1 of 4

Configuring AAA

AAA stands for Authentication, Authorization and Accounting. These protocols were defined by the Internet Engineering Task Force and are intended to provide an Authentication, Authorization, and Accounting (AAA) framework for applications, such as network access or IP mobility in both local and roaming situations.

TACACS uses (either TCP or UDP) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. It would determine whether to accept or deny the authentication request and send a response back. In this way, the process of making the decision is "opened up" and the algorithms and data used to make the decision are under the complete control of the TACACS daemon.

RADIUS, which stands for Remote Authentication Dial-In User Service, is a network protocol commonly used for centralized authentication, authorization, and accounting (AAA) management. Similar to TACACS, RADIUS is designed to allow clients to authenticate and request services from a centralized server, referred to as a RADIUS server or RADIUS daemon.

Configuring AAA

TACACS Failthrough:

When using fail-through, if the primary TACACS server fails to respond within a specified timeout period, the authentication request is automatically forwarded to the next authentication method configured, such as a local database or a different authentication server.

If we disable fail-through, the system fails to authenticate with a reachable TACACS+ server the system does not attempt to authenticate with the next TACACS+ server.

TACACS Fallback:

The fallback is mainly intended to provide an alternative way to authenticate users when there’s an issue with the primary authentication server or method, not to give users multiple attempts to authenticate with different methods.

Fallback operates at the AAA (Authentication, Authorization, and Accounting) level, allowing the network device or system to switch to the secondary TACACS server when the primary server is not available.

In summary, failthrough refers to the process of falling back to an alternative authentication method if the primary TACACS server fails to respond, while fallback involves switching to a backup TACACS server when the primary server is unavailable for AAA services.

Configuring AAA

You can configure the Authentication, Authorization and Accounting (AAA) using the following command:

Reference

Example

pbnoscli# configure terminal 
pbnoscli(config)# aaa authentication 
  failthrough           Configure failthrough, default : enable
  fallback              Configure fallback, default : enable
  login                 Configure login, default : local
pbnoscli(config)# aaa authentication failthrough disable
pbnoscli(config)# aaa authentication fallback disable
pbnoscli(config)# aaa authentication login tacacs
pbnoscli(config)#

You can verify the configuration by using the command(s) below:

pbnoscli# show aaa authentication 
================================
Type            Value          
================================
Failthrough        Disabled          
Fallback           Disabled    
login              tacacs   
pbnoscli#

pbnoscli# show running-config 
configure terminal
aaa authentication failthrough disable
aaa authentication fallback disable
aaa authentication login tacacs+
interface mgmt
ip address 10.4.4.52/24 gateway 10.4.4.1
!
pbnoscli#

Configuring TACACS

Server Level Configurations

You can configure the TACACS server using the following command:

Reference

Command

[no] tacacs-server host <ipv4 | ipv6> [timeout<value> ] [key <value> ] [auth_type (chap |

pap | mschap | login) ] [port <value>] [priority <value> ]

Description

TACACS configuration

Parameters

IPv4 or v6 Address , timeout, key, auth_type, port, priority values

Mode

CONFIG

Example

 pbnoscli(config)# tacacs-server host 10.0.0.1           
  <cr>
  auth_type             Authentication type, default pap
  key                   Add Key
  port                  TCP port range is <1...65535>, default 49
  priority              Priority <1..64>, default 1
  timeout               Transmission timeout interval <0-60>, default 5
pbnoscli(config)# tacacs-server host 10.0.0.1 auth_type 
  chap                  chap
  login                 login
  mschap                mschap
  pap                   pap
pbnoscli(config)# tacacs-server host 10.0.0.1 auth_type pap key key_val port 44 priority 1 timeout 60
pbnoscli(config)#

