Authentication, Authorisation and Accounting

Introduction

Authentication, Authorization and Accounting (AAA) is an umbrella term referring to protocols and methods that can be used to handle and verify user access.

The three individual terms refer to who is allowed to access what device (Authentication), if access is granted what are the limitations of their available actions (authorization), and to recount what actions they performed (accounting).

For some use-cases utilizing the systems AAA options, refer to the following:

• Built-in Accounts
• Local Databases HowTo
• Remote Servers HowTo

Overview

AAA in the system is separated into two different parts that are combined together. Firstly the system allows for setting up different types of AAA methods. Afterwards, the configured AAA method can be bound to various services in the system that have support for AAA methods. The best example of this is the login service.

Authentication Chain

An authentication chain is a configurable sequence of authentication methods that the system uses to verify user credentials during login attempts. Each method in the chain is evaluated in order, and the process continues until a method successfully authenticates the user or all methods have been exhausted. The chain can include remote servers, server groups, and built-in accounts, with options to control behavior on authentication rejection and fallback to local accounts. This approach provides flexibility and redundancy, ensuring reliable access control even if some authentication sources are unavailable. Below is an example of an authentication chain that includes two remote servers, a server group, and the built-in accounts as fallback. The chain is configured to try the next method on rejection and to fallback to local accounts if all methods are unavailable.

+-----------------+     +-----------------+     +----------------+     +-------------------+
| Remote Server 0 | --> | Remote Server 1 | --> | Server Group 0 | --> | Built-in Accounts |
+-----------------+     +-----------------+     +----------------+     +-------------------+
         |                       |                      |
         v                       v                      v
 [on-reject: next]       [on-reject: next]    [local-fallback: always]

Figure 1: Example AAA authentication chain showing Remote Server, Server Group, and Built-in Accounts with fallback and reject handling.

Authentication Methods

The AAA framework in the system have support for a number of different AAA methods that are presented below:

• Built-in Accounts: The only account present in a factory default system. As an example, the admin user is one such an account. Built-in accounts allow for defining per account authorization levels. For more information see Built-in Accounts HowTo. The built-in login methods are implicit and are always last in the authentication chain. For more info see local-fallback.

• Remote Servers: Centralized authentication on remote servers via RADIUS and TACACS+. For additional information see Remote Servers HowTo. NOTE: The device can be configured to use multiple remote servers, but none will be used unless they are added to the authentication chain.

• Server Groups: Allows grouping of multiple remote servers for authentication. This can be useful for load balancing and failover scenarios. For additional information see Remote Servers HowTo.

• Local Database (Deprecated): Allows storing of credentials locally on the device, with no need for any external infrastructure. This functionality is considered deprecated and no longer supported for newly configured systems. Existing configurations will continue to work. For more information see Local Databases HowTo.

Services

The system currently supports AAA methods to be used for the following services:

OpenVPN

The systems AAA methods can be used to authenticate OpenVPN clients. The OpenVPN client will authenticate itself using a certificate, and optionally also via username and password. When using this option, a system acting as an OpenVPN Server, can either use a local database or a central server (or server group) to verify the client’s username and password.

For an example of how this can be done refer to this HowTo:

• OpenVPN Host to LAN

Authorization levels

A user should be granted the least possible privilege that allows performing that user’s task. This is realized by a light-weight Role Base Access Control (RBAC) that is available for built-in accounts.

The functionality available to the users is split into multiple areas called RBAC modules. For CLI, each command will belong to one of these modules. The RBAC modules are:

• Device status for accessing the status of the device (show commands will mostly go here).

• Audit trail for accessing the audit log functionality.

• PKI for accessing Public Key Infrastructure functionality.

• AAA for accessing Authentication, Authorization, and Accounting functionality.

• Device config for accessing device configuration context.

• Utils/tools for accessing utilities and tools (like ping, ssh, telnet etc).

• Maintenance for accessing maintenance tools (like copy, export, diff etc).

• Firmware management for accessing firmware management.

• Factory reset for performing factory reset operation.

• Shell access for accessing the Linux shell.

For each RBAC module, the following permissions are defined:

Currently six roles are available:

• administrator who has all privileges in the system.

