Authentication, Authorisation and Accounting
Introduction
Authentication, Authorization and Accounting (AAA) is an umbrella term for the
protocols and methods used to control and verify user access. The three terms
refer to verifying who is allowed to access a device (authentication), which
actions an authenticated user is permitted to perform (authorization), and
recording which actions the user actually performed (accounting).
For some use cases utilizing the system's AAA options, refer to the following:
Overview
AAA in the system is separated into two parts that work together. Firstly, the
system allows for setting up different types of AAA methods. Afterwards, a
configured AAA method can be bound to the services in the system that support
AAA methods. The best example of this is the login service.
Authentication Methods
The AAA framework in the system has support for a number of different AAA
methods, presented below:
- Built-in Accounts: The only kind of account present in a factory default
  system. As an example, the admin user is one such account. Built-in accounts
  allow for defining per-account authorization levels. For more information
  see the Built-in Accounts HowTo.
- Local Databases: Allows storing credentials locally on the device, with no
  need for any external infrastructure. For more information see the Local
  Databases HowTo.
- Remote Servers: Centralized authentication on remote servers via RADIUS and
  TACACS+. For additional information see the Remote Servers HowTo.
Services
The system currently supports AAA methods for the following services:

Service | Remote Server | Local Database | Built-in Accounts
Login   | X             |                | X
OpenVPN | X             | X              |
Login Service
In order to authenticate the user, the login service can be bound to the following methods:
- Built-in Accounts (Implicit): The built-in login methods are implicit and
  will always be tried after any other login method that has been configured.
- Remote Server (Optional): The login method can be configured to use a
  Remote Server as a login authentication method. If one of these methods is
  configured for the login service, it will be tried first at any login
  attempt. The fallback in this situation would be the Built-in Accounts.
- Local Database (