption-type password-string priv-lvl privilege-level
OS10(config)# exit
OS10# write memory
OS10(config)# privilege exec priv-lvl 12 "show version"
OS10(config)# privilege exec priv-lvl 12 "configure terminal"
OS10(config)# privilege configure priv-lvl 12 "interface ethernet"
OS10(config)# privilege interface priv-lvl 12 "ip address"
OS10(config)# username delluser password $6$Yij02Phe2n6whp7b$ladskj0HowijIlkajg981 role secadmin priv-lvl 12
OS10(config)# enable password sha-256 $5$2uThib1o$84p.tykjmz/w7j26ymoKBjrb7uepkUB priv-lvl 12
OS10(config)# exit
OS10# write memory
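The privilege-level example above assigns four commands to level 12 and gives a user that level. To make the authorization rule behind it concrete, here is an added simulation (not Dell OS10 code) of how a privilege table decides whether a user may run a command. It assumes, as a labelled model assumption, that a command assigned with `privilege MODE priv-lvl N "CMD"` is available to a user whose priv-lvl is at least N, that the longest matching command prefix wins, and that commands never assigned a level require the constructed default of 15.

```python
"""Simulation of OS10-style privilege-level command authorization.

Added example, not OS10 code. Model assumptions (not stated on the page):
  * a command assigned to level N is usable by users with priv-lvl >= N
  * the longest matching command-string prefix decides the required level
  * unassigned commands require DEFAULT_LEVEL (constructed value)
"""
from dataclasses import dataclass, field

DEFAULT_LEVEL = 15  # constructed default for commands with no privilege entry


@dataclass
class PrivilegeTable:
    # mode -> list of (privilege level, command-string prefix)
    rules: dict = field(default_factory=dict)

    def privilege(self, mode: str, level: int, command: str) -> None:
        """Equivalent of: privilege MODE priv-lvl LEVEL "COMMAND"."""
        if not 1 <= level <= 15:  # assumed range for priv-lvl
            raise ValueError("priv-lvl must be between 1 and 15")
        self.rules.setdefault(mode, []).append((level, command))

    def required_level(self, mode: str, command: str) -> int:
        """Level needed to run `command` in `mode`; longest prefix match wins."""
        best = None
        for level, prefix in self.rules.get(mode, []):
            if command == prefix or command.startswith(prefix + " "):
                if best is None or len(prefix) > len(best[1]):
                    best = (level, prefix)
        return best[0] if best else DEFAULT_LEVEL

    def authorize(self, user_level: int, mode: str, command: str) -> bool:
        """True when the user's priv-lvl meets the command's required level."""
        return user_level >= self.required_level(mode, command)


def build_table() -> PrivilegeTable:
    """Reproduces the four privilege entries from the page's example."""
    t = PrivilegeTable()
    t.privilege("exec", 12, "show version")
    t.privilege("exec", 12, "configure terminal")
    t.privilege("configure", 12, "interface ethernet")
    t.privilege("interface", 12, "ip address")
    return t


if __name__ == "__main__":
    table = build_table()
    # delluser from the page holds priv-lvl 12
    for mode, cmd in [("exec", "show version"), ("exec", "show running-configuration"),
                      ("interface", "ip address 192.0.2.1/24")]:
        print(f"priv-lvl 12 {mode}: {cmd!r} ->", table.authorize(12, mode, cmd))
```

Note that the simulation is deliberately strict about unassigned commands: a level-12 user gets `show version` but not `show running-configuration`, which is exactly the least-privilege effect the page's `privilege` commands are meant to produce.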
View users and their roles
The following shows the users that are configured on the local system, their roles, and the assigned privilege levels:
OS10# show running-configuration users
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH. role sysadmin priv-lvl 15
OS10# show running-configuration userrole
Configure user role on server
If a console user logs in with RADIUS or TACACS+ authentication, the role you configured for the user on the RADIUS or TACACS+ server applies. User authentication fails if no role is configured on the authentication server.
To authenticate a user on OS10 through a TACACS+ server, configure the mandatory role with a value.
This section describes how to configure remote authentication on the system.
Configure RADIUS authentication
Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications. To provide enhanced security in RADIUS user authentication exchanges, RFC 6614 defines the RADIUS over Transport Layer Security (TLS) protocol. RADIUS over TLS secures the entire authentication exchange in a TLS connection and provides additional security.
OS10(config)# radius-server host {hostname | ip-address} tls security-profile profile-name [auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
OS10(config)# exit
OS10# write memory
Configure RADIUS authentication retries
Configure the number of times OS10 retransmits a RADIUS authentication request. To avoid unnecessary retries, configure a lower value.
OS10(config)# radius-server retransmit retries
OS10(config)# exit
OS10# write memory
retries—Enter the number of retry attempts, from 0 to 100.
Configure TACACS+ authentication
OS10(config)# tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
OS10(config)# exit
OS10# write memory
Configure TACACS+ authentication response timer
Configure the global timeout used to wait for an authentication response from TACACS+ servers. To avoid long waiting, configure a lower value.
OS10(config)# tacacs-server timeout seconds
OS10(config)# exit
OS10# write memory
seconds—Enter the timeout period used to wait for an authentication response from a TACACS+ server, from 1 to 1000 seconds.
View what authentication method is configured
To view which authentication method is configured on the system, use the following command:
OS10# show running-configuration aaa
aaa authentication login default group radius local
aaa authentication login console local
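The sections above recommend a local fallback in the login method list, RADIUS over TLS instead of UDP/MD5, and bounded retry and timeout values, and the running-configuration output is the place to confirm all of that. The following added audit script (not Dell code) parses a configuration listing in the format shown on this page and reports settings that contradict those recommendations. The sample listing, the placeholder keys and addresses, and the retry/timeout thresholds are constructed assumptions for the example; it also assumes `show running-configuration` emits the `radius-server` and `tacacs-server` lines in the same syntax the page's configuration commands use.

```python
"""Audit an OS10-style running configuration for weak AAA settings.

Added example, not Dell OS10 code. Parses lines in the syntax shown on this
page; the policy thresholds and the sample input are constructed.
"""

# Constructed sample listing; keys and addresses are placeholders.
SAMPLE_CONFIG = """\
aaa authentication login default group radius local
aaa authentication login console group tacacs+
aaa authorization commands role sysadmin console group tacacs+ local
aaa accounting commands all default none
aaa accounting exec default start-stop logging group tacacs+
radius-server host 192.0.2.10 key 9 PLACEHOLDER_KEY
radius-server host 192.0.2.11 tls security-profile radsec key 9 PLACEHOLDER_KEY
radius-server retransmit 10
tacacs-server host 192.0.2.20 key 9 PLACEHOLDER_KEY
tacacs-server timeout 60
"""

MAX_RETRIES = 3   # constructed policy threshold for radius-server retransmit
MAX_TIMEOUT = 10  # constructed policy threshold for tacacs-server timeout, seconds


def parse_methods(tokens):
    """Turn ['group', 'radius', 'local'] into ['group radius', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit(config_text):
    """Return a list of human-readable findings, one per weak setting."""
    findings = []
    for line in config_text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["aaa", "authentication", "login"]:
            # t[3] is the list name (console | default); methods follow it
            methods = parse_methods(t[4:])
            uses_remote = any(m.startswith("group ") for m in methods)
            if uses_remote and "local" not in methods:
                findings.append(f"login {t[3]}: remote method without local fallback")
        elif t[:2] == ["aaa", "accounting"]:
            # t[2] is commands | exec; 'none' disables record keeping
            if "none" in t:
                findings.append(f"accounting {t[2]}: set to none, no records kept")
        elif t[:2] == ["radius-server", "host"]:
            if "tls" not in t:
                findings.append(f"radius host {t[2]}: plain UDP/MD5, not RADIUS over TLS")
        elif t[:2] == ["radius-server", "retransmit"]:
            if int(t[2]) > MAX_RETRIES:
                findings.append(f"radius retransmit {t[2]} exceeds policy max {MAX_RETRIES}")
        elif t[:2] == ["tacacs-server", "timeout"]:
            if int(t[2]) > MAX_TIMEOUT:
                findings.append(f"tacacs timeout {t[2]}s exceeds policy max {MAX_TIMEOUT}s")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against the constructed sample, the script reports the console login list that has no `local` fallback, the command accounting set to `none`, the RADIUS host without `tls`, and the retransmit and timeout values above the policy thresholds; the `default` login list and the TLS-enabled RADIUS host pass.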