• guest who only has access to a restricted CLI with limited read-only functionality. The guest role is deprecated and replaced by the viewer role.

• viewer who has the permissions to view objects with-in the device and read values where applicable. Default role for new users.

• operator who has permissions to read and view objects and values with-in the device and where applicable peform control actions and update firmware.

• engineer who has permissions to view and read objects and values with-in the device and also to configure most functionality except some security features like AAA, PKI or audit logs.

• auditor who only has access to a restricted CLI with read-only access to the audit logs.

Only built-in accounts can have roles. Each built-in account has only one role.

Each role will have a set of permissions on each RBAC module according to the following table:

Configuration

The AAA configuration consists of a number of different areas spread over a number of different context levels.

General Settings

The AAA can be configured from the configuration context in the CLI. This context contains the overall AAA configuration and access to all other AAA sub-contexts.

example:/#> configure
example:/config/#> aaa
example:/config/aaa/#>

Syntax

[no] user USERNAME

Create and mange a built-in account.

USERNAME

Name of a new or already existing built-in user account

no

Removes specified user

username NAME [password | hash] PASSWORD

Set the password for specific allowed users, like the admin user.

Warning

DEPRECATED: use user admin to enter user-admin context and

password from within that context.

NAME

The user to change the password for.

PASSWORD

Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.

[no] password-policy

Set password policy. For details read here.

[no] lockout-policy

The lockout policy is a security feature that prevents unauthorized access to the system by locking out users who enter incorrect login credentials too many times. You can activate and configure the lockout policy in this sub-context.

enable

Enable/disable account lockouts

deny

Number of consecutive authentication failures until lockout of the user. Default number is 3 times. Allowed values are 3 - 10 times.

deny-admin

If this option is selected even the built-in admin ackount can be locked out. Default is yes (enabled).

unlock-time

Duration of the lockout (s). Default is 600 seconds (10 minutes). Allowed values are 10 - 1800 seconds.

[no] exclude <console>

Always allow logins over the selected interface. Currently only console is selectable.

Note

Lockout only happens if deny number of failed login attempts happens within 900 seconds. This value is currently hard-coded and not configurable.

Note

You can view the locked out users with the command show lockout in the admin-exec context and unlock a locked out user with the command lockout <username> reset in the same context.

[no] auth-chain

Manage the authentication chain.

Note

Enters a sub-configuration context.

no

Reset the authentication chain to defaults.

[no] local-db ID [plain]

Create and manage local databases. Default type is ‘hash’ but the keyword ‘plain’ can be used to create a database that contains plain text passwords. The type can only be defined once when the local database is created, therefore the keyword is not available in the sub-configuration context.

Note

Enters a sub-configuration context.

no

Remove a specific local database if an ID is provided, otherwise remove all local databases.

ID

Id in the range 0-4, any other id will be invalid.

[no] remote-server ID [type <radius | tacacs>]

Create and manage remote authentication servers.

Note

Enters a sub-configuration context.

no

Remove a specific remote server if an ID is provided, otherwise remove all servers.

ID

Id in the range 0-5, any other id will be invalid.

type

The type of remote server to create, either radius or tacacs. This setting can still be changed in the server configuration.

encryption-type

The encryption-type of the remote server. Available encryption types is dependent on server type. For radius, peap-mschapv2 is available. For the rest it is none.

[no] server-group ID [type <radius | tacacs>]

Create and manage server groups.

Note

Enters a sub-configuration context.

no

Remove a specific server group if an ID is provided, otherwise remove all server groups.

ID

Id in the range 0-1, any other id will be invalid.

type

The type of server group to create, either radius or tacacs. This setting can still be changed in the server group configuration.

[no] mac-auth ID

Manage a MAC authentication group.

Note

Enters a sub-configuration context.

no

Remove a specific MAC authentication group if an ID is provided, otherwise remove all MAC authentication groups.

ID

Id in the range 0-99.

Built-in Account Settings

This section describes configuration of built-in accounts. Up to 16 built-in accounts are allowed. Only built-in accounts can have guest / operator / auditor roles. An example of a built-in account that is always present in factory configured system is admin.

example:/config/aaa/#> user admin
example:/config/aaa/user-admin/#>

[no] enable

Enable or disable this user in the system. A user cannot disable themselves.

