Authentication, Authorization, and Accounting
Authentication, Authorization, and Accounting (AAA) lets network administrators
- authenticate users attempting to log in to the router,
- authorize the actions of authenticated users, and
- account for (record) the commands a user issues during a remote login session.
Together these controls decide who can reach a router running SONiC remotely, what they may do once connected, and what record of that activity is kept.
View the currently configured AAA settings on the router using the show aaa command. The default configuration settings are:
admin@sonic:~$ show aaa
AAA authentication login local (default)
AAA authentication failthrough False (default)
AAA authorization login local (default)
AAA accounting login disable (default)
Parameter description of the show aaa command:
AAA authentication login local
: Specifies that users are authenticated using the local database.
AAA authentication failthrough False
: Specifies that authentication failthrough is disabled. The setting takes effect only when remote authentication servers are configured.
AAA authorization login local
: Specifies that users are authorized using the local database.
AAA accounting login disable
: Specifies that commands issued by a user are not accounted (recorded).
Authentication
Modify the default AAA authentication configuration using the config aaa authentication login command.
admin@sonic:~$ sudo config aaa authentication login -h
Usage: config aaa authentication login [OPTIONS]
[[radius|tacacs+|local|default]]...
Switch login authentication [ {radius, tacacs+, local} | default ]
Options:
-h, -?, --help Show this message and exit.
Parameter description of the config aaa authentication login command:
local
: Specifies the local database, which contains user credentials.
radius, tacacs+
: Alternatively, users can be authenticated against a remote server. SONiC supports radius or tacacs+ servers for authentication. More than one method can be given (for example tacacs+ local), as the usage text shows.
default
: Restores the default authentication method, which is local.
Authentication failthrough defines what the router does when an authentication request to a remote server fails.
admin@sonic:~$ sudo config aaa authentication failthrough -h
Usage: config aaa authentication failthrough [OPTIONS]
[enable|disable|default]
Allow AAA fail-through [enable | disable | default]
Options:
-h, -?, --help Show this message and exit.
Parameter description of the config aaa authentication failthrough command:
enable
: Upon failure of an authentication request, the router moves to the next configured remote server (if any). If no remote servers remain, the local database is used.
disable
: Upon failure of an authentication request, the router does not send requests to any other remote server. The authentication process stops and the login is denied.
default
: Restores the default setting, in which failthrough is disabled.
Choose deliberately: with failthrough enabled, a user whom the remote server rejected can still log in with a local password, so the remote server's decision is not final; with it disabled, a remote failure ends the attempt, so keep an out-of-band path such as the console available for recovery.
Authorization
Modify the AAA authorization configuration using the config aaa authorization command:
admin@sonic:~$ sudo config aaa authorization -h
Usage: config aaa authorization [OPTIONS] [[tacacs+|local|tacacs+ local]]...
Switch AAA authorization [tacacs+ | local | '"tacacs+ local"']
Options:
-h, -?, --help Show this message and exit.
Parameter description of the config aaa authorization command:
local
: Specifies the local database, which contains user credentials.
tacacs+
: Specifies a remote TACACS+ server. Only tacacs+ servers can be used as remote authorization servers.
tacacs+ local
: Combines the two methods. Note the quoting in the usage text: both names must be passed as a single argument, "tacacs+ local".
Accounting
Modify the AAA accounting configuration using the config aaa accounting command:
admin@sonic:~$ sudo config aaa accounting -h
Usage: config aaa accounting [OPTIONS] [[disable|tacacs+|local|tacacs+
local]]...
Switch AAA accounting [disable | tacacs+ | local | '"tacacs+ local"']
Options:
-?, -h, --help Show this message and exit.
Parameter description of the config aaa accounting command:
disable (default)
: Disables AAA accounting.
local
: Stores the accounting data on the router.
tacacs+
: Sends the accounting data to a remote TACACS+ server.
tacacs+ local
: Combines the two destinations. As with authorization, pass both names as a single quoted argument, "tacacs+ local".
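As an added example (not part of the original page and not SONiC's own code), the following POSIX shell script audits show aaa output against the settings discussed above: local-only authentication, disabled accounting, local-only authorization alongside remote authentication, and the failthrough trade-off. It relies only on the line format printed by show aaa as shown earlier; that several methods appear comma-joined in that output (for example tacacs+,local) is an assumption about the CLI, and the remediation hints in the findings follow the usage text quoted in each section. The sample input embedded in the script is constructed.

```shell
#!/bin/sh
# Added example (not SONiC code): audit `show aaa` output for weak AAA posture.
# Relies on the "AAA <group> <key> <value> [(default)]" line format shown on the
# page; that several methods print comma-joined ("tacacs+,local") is assumed.

# Constructed sample: the default settings, as `show aaa` prints them on the page.
SAMPLE_DEFAULT='AAA authentication login local (default)
AAA authentication failthrough False (default)
AAA authorization login local (default)
AAA accounting login disable (default)'

# aaa_value <group> <key>: value field of the matching `show aaa` line on stdin.
aaa_value() {
  awk -v g="$1" -v k="$2" '$1 == "AAA" && $2 == g && $3 == k { print $4; exit }'
}

# aaa_audit [file]: read `show aaa` output (file or stdin), print WARN/INFO
# findings, and return the number of WARN findings (0 = nothing to fix).
aaa_audit() {
  input=$(cat "${1:--}")
  auth=$(printf '%s\n' "$input" | aaa_value authentication login)
  failthrough=$(printf '%s\n' "$input" | aaa_value authentication failthrough)
  authz=$(printf '%s\n' "$input" | aaa_value authorization login)
  acct=$(printf '%s\n' "$input" | aaa_value accounting login)
  warn=0

  # Local-only authentication: no central credential policy or revocation.
  if [ "$auth" = "local" ]; then
    echo 'WARN authentication login is local only (fix: configure a server, then sudo config aaa authentication login tacacs+ local)'
    warn=$((warn + 1))
  fi

  # Accounting off: commands run in remote sessions leave no record.
  if [ "$acct" = "disable" ]; then
    echo 'WARN accounting is disabled; remote-session commands are not recorded (fix: sudo config aaa accounting "tacacs+ local")'
    warn=$((warn + 1))
  fi

  case "$auth" in
    *tacacs+*|*radius*)
      # Remote authentication but local-only authorization: the server's
      # per-user policy is never consulted for authorization decisions.
      if [ "$authz" = "local" ]; then
        echo 'WARN authorization is local while authentication is remote (fix: sudo config aaa authorization "tacacs+ local")'
        warn=$((warn + 1))
      fi
      # Failthrough semantics as described on the page: enabled -> the local
      # database is tried after remote failures; disabled -> a remote failure
      # ends the login attempt.
      if [ "$failthrough" = "True" ]; then
        echo 'INFO failthrough enabled: an account the remote server rejects can still log in with a local password'
      else
        echo 'INFO failthrough disabled: a failed remote request ends the login; keep console access for recovery'
      fi
      ;;
  esac
  return "$warn"
}

# Stand-alone run: audit the file named by $1, otherwise demo on the sample.
if [ $# -gt 0 ]; then
  aaa_audit "$1" || true
else
  printf '%s\n' "$SAMPLE_DEFAULT" | aaa_audit || true
fi
```

On a switch, save show aaa output to a file and run the script on it (show aaa > /tmp/aaa.txt; sh aaa_audit.sh /tmp/aaa.txt); the default configuration yields two WARN findings, one for local-only authentication and one for disabled accounting. The exit status of aaa_audit is the WARN count, so the function can gate a compliance check in a larger script.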