You can verify the configuration by using the command(s) below:

pbnoscli# show tacacs-sever 10.0.0.1
TACPLUS global auth_type pap (Default)
TACPLUS global passkey <EMPTY_STRING> (Default)
TACPLUS global timeout 5 (Default)
=====================================================================================================================
IP              Auth_type       Passkey         Tcp_port        Priority        Mgmtvrf         Timeout        
=====================================================================================================================
10.0.0.1        pap               key_val          44               1              N/A             60             
pbnoscli#

pbnoscli# show running-config 
configure terminal
aaa authentication failthrough disable
aaa authentication fallback disable
aaa authentication login tacacs+
tacacs-server host 10.0.0.1 auth_type pap key key_val port 44 priority 1 timeout 60
interface mgmt
ip address 10.4.4.52/24 gateway 10.4.4.1
!
pbnoscli#

Global TACACS Parameters

To Configure Global TACACS parameters, use the below command:

Reference

Command

[no] tacacs [authtype (chap | pap | mschap | login)] [passkey <value>] [timeout <value>]

Description

TACACS global configuration

Parameters

Timeout, key, auth_type, passkey values

Mode

CONFIG

Example

pbnoscli(config)# tacacs 
  authtype              Configure authentication type, default : pap
  passkey               Specify TACACS server global passkey, default : <EMPTY_STRING>
  timeout               Specify TACACS server global timeout <0-60>, default : 5      

//configuring authentication type
pbnoscli(config)# tacacs authtype 
  chap                  chap
  login                 login
  mschap                mschap
  pap                   pap
pbnoscli(config)# tacacs authtype pap 

//configuring tacacs passkey
pbnoscli(config)# tacacs passkey key_value

//configuring timout value
pbnoscli(config)# tacacs timeout 60

You can verify the configuration by using the command(s) below:

pbnoscli# show tacacs-sever 
TACPLUS global auth_type pap            
TACPLUS global passkey key_value      
TACPLUS global timeout 60             
=====================================================================================================================
IP              Auth_type       Passkey         Tcp_port        Priority        Mgmtvrf         Timeout        
=====================================================================================================================
10.0.0.1        pap               key_val          44               1              N/A             60             
pbnoscli#

pbnoscli# show running-config 
configure terminal
aaa authentication failthrough disable
aaa authentication fallback disable
aaa authentication login tacacs+
tacacs-server host 10.0.0.1 auth_type pap key key_val port 44 priority 1 timeout 60
tacacs auth_type pap
tacacs passkey key_value
tacacs timeout 60
interface mgmt
ip address 10.4.4.52/24 gateway 10.4.4.1
!
pbnoscli#

Configuring RADIUS

RADIUS is commonly used in enterprise and service provider networks to authenticate and authorize users before granting them access to network services.

In SONiC NOS, RADIUS is supported to achieve a crucial role in securing and managing network access by providing a centralized authentication, authorization, and accounting framework. SONiC switch performs a Client - network access server (NAS) role.

RADIUS is not supported on these platforms: EdgeCore AS5812 & EdgeCore AS7712

Global Level:

Reference

Example

pbnoscli(config)# radius 
  <cr>
  auth-type             Authentication type, default pap
  key                   Add key
  nasip                 NAS IP address
  retransmit            Number of retries, default 3
  source-ip             source ip address
  timeout               Transmission timeout interval <1-60>, default 5
pbnoscli(config)# radius timeout 60
pbnoscli(config)# radius source-ip 10.4.4.52
pbnoscli(config)# radius key testing123
pbnoscli(config)# end

You can verify the configuration by using the command(s) below:

pbnoscli# show radius 
RADIUS global auth_type pap            
RADIUS global passkey *****          
RADIUS global timeout 5              
RADIUS global nasip <EMPTY_STRING> (Default)
RADIUS global source-ip 10.4.4.52      
RADIUS global retransmit 3              
===========================================================================================================================================
IP              Auth_type       Passkey         Auth-port       Priority        source-intf     retransmit      Timeout        
===========================================================================================================================================
10.4.4.11       pap             N/A             1812            1               N/A             3               5               
pbnoscli#