Note

SSH Authorized Keys of a disabled user are removed and must be imported again upon enabling the user.

[no] password [expire] [alg ALG] secret PASSWORD

Set password in clear text and hash it using given algorithm.

expire

Expire password, forcing user to change it at next login.

ALG

md5, sha256 or sha512. By default md5crypt (md5) is used if no algorithm is given. If the password-policy option is set the password must meet the policy.

PASSWORD

Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.

no

Disable password for the user. When issuing ‘no password’ command password-based authentication is disabled, making it impossible to log in using a username and password. However, if SSH keys exist, you can still log in using them.

Note

Please exercise caution when using ‘no password’, as it could potentially lock you out from the device if no other administrator accounts exist and no SSH keys are defined.

[no] hash HASH-STRING

Set the user password in hash format.

Note

When the password-policy option is enabled this option is disabled (See here).

HASH-STRING

An arbitrary hash-string. It should be used with caution. A cryptographically weak hash-string will compromise the system’s security.

no

disable password for the user

[no] role viewer | guest | operator | administrator | engineer | auditor

Set role of the user. Default role is viewer. There must be at least one administrator in the system.

administrator

Has all privileges in the system.

viewer

Has permissions to view objects with-in the device and read values where applicable. [Default]

guest

Has only access to a restricted interface with limited read-only functionality. Deprecated, replaced by viewer.

operator

Has permissions to read and view objects and values with-in the device and where applicable perform control actions (e.g. reboot) and update firmware.

auditor

Can read audit logs and other audit relevant information.

engineer

Can perform most of the configuration, except security related parts like AAA, PKI, audit logs.

[no] ssh-user-key import

SSH user key management

import

Import authorized public keys. Enter an interactive mode for pasting user’s authorized public keys. One key per line, each key having format as used in OpenSSH i.e.:
<type-name> <base64-encoded-ssh-public-key> [comment]
Example:
ssh-rsa AAAAB3NzaC...G6KCGOnv user@host

Notes:
o This command overwrites any existing keys.
o Imported key(s) are not checked for validity.

no

Removes imported keys.

Examples:

For examples on how to create and manage built-in accounts see Built-in Accounts

Local Database Settings

Configure a local database and enter its configuration context. When creating a local database the ID must be a number from 0 to 4.

example:/config/aaa/#> local-db 0
Creating new local db 0
example:/config/aaa/local-db-0/#>

Syntax

[no] username NAME [password | hash] PASSWORD

Add a user to this local database.

no

Remove a specific user based on the provided NAME.

NAME

The user to change the password for.

PASSWORD

Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.

[no] description STRING

Free form description of this local database.

no

Remove any description.

STRING

Free form text with a maximum length of 15 characters.

Remote Server Settings

Configure a remote server and enter its configuration context. When creating a remote server the ID must be a number from 0 to 5.

example:/config/aaa/#> remote-server 0
Creating new remote server 0
example:/config/aaa/remote-server-0/#>

Syntax

[no] type <radius | tacacs>

Set the remote server type to be either radius or tacacs.

no

Reset the type to its default setting, radius.

[no] description STRING

Free form description of this remote server.

no

Remove any description.

STRING

Free form text with a maximum length of 15 characters.

[no] address <IP | FQDN>

Address of the remote server.

no

Remove and configured address.

IP

IP address in standard quad-dotted notation, e.g. 192.168.1.1.

FQDN

A fully qualified domain name.

[no] password PASSWORD

Password for remote server.

Note

May not be empty.

no

Remove the current configured password.

PASSWORD

Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.

[no] auth-port PORT

Authentication port to connect to on remote server.

no

Use the default port for the selected type of server. For radius it is 1812 and for tacacs it is 49.

PORT

The port number to use.

Server Group Settings

Configure a server group and enter its configuration context. When creating a server group the ID must be a number from 0 to 1.

example:/config/aaa/#> server-group 0
Creating new server group 0
example:/config/aaa/server-group-0/#>

Syntax

[no] type <radius | tacacs>

Set the remote server type to be either radius or tacacs.

no

Reset the type to its default setting, radius.

[no] description STRING

Free form description of this server group.

no

Remove any description.

STRING

Free form text with a maximum length of 15 characters.

