
AAA

You can use the AAA template for all Viptela devices.

Viptela devices support configuration of authentication, authorization, and accounting (AAA) in combination with RADIUS and TACACS+.

To configure the user access and authentication using vManage templates:

  1. Create a AAA feature template to configure AAA parameters, as described in this article.
  2. Create a device template that incorporates the feature templates. See the Configuration ► Templates help topic.

Navigate to the Template Screen

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. From the Templates title bar, select Feature.
  3. Click Add Template.
  4. In the left pane, select one or more devices. The right pane displays the available templates for the selected devices.
  5. Select the AAA template.

The right pane displays the AAA template form.

  • The top of the form contains fields for naming the template.
  • The bottom contains fields for defining parameters applicable to that template.
  • A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template form, for each parameter that has a default value, the scope is set to Default. To edit a parameter field, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
  • A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.

Minimum AAA Configuration

There is no minimum or default configuration for AAA. You must configure all desired functionality.

Configure Authentication Order and Fallback

To configure authentication order and authentication fallback on a Viptela device:

Parameter Name Description
Template Name Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters.
Description (Template) Enter a description of the template. It can be up to 2048 characters and can contain only alphanumeric characters.
Authentication Order

The default order is local, then radius, and then tacacs.

To change the default order of authentication methods that the software tries when verifying user access to a Viptela device:

  1. Click the dropdown arrow to display the list of authentication methods.
  2. In the list, click the up arrows to change the order of the authentication methods and click the boxes to select or deselect a method.

If you select only one authentication method, it must be local.

Authentication Fallback Click On to configure authentication to fall back from RADIUS or TACACS+ to the next priority authentication method if the user cannot be authenticated or if the RADIUS or TACACS+ servers are unreachable. With the default configuration (Off), authentication falls back only if the RADIUS or TACACS+ servers are unreachable.

CLI equivalent:

system
  aaa
    auth-fallback
    auth-order (local | radius | tacacs)


Configure Local Access for Users and User Groups

To configure local access for individual users, select the Local tab, click Users, and then click the plus sign (+) to add a user:

Parameter Name Description
Username

Enter a username. It can be 1 to 32 characters long, and it must start with a letter. It can contain lowercase letters, the digits 0 through 9, and the hyphen (-) and underscore (_) characters.

The following usernames are reserved, so you cannot configure them: backup, basic, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, proxy, quagga, root, sshd, sync, sys, uucp, and www-data. Also, names that start with viptela-reserved are reserved.

Password

Enter a password for the user. The password is an MD5 digest string, and it can contain any characters, including tabs, carriage returns, and linefeeds. For more information, see Section 9.4 in RFC 7950, The YANG 1.1 Data Modeling Language.

Each username must have a password. Each user is allowed to change their own password.

The default password for the admin user is admin. It is strongly recommended that you change this password.

Description Enter a description for the user.
Groups

Select from the list of configured groups. You must assign the user to at least one group. The admin user is automatically placed in the netadmin group and is the only member of this group.

To configure local access for user groups, you first place the user into either the basic or operator group. The admin is automatically placed in the netadmin group. Then you can configure user groups. To do this, select the Local tab, click User Groups, and click the plus sign (+) to add a group:

Parameter Name Description
Name Name of an authentication group. It can be 1 to 32 characters long, and must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, and the hyphen (-) and underscore (_) characters. (The name cannot contain any uppercase letters.)
The Viptela software provides three standard user groups, basic, netadmin, and operator. The user admin is automatically placed in the group netadmin and is the only user in this group. All users learned from a RADIUS or TACACS+ server are placed in the group basic. All users in the basic group have the same permissions to perform tasks, as do all users in the operator group.
The following group names are reserved, so you cannot configure them: adm, audio, backup, bin, cdrom, dialout, dip, disk, fax, floppy, games, gnats, input, irc, kmem, list, lp, mail, man, news, nogroup, plugdev, proxy, quagga, quaggavty, root, sasl, shadow, src, sshd, staff, sudo, sync, sys, tape, tty, uucp, users, utmp, video, voice, and www-data. Also, group names that start with the string viptela-reserved are reserved.
Task Click the right arrow (>) to display the privilege roles for the group. The roles are interface, policy, routing, security, and system. Each role allows the group to read or write specific portions of the device's configuration and to execute specific types of operational commands. Select the appropriate boxes for Read, Write, and None to assign privileges to the group for each role.

To add another group, click the plus sign (+).

To delete a group, click the trash icon at the right side of the entry.

CLI equivalent:

system
  aaa
    user username
      group group-name
      password password
    usergroup group-name
      task (interface | policy | routing | security | system) (read | write)


Configure RADIUS Authentication

To configure RADIUS, select the RADIUS tab:

Parameter Name Description
Retransmit Count

Specify how many times to search through the list of RADIUS servers while attempting to locate a server.

Range: 1 through 1000
Default: 3

Timeout

Specify how long to wait to receive a reply from the RADIUS server before retransmitting a request.

Range: 1 through 1000
Default: 5 seconds

To configure a connection to a RADIUS server, select the RADIUS tab, and click the plus sign (+):

Parameter Name Description
IP Address Enter the IP address of the RADIUS server host.
Authentication Port

Enter the UDP destination port to use for authentication requests to the RADIUS server. If the server is not used for authentication, configure the port number to be 0.

Default: Port 1812

Key (Deprecated) This field is deprecated. Use the Secret Key field instead.
Secret Key Enter the key the Viptela device passes to the RADIUS server for authentication and encryption. You can type the key as a text string from 1 to 32 characters long, and it is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the AES encryption key used on the RADIUS server.
Source Interface Enter the name of the interface on the local device to use to reach the RADIUS server.
VPN Enter the VPN in which the RADIUS server is located or through which the server can be reached. If you configure multiple RADIUS servers, they must all be in the same VPN.

To configure another RADIUS server, click the plus sign (+).

To remove a server, click the trash icon on the right side of the line.

CLI equivalent:

system
  radius
    retransmit number
    server ip-address
      auth-port port-number
      key key
      source-interface interface-name
      vpn vpn-id
    timeout seconds

Configure TACACS+ Authentication

To configure the device to use TACACS+ authentication, select the TACACS tab:

Parameter Name Description
Timeout

Enter how long to wait to receive a reply from the TACACS+ server before retransmitting a request.

Range: 1 through 1000
Default: 5 seconds

To configure a connection to a TACACS+ server, select the TACACS tab, and click the plus sign (+):

Parameter Name Description
IP Address Enter the IP address of the TACACS+ server host.
Authentication Port

Enter the UDP destination port to use for authentication requests to the TACACS+ server. If the server is not used for authentication, configure the port number to be 0.

Default: Port 49

Key (Deprecated) This field is deprecated. Use the Secret Key field instead.
Secret Key Enter the key the Viptela device passes to the TACACS+ server for authentication and encryption. You can type the key as a text string from 1 to 32 characters long, and it is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the AES encryption key used on the TACACS+ server.
Source Interface Enter the name of the interface on the local device to use to reach the TACACS+ server.
VPN VPN in which the TACACS+ server is located or through which the server can be reached. If you configure multiple TACACS+ servers, they must all be in the same VPN.

To configure another TACACS+ server, click the plus sign (+).

To remove a server, click the trash icon on the right side of the line.

CLI equivalent:

system
  tacacs
    server ip-address
      auth-port port-number
      key key
      source-interface interface-name
      vpn vpn-id
    timeout seconds
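To catch template values that vManage would reject before you push them to a device, here is an added validator (example code written for this article, not Viptela software) that encodes the naming, authentication-order, task, range and VPN rules from the Users, User Groups, RADIUS and TACACS+ sections above; the dict layout it reads is an assumption of the example.

```python
import re
# Rules transcribed from this page's AAA template description; example code, not Viptela's.
RESERVED_USERS = {"backup", "basic", "bin", "daemon", "games", "gnats", "irc", "list", "lp", "mail",
                  "man", "news", "nobody", "proxy", "quagga", "root", "sshd", "sync", "sys", "uucp", "www-data"}
RESERVED_GROUPS = {"adm", "audio", "backup", "bin", "cdrom", "dialout", "dip", "disk", "fax", "floppy",
                   "games", "gnats", "input", "irc", "kmem", "list", "lp", "mail", "man", "news", "nogroup",
                   "plugdev", "proxy", "quagga", "quaggavty", "root", "sasl", "shadow", "src", "sshd", "staff",
                   "sudo", "sync", "sys", "tape", "tty", "uucp", "users", "utmp", "video", "voice", "www-data"}
METHODS = ("local", "radius", "tacacs")
ROLES = {"interface", "policy", "routing", "security", "system"}
NAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")  # 1-32 chars, leading letter, lowercase/digit/-/_


def check_name(name, reserved, kind):
    """Return violations for a user or group name; an empty list means the name is acceptable."""
    errs = []
    if not NAME_RE.match(name):
        errs.append(f"{kind} {name!r}: 1-32 chars, leading letter, [a-z0-9_-] only")
    if name in reserved or name.startswith("viptela-reserved"):
        errs.append(f"{kind} {name!r} is reserved")
    return errs


def validate_aaa(cfg):
    """Check a template-shaped dict (assumed layout) against the constraints stated on this page."""
    errs = []
    order = cfg.get("auth_order", ["local", "radius", "tacacs"])
    if len(order) == 1 and order[0] != "local":
        errs.append("a single authentication method must be local")
    if any(m not in METHODS for m in order) or len(set(order)) != len(order):
        errs.append("auth-order may list each of local, radius and tacacs at most once")
    groups = {"basic", "netadmin", "operator"}  # the three standard groups
    for g in cfg.get("usergroups", []):
        errs += check_name(g["name"], RESERVED_GROUPS, "group")
        groups.add(g["name"])
        bad = [r for r, p in g.get("tasks", {}).items() if r not in ROLES or p not in ("read", "write")]
        if bad:
            errs.append(f"group {g['name']}: unknown task/permission {bad}")
    for u in cfg.get("users", []):
        errs += check_name(u["name"], RESERVED_USERS, "user")
        if not u.get("password"):
            errs.append(f"user {u['name']}: every user needs a password")
        if not u.get("groups") or not set(u["groups"]) <= groups:
            errs.append(f"user {u['name']}: must belong to at least one configured group")
    for kind in ("radius", "tacacs"):  # sections: {"retransmit": n, "timeout": s, "servers": [...]}
        sec = cfg.get(kind, {})
        for field in ("retransmit", "timeout"):
            if sec.get(field) is not None and not 1 <= sec[field] <= 1000:
                errs.append(f"{kind} {field} {sec[field]}: range is 1 through 1000")
        if len({s.get("vpn", 0) for s in sec.get("servers", [])}) > 1:
            errs.append(f"all {kind} servers must be in the same VPN")
    return errs
```

Run it over the values you intend to enter in the template; an empty list means none of the page's stated rules is violated.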

Release Information

Introduced in vManage NMS in Release 15.2.