Server Level

Reference

Example

pbnoscli# configure terminal 
pbnoscli(config)# radius 
  host                  Add host
pbnoscli(config)# radius-server host 
  <ipaddr>              A.B.C.D
  <ip6addr>             A:B::C:D
pbnoscli(config)# radius-server host 10.4.4.11

You can verify the configuration by using the command(s) below:

pbnoscli# show radius 10.4.4.11
RADIUS global auth_type pap            
RADIUS global passkey *****          
RADIUS global timeout 5              
RADIUS global nasip <EMPTY_STRING> (Default)
RADIUS global source-ip 10.4.4.52      
RADIUS global retransmit 3              
===========================================================================================================================================
IP              Auth_type       Passkey         Auth-port       Priority        source-intf     retransmit      Timeout        
===========================================================================================================================================
10.4.4.11       pap             N/A             1812            1               N/A             3               5               
pbnoscli#

Configuring TACACS

Server Level Configurations

You can configure the TACACS server using the following command:

Reference

Command

[no] tacacs-server host <ipv4 | ipv6> [timeout<value> ] [key <value> ] [auth_type (chap |

pap | mschap | login) ] [port <value>] [priority <value> ]

Description

TACACS configuration

Parameters

IPv4 or v6 Address , timeout, key, auth_type, port, priority values

Mode

CONFIG

Example

 pbnoscli(config)# tacacs-server host 10.0.0.1           
  <cr>
  auth_type             Authentication type, default pap
  key                   Add Key
  port                  TCP port range is <1...65535>, default 49
  priority              Priority <1..64>, default 1
  timeout               Transmission timeout interval <0-60>, default 5
pbnoscli(config)# tacacs-server host 10.0.0.1 auth_type 
  chap                  chap
  login                 login
  mschap                mschap
  pap                   pap
pbnoscli(config)# tacacs-server host 10.0.0.1 auth_type pap key key_val port 44 priority 1 timeout 60
pbnoscli(config)#

You can verify the configuration by using the command(s) below:

pbnoscli# show tacacs-sever 10.0.0.1
TACPLUS global auth_type pap (Default)
TACPLUS global passkey <EMPTY_STRING> (Default)
TACPLUS global timeout 5 (Default)
=====================================================================================================================
IP              Auth_type       Passkey         Tcp_port        Priority        Mgmtvrf         Timeout        
=====================================================================================================================
10.0.0.1        pap               key_val          44               1              N/A             60             
pbnoscli#

pbnoscli# show running-config 
configure terminal
aaa authentication failthrough disable
aaa authentication fallback disable
aaa authentication login tacacs+
tacacs-server host 10.0.0.1 auth_type pap key key_val port 44 priority 1 timeout 60
interface mgmt
ip address 10.4.4.52/24 gateway 10.4.4.1
!
pbnoscli#

Global TACACS Parameters

To Configure Global TACACS parameters, use the below command:

Reference

Command

[no] tacacs [authtype (chap | pap | mschap | login)] [passkey <value>] [timeout <value>]

Description

TACACS global configuration

Parameters

Timeout, key, auth_type, passkey values

Mode

CONFIG

Example

pbnoscli(config)# tacacs 
  authtype              Configure authentication type, default : pap
  passkey               Specify TACACS server global passkey, default : <EMPTY_STRING>
  timeout               Specify TACACS server global timeout <0-60>, default : 5      

//configuring authentication type
pbnoscli(config)# tacacs authtype 
  chap                  chap
  login                 login
  mschap                mschap
  pap                   pap
pbnoscli(config)# tacacs authtype pap 

//configuring tacacs passkey
pbnoscli(config)# tacacs passkey key_value

//configuring timout value
pbnoscli(config)# tacacs timeout 60

You can verify the configuration by using the command(s) below:

pbnoscli# show tacacs-sever 
TACPLUS global auth_type pap            
TACPLUS global passkey key_value      
TACPLUS global timeout 60             
=====================================================================================================================
IP              Auth_type       Passkey         Tcp_port        Priority        Mgmtvrf         Timeout        
=====================================================================================================================
10.0.0.1        pap               key_val          44               1              N/A             60             
pbnoscli#

pbnoscli# show running-config 
configure terminal
aaa authentication failthrough disable
aaa authentication fallback disable
aaa authentication login tacacs+
tacacs-server host 10.0.0.1 auth_type pap key key_val port 44 priority 1 timeout 60
tacacs auth_type pap
tacacs passkey key_value
tacacs timeout 60
interface mgmt
ip address 10.4.4.52/24 gateway 10.4.4.1
!
pbnoscli#

Configuring RADIUS

RADIUS is commonly used in enterprise and service provider networks to authenticate and authorize users before granting them access to network services.

RADIUS is not supported on these platforms: EdgeCore AS5812 & EdgeCore AS7712

Global Level:

Reference

Example

pbnoscli(config)# radius 
  <cr>
  auth-type             Authentication type, default pap
  key                   Add key
  nasip                 NAS IP address
  retransmit            Number of retries, default 3
  source-ip             source ip address
  timeout               Transmission timeout interval <1-60>, default 5
pbnoscli(config)# radius timeout 60
pbnoscli(config)# radius source-ip 10.4.4.52
pbnoscli(config)# radius key testing123
pbnoscli(config)# end

You can verify the configuration by using the command(s) below:

pbnoscli# show radius 
RADIUS global auth_type pap            
RADIUS global passkey *****          
RADIUS global timeout 5              
RADIUS global nasip <EMPTY_STRING> (Default)
RADIUS global source-ip 10.4.4.52      
RADIUS global retransmit 3              
===========================================================================================================================================
IP              Auth_type       Passkey         Auth-port       Priority        source-intf     retransmit      Timeout        
===========================================================================================================================================
10.4.4.11       pap             N/A             1812            1               N/A             3               5               
pbnoscli#

Server Level

Reference

Example

pbnoscli# configure terminal 
pbnoscli(config)# radius 
  host                  Add host
pbnoscli(config)# radius-server host 
  <ipaddr>              A.B.C.D
  <ip6addr>             A:B::C:D
pbnoscli(config)# radius-server host 10.4.4.11

You can verify the configuration by using the command(s) below:

pbnoscli# show radius 10.4.4.11
RADIUS global auth_type pap            
RADIUS global passkey *****          
RADIUS global timeout 5              
RADIUS global nasip <EMPTY_STRING> (Default)
RADIUS global source-ip 10.4.4.52      
RADIUS global retransmit 3              
===========================================================================================================================================
IP              Auth_type       Passkey         Auth-port       Priority        source-intf     retransmit      Timeout        
===========================================================================================================================================
10.4.4.11       pap             N/A             1812            1               N/A             3               5               
pbnoscli#

Configuring AAA

TACACS Failthrough:

If we disable fail-through, the system fails to authenticate with a reachable TACACS+ server the system does not attempt to authenticate with the next TACACS+ server.

TACACS Fallback:

Configuring AAA

You can configure the Authentication, Authorization and Accounting (AAA) using the following command:

Reference

Example

pbnoscli# configure terminal 
pbnoscli(config)# aaa authentication 
  failthrough           Configure failthrough, default : enable
  fallback              Configure fallback, default : enable
  login                 Configure login, default : local
pbnoscli(config)# aaa authentication failthrough disable
pbnoscli(config)# aaa authentication fallback disable
pbnoscli(config)# aaa authentication login tacacs
pbnoscli(config)#

You can verify the configuration by using the command(s) below:

pbnoscli# show aaa authentication 
================================
Type            Value          
================================
Failthrough        Disabled          
Fallback           Disabled    
login              tacacs   
pbnoscli#

pbnoscli# show running-config 
configure terminal
aaa authentication failthrough disable
aaa authentication fallback disable
aaa authentication login tacacs+
interface mgmt
ip address 10.4.4.52/24 gateway 10.4.4.1
!
pbnoscli#