[no] server <ID|ID,ID,...>

Remote server(s) to be part of the server group.

Note

When using a server group for authentication each server will be tested in order. If a response is received from any of the servers the remaining ones in the group will not be tested.

no

Remove any configured server IDs.

ID

Id of a remote-server to be part of the server group.

Authentication Chain Settings

The Authentication chains provides a way to specify how the device priorities different authentication methods. It also allows to specify how the device should handle a reject, and the conditions for local fallback at the end of the chain. Each link in the chain may either be a remote server, or a server group..

example:/config/aaa/#> auth-chain
example:/config/aaa/auth-chain/#>

Syntax

Syntax: [no] order [..] Usage: Authentication chain order

[no] order [server-<SID>|group-<GID>] [..]

Set zero or more authentication methods to be used for login requests on the device. NOTE: Order matters

no

Remove any configured authentication methods.

server-

Use an existing remote-server with the provided SID in the chain.

group-

Use an existing server-group with the provided GID in the chain.

[no] on-reject next|deny

Dictates how the authentication chain behaves when an authentication method rejects the user credentials. NOTE: Admin accounts are always available over the serial console, regardless of on-reject and local-fallback settings.

no

Reset on-reject to the default value of next

next

When an authentication method rejects the users credentials: Try the next authentication method in order, or local-fallback if there are no more methods.

deny

When an authentication method rejects the users credentials: Deny the login attempt

[no] local-fallback never|serial|always

Acts as a last resort after all other methods fail to give a authorative answer. NOTE: Admin accounts are always available over the serial console, regardless of on-reject and local-fallback settings.

no

Reset local-fallback to the default value of always

never

Only admins accounts over the serial console work.

serial

Local accounts are used as a fallback when logging in over the serial console

always

Local accounts are used as a fallback

Password Compliance Policy Settings

Password compliance policy provides a way to check a password at creation time against a set of policies. If enabling the password compliance policy the password will be checked for compliance when changing an existing users password or adding a new user in the cli or webgui.

Configure the password policy and enter its configuration context:

example:/config/aaa/#> password-policy
Activating password policy with default settings, type 'abort' to cancel.
example:/config/aaa/password-policy/#>

Syntax

[no] enable

This setting controls if the password compliance policy is enabled or disabled. Default is Disabled.

no

Disable password compliance policy

min-length

Set password policy min length <8-64>. Default is 14.

value

Minimum length of password

uppercases

Specify number of uppercase letters <0-64>. Default is 0.

value

Number of uppercase letters

lowercases

Specify number of lowercase letters <0-64>. Default is 0.

value

Number of lowercase letters

digits

Specify number of digits <0-64>. Default is 0.

value

Number of digits

specials

Specify number of special characters <0-64>. Default is 0.

value

Number of special characters

reject-username

Enable/Disable reject username in password. Default is Enabled. If enabled the username, in any form, must not be part of the password.

0

Disabled

1

Enabled

MAC auth group Settings

Configure a MAC auth group and enter its configuration context.

example:/config/#> aaa
example:/config/aaa/#> mac-auth 0
Creating new mac-auth group 0.
Remember, you need to reference it from a Port Access instance as well!
example:/config/aaa/mac-auth-0/#> mac match aa:bb:cc:dd:ee:ff description "My MAC match"
example:/config/aaa/mac-auth-0/#> leave
example:/config/#> leave

Syntax

[no] description STRING

Free form description of this MAC auth group.

no

Remove any description.

STRING

Free form text with a maximum length of 15 characters.

[no] mac match <MAC-PATTERN> [description <STRING>]

Create or delete a Ethernet MAC address pattern.

A single MAC address can be specified in the format: hh:hh:hh:hh:hh:hh

no

Remove MAC-PATTERN

Status

Show any user currently connected to the device, and the authentication method used when connecting to the device.

example:/#> show users
TYPE    USERNAME            REMOTE HOST          LOGIN                        
Console admin                                    Wed Aug 14 08:47:02 2019

Show AAA status, same information as when in config mode.

example:/#> show aaa

Show local-db status, same information as when in config mode.

example:/#> show aaa local-db 1

Show local-db status for all databases.

example:/#> show aaa local-db