OC AAA
Packages:
- openconfig-system.yang
- openconfig-aaa.yang
Configuring the Default Authentication Method to TACACS+
Request:
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<nc:edit-config>
<nc:target>
<nc:running/>
</nc:target>
<nc:config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<config>
<authentication-method>tac1</authentication-method>
</config>
</authentication>
</aaa>
</system>
</nc:config>
</nc:edit-config>
</nc:rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: authentication
Type: Config Data
CLI Commands
aaa authentication login default group <server group name>
aaa authentication login default group tac1
Removing the Default Authentication Method from TACACS+
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<config>
<authentication-method xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="delete">tac1</authentication-method>
</config>
</authentication>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Container: authentication
Type: Config Data
CLI Commands
no aaa authentication login default group tac1
Configuring the Default Authentication Method to RADIUS
Request:
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<nc:edit-config>
<nc:target>
<nc:running/>
</nc:target>
<nc:config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<config>
<authentication-method>rad1</authentication-method>
</config>
</authentication>
</aaa>
</system>
</nc:config>
</nc:edit-config>
</nc:rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: authentication
Type: Config Data
CLI Commands
aaa authentication login default group <server group name>
aaa authentication login default group rad1
Removing the Default Authentication Method from RADIUS
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<config>
<authentication-method xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="delete">rad1</authentication-method>
</config>
</authentication>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Container: authentication
Type: Config Data
CLI Commands
no aaa authentication login default group rad1
Configuring the Default Authentication Method to Local
Request:
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<nc:edit-config>
<nc:target>
<nc:running/>
</nc:target>
<nc:config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<config>
<authentication-method>local</authentication-method>
</config>
</authentication>
</aaa>
</system>
</nc:config>
</nc:edit-config>
</nc:rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: authentication
Type: Config Data
CLI Commands
aaa authentication login default group <server group name>
aaa authentication login default group local
Configuring the Password for an Admin User
Request
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<admin-user>
<config>
<admin-password>Cisc0123</admin-password>
</config>
</admin-user>
</authentication>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: admin-user
Type: Config Data
CLI Commands
username admin password Cisc0123
Removing the Password for Admin User
Request
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<admin-user>
<config>
<admin-password xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="delete">Cisc0123</admin-password>
</config>
</admin-user>
</authentication>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: admin-user
Type: Config Data
CLI Commands
no username admin password Cisc0123
Configuring the Hashed-Password for an Admin User
Request
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<admin-user>
<config>
<admin-password-hashed>$5$cc.DJWjG$vGuUG/bNXC.tbsAZ599AG42iFuInvb7w1uA4SYtp0Z</admin-password-hashed>
</config>
</admin-user>
</authentication>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: admin-user
Type: Config Data
CLI Commands
username admin password 5 $5$cc.DJWjG$vGuUG/bNXC.tbsAZ599AG42iFuInvb7w1uA4SYtp0Z
Removing the Hashed-Password for an Admin User
Request
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<admin-user>
<config>
<admin-password-hashed xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="delete">$5$cc.DJWjG$vGuUG/bNXC.tbsAZ599AG42iFuInvb7w1uA4SYtp0Z</admin-password-hashed>
</config>
</admin-user>
</authentication>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: admin-user
Type: Config Data
CLI Commands
no username admin password 5 $5$cc.DJWjG$vGuUG/bNXC.tbsAZ599AG42iFuInvb7w1uA4SYtp0Z
Configuring a New User
Request
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<users>
<user>
<username>test</username>
<config>
<username>test</username>
<password>Cisc0123</password>
<role>dev-ops</role>
</config>
</user>
</users>
</authentication>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: users
Type: Config Data
CLI Commands
username test123 password Cisc0123 role dev-ops
Configuring a New User with a Hashed-Password
Request
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<users>
<user>
<username>test</username>
<config>
<username>test</username>
<password-hashed>$5$cc.DJWjG$vGuUG/bNXC.tbsAZ599AG42iFuInvb7w1uA4SYtp0Z</password-hashed>
<role>dev-ops</role>
</config>
</user>
</users>
</authentication>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: users
Type: Config Data
CLI Commands
username test123 password 5 $5$cc.DJWjG$vGuUG/bNXC.tbsAZ599AG42iFuInvb7w1uA4SYtp0Z role dev-ops
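An added example, not part of the vendor documentation: a pre-flight check for the two user-creation requests above that reports cleartext `<password>` and `<admin-password>` leaves in an `edit-config` payload and masks them before the RPC is logged. The function names and the `_rpc` envelope helper are hypothetical; the sample payloads are constructed from the requests on this page.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
OC = "http://openconfig.net/yang/system"
# Cleartext leaves used on this page, mapped to their hashed counterparts.
HASHED_FORM = {"admin-password": "admin-password-hashed",
               "password": "password-hashed"}

def _rpc(leaf):
    # Constructed envelope mirroring the page's "new user" request.
    return (f'<rpc xmlns="{NC}" message-id="101"><edit-config>'
            f'<target><running/></target><config><system xmlns="{OC}"><aaa>'
            f'<authentication><users><user><username>test</username><config>'
            f'<username>test</username>{leaf}<role>dev-ops</role></config>'
            f'</user></users></authentication></aaa></system></config>'
            f'</edit-config></rpc>')

CLEAR = _rpc("<password>Cisc0123</password>")
HASHED = _rpc("<password-hashed>$5$cc.DJWjG$vGuUG/bNXC.tbsAZ599AG42iFuInvb7w1uA4SYtp0Z"
              "</password-hashed>")

def lint_edit_config(rpc_xml):
    """Return (path, message) findings for cleartext credential leaves under <aaa>."""
    findings = []

    def walk(node, path):
        name = node.tag.split("}", 1)[-1]
        here = f"{path}/{name}"
        # RFC 6241: an element without nc:operation uses the default, merge.
        op = node.get(f"{{{NC}}}operation") or "merge"
        if name in HASHED_FORM and (node.text or "").strip():
            findings.append(
                (here, f"cleartext value (operation={op}); use <{HASHED_FORM[name]}>"))
        for child in node:
            walk(child, here)

    for aaa in ET.fromstring(rpc_xml).iter(f"{{{OC}}}aaa"):
        walk(aaa, "/system")
    return findings

def redact(rpc_xml):
    """Return the RPC with cleartext credential values masked, for logging."""
    root = ET.fromstring(rpc_xml)
    for node in root.iter():
        if node.tag.split("}", 1)[-1] in HASHED_FORM and node.text:
            node.text = "***"
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for path, message in lint_edit_config(CLEAR):
        print(path, "->", message)
    print(redact(CLEAR))
```

The check also fires on a removal request that carries the cleartext value with `nc:operation="delete"`, since the password still travels in the payload.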
Configuring the SSH Public Key in OpenSSH Format of a User
Request
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:d1327d89-2868-4e08-a26f-051a2307a544">
<nc:edit-config>
<nc:target>
<nc:running/>
</nc:target>
<nc:config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authentication>
<users>
<user>
<username>test</username>
<config>
<ssh-key>ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50rv7gsEPjhOBYmsi6PAVKui1nIf/DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQW3g9igG30c6k6+XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH3UD/vKyziEh5S4Tplx8=</ssh-key>
</config>
</user>
</users>
</authentication>
</aaa>
</system>
</nc:config>
</nc:edit-config>
</nc:rpc>
Response
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: users
Type: Config Data
CLI Commands
username User1 sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50rv7gsEPj
hOBYmsi6PAVKui1nIf/DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQW3g9igG30c6k6+
XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH3UD/vKyziEh5S4Tplx8=
Configuring the Default Authorization Method to TACACS+
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authorization>
<config>
<authorization-method>tac1</authorization-method>
</config>
</authorization>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: authorization
Type: Config Data
CLI Commands
aaa authorization commands default group tac1
Removing the Default Authorization Method from TACACS+
Request:
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:412de95f-46a6-4129-a761-35962d890382">
<nc:edit-config>
<nc:target>
<nc:running/>
</nc:target>
<nc:config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authorization>
<config>
<authorization-method nc:operation="delete">tac1</authorization-method>
</config>
</authorization>
</aaa>
</system>
</nc:config>
</nc:edit-config>
</nc:rpc>
Container: authorization
Type: Config Data
CLI Commands
no aaa authorization commands default group tac1
Configuring the Default Authorization Method to Local
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<authorization>
<config>
<authorization-method>local</authorization-method>
</config>
</authorization>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: authorization
Type: Config Data
CLI Commands
aaa authorization commands default local
Configuring the Default Accounting Method to TACACS+
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<accounting>
<config>
<accounting-method>tac1</accounting-method>
</config>
</accounting>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: accounting
Type: Config Data
CLI Commands
aaa accounting default group tac1
Removing the Default Accounting Method from TACACS+
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<accounting>
<config>
<accounting-method xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="delete">tac1</accounting-method>
</config>
</accounting>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Container: accounting
Type: Config Data
CLI Commands
no aaa accounting default group tac1
Configuring the Default Accounting Method to RADIUS
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<accounting>
<config>
<accounting-method>rad1</accounting-method>
</config>
</accounting>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: accounting
Type: Config Data
CLI Commands
aaa accounting default group rad1
Removing the Default Accounting Method from RADIUS
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<accounting>
<config>
<accounting-method xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="delete">rad1</accounting-method>
</config>
</accounting>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: accounting
Type: Config Data
CLI Commands
no aaa accounting default group rad1
Configuring the Default Accounting Method to Local
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<edit-config>
<target>
<running/>
</target>
<config>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<accounting>
<config>
<accounting-method>local</accounting-method>
</config>
</accounting>
</aaa>
</system>
</config>
</edit-config>
</rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0ee53f52-f02a-4d48-8a11-cab4897099b2">
<ok/>
</rpc-reply>
Note: This example was added in Release 9.3(3).
Container: accounting
Type: Config Data
CLI Commands
aaa accounting default local
Querying the AAA Container
Request:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<get-config>
<source>
<running/>
</source>
<filter>
<system xmlns="http://openconfig.net/yang/system">
<aaa/>
</system>
</filter>
</get-config>
</rpc>
Response:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:31257167-ca49-4052-bd2f-b8fd4fb7e8d0">
<data>
<system xmlns="http://openconfig.net/yang/system">
<aaa>
<accounting>
<config>
<accounting-method>local</accounting-method>
</config>
</accounting>
<authentication>
<admin-user>
<config>
<admin-password-hashed>$5$WMHzx0Sy$uFO6c5ZlibAqKCt9PoMVhVSbo.R5C29HfnC0JWIkvE4</admin-password-hashed>
</config>
</admin-user>
<users>
<user>
<username>user2</username>
<config>
<password-hashed>$5$AMMLHH$yIbHUttxjAzmkVs3x1IfwWhHEnATKdIgYxkdEC7MTO4</password-hashed>
<role>network-operator dev-ops</role>
<username>user2</username>
</config>
</user>
<user>
<username>User1</username>
<config>
<password-hashed>$5$DIFJGE$1AsXfvdszNSEfqnzm7vfwB5n7yd.AVKY8uqa9terPJC</password-hashed>
<role>dev-ops</role>
<username>User1</username>
</config>
</user>
<user>
<username>admin</username>
<config>
<password-hashed>$5$WMHzx0Sy$uFO6c5ZlibAqKCt9PoMVhVSbo.R5C29HfnC0JWIkvE4</password-hashed>
<role>network-admin</role>
<username>admin</username>
</config>
</user>
</users>
<config>
<authentication-method>tac1</authentication-method>
</config>
</authentication>
<authorization>
<config>
<authorization-method>local</authorization-method>
</config>
</authorization>
<server-groups>
<server-group>
<name>tac1</name>
<servers>
<server>
<address>20.1.1.1</address>
<tacacs>
<config>
<port>13</port>
<secret-key>sizxrec</secret-key>
</config>
</tacacs>
<config>
<address>20.1.1.1</address>
<timeout>0</timeout>
</config>
</server>
<server>
<address>10.1.1.1</address>
<tacacs>
<config>
<port>12</port>
<secret-key>pmvszeh</secret-key>
</config>
</tacacs>
<config>
<address>10.1.1.1</address>
<timeout>0</timeout>
</config>
</server>
<server>
<address>30.1.1.1</address>
<tacacs>
<config>
<port>14</port>
<secret-key>jfuhva</secret-key>
</config>
</tacacs>
<config>
<address>30.1.1.1</address>
<timeout>0</timeout>
</config>
</server>
</servers>
<config>
<name>tac1</name>
<type xmlns:oc-aaa="http://openconfig.net/yang/aaa">oc-aaa:TACACS</type>
</config>
</server-group>
</server-groups>
</aaa>
</system>
</data>
</rpc-reply>
Note: This example was added in Release 9.3(3).
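An added example, not part of the vendor documentation: a review of the `get-config` reply above that lists the default method for each AAA function, the roles held by each user, any method that names a server group missing from the reply, and the TACACS+ servers whose `secret-key` value or non-standard port appears in the output. `audit_aaa` is a hypothetical name, the embedded reply is a constructed, trimmed copy of the one shown above, and the check assumes the full `<aaa/>` subtree was requested.

```python
import xml.etree.ElementTree as ET

NS = {"oc": "http://openconfig.net/yang/system"}

# Constructed sample: a trimmed copy of the reply shape shown above.
REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
<data><system xmlns="http://openconfig.net/yang/system"><aaa>
<accounting><config><accounting-method>local</accounting-method></config></accounting>
<authentication>
<users>
<user><username>user2</username>
<config><role>network-operator dev-ops</role></config></user>
<user><username>admin</username>
<config><role>network-admin</role></config></user>
</users>
<config><authentication-method>tac1</authentication-method></config>
</authentication>
<authorization><config><authorization-method>local</authorization-method></config></authorization>
<server-groups><server-group><name>tac1</name><servers>
<server><address>20.1.1.1</address>
<tacacs><config><port>13</port><secret-key>sizxrec</secret-key></config></tacacs>
<config><address>20.1.1.1</address><timeout>0</timeout></config></server>
</servers></server-group></server-groups>
</aaa></system></data></rpc-reply>"""

def audit_aaa(reply_xml):
    """Summarise default methods, user roles and server findings from an <aaa> reply."""
    aaa = ET.fromstring(reply_xml).find(".//oc:system/oc:aaa", NS)

    def text(node, path):
        return node.findtext(path, default="", namespaces=NS)

    report = {"methods": {}, "roles": {}, "findings": []}
    groups = {text(g, "oc:name")
              for g in aaa.findall("oc:server-groups/oc:server-group", NS)}
    for fn in ("authentication", "authorization", "accounting"):
        leaves = aaa.findall(f"oc:{fn}/oc:config/oc:{fn}-method", NS)
        report["methods"][fn] = [leaf.text for leaf in leaves]
        for method in report["methods"][fn]:
            # Assumption: "local" is the only built-in method name, as on this page.
            if method != "local" and method not in groups:
                report["findings"].append(f"{fn}: method {method!r} has no server-group")
    for user in aaa.findall("oc:authentication/oc:users/oc:user", NS):
        report["roles"][text(user, "oc:username")] = text(user, "oc:config/oc:role").split()
    for srv in aaa.findall(".//oc:server", NS):
        addr, port = text(srv, "oc:address"), text(srv, "oc:tacacs/oc:config/oc:port")
        if text(srv, "oc:tacacs/oc:config/oc:secret-key"):
            report["findings"].append(f"{addr}: secret-key value present in reply")
        if port and port != "49":
            report["findings"].append(f"{addr}: TACACS+ port {port}, standard is 49")
    return report

if __name__ == "__main__":
    print(audit_aaa(REPLY))
```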