1 of 4

Configuring AAA

AAA stands for Authentication, Authorization and Accounting. These protocols were defined by the Internet Engineering Task Force and are intended to provide an Authentication, Authorization, and Accounting (AAA) framework for applications, such as network access or IP mobility in both local and roaming situations.

TACACS uses (either TCP or UDP) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. It would determine whether to accept or deny the authentication request and send a response back. In this way, the process of making the decision is "opened up" and the algorithms and data used to make the decision are under the complete control of the TACACS daemon.

RADIUS, which stands for Remote Authentication Dial-In User Service, is a network protocol commonly used for centralized authentication, authorization, and accounting (AAA) management. Similar to TACACS, RADIUS is designed to allow clients to authenticate and request services from a centralized server, referred to as a RADIUS server or RADIUS daemon.

Configuring AAA

TACACS Failthrough:

When using fail-through, if the primary TACACS server fails to respond within a specified timeout period, the authentication request is automatically forwarded to the next authentication method configured, such as a local database or a different authentication server.

If we disable fail-through, the system fails to authenticate with a reachable TACACS+ server the system does not attempt to authenticate with the next TACACS+ server.

TACACS Fallback:

The fallback is mainly intended to provide an alternative way to authenticate users when there’s an issue with the primary authentication server or method, not to give users multiple attempts to authenticate with different methods.

Fallback operates at the AAA (Authentication, Authorization, and Accounting) level, allowing the network device or system to switch to the secondary TACACS server when the primary server is not available.

In summary, failthrough refers to the process of falling back to an alternative authentication method if the primary TACACS server fails to respond, while fallback involves switching to a backup TACACS server when the primary server is unavailable for AAA services.

Configuring AAA

You can configure the Authentication, Authorization and Accounting (AAA) using the following command:

Reference

Example

You can verify the configuration by using the command(s) below:

Configuring TACACS

Server Level Configurations

You can configure the TACACS server using the following command:

Reference

Example

You can verify the configuration by using the command(s) below:

Global TACACS Parameters

To Configure Global TACACS parameters, use the below command:

Reference

Example

You can verify the configuration by using the command(s) below:

Configuring RADIUS

RADIUS is commonly used in enterprise and service provider networks to authenticate and authorize users before granting them access to network services.

In SONiC NOS, RADIUS is supported to achieve a crucial role in securing and managing network access by providing a centralized authentication, authorization, and accounting framework. SONiC switch performs a Client - network access server (NAS) role.

RADIUS is not supported on these platforms: EdgeCore AS5812 & EdgeCore AS7712

Global Level:

Reference

Example

You can verify the configuration by using the command(s) below:

Server Level

Reference

Example

You can verify the configuration by using the command(s) below:

Configuring AAA

TACACS Failthrough:

If we disable fail-through, the system fails to authenticate with a reachable TACACS+ server the system does not attempt to authenticate with the next TACACS+ server.

TACACS Fallback:

Configuring AAA

You can configure the Authentication, Authorization and Accounting (AAA) using the following command:

Reference

Example

You can verify the configuration by using the command(s) below:

Configuring RADIUS

RADIUS is commonly used in enterprise and service provider networks to authenticate and authorize users before granting them access to network services.

Configuring AAA

Configuring AAA

hashtagTACACS Failthrough:

hashtagTACACS Fallback:

hashtagConfiguring AAA

hashtagReference

hashtagExample

Configuring TACACS

hashtagServer Level Configurations

hashtagReference

hashtagExample

hashtagGlobal TACACS Parameters

hashtagReference

hashtagExample

Configuring RADIUS

hashtagConfiguring RADIUS

hashtagGlobal Level:

hashtagReference

hashtagExample

hashtagServer Level

hashtagReference

hashtagExample

Configuring TACACS

hashtagServer Level Configurations

hashtagReference

hashtagExample

hashtagGlobal TACACS Parameters

hashtagReference

hashtagExample

Configuring AAA

Configuring AAA

hashtagTACACS Failthrough:

hashtagTACACS Fallback:

hashtagConfiguring AAA

hashtagReference

hashtagExample

Configuring RADIUS

hashtagConfiguring RADIUS

hashtagGlobal Level:

hashtagReference

hashtagExample

hashtagServer Level

hashtagReference

hashtagExample

TACACS Failthrough:

TACACS Fallback:

Configuring AAA

Reference

Example

Server Level Configurations

Reference

Example

Global TACACS Parameters

Reference

Example

Configuring RADIUS

Global Level:

Reference

Example

Server Level

Reference

Example

Server Level Configurations

Reference

Example

Global TACACS Parameters

Reference

Example

TACACS Failthrough:

TACACS Fallback:

Configuring AAA

Reference

Example

Configuring RADIUS

Global Level:

Reference

Example

Server Level

Reference

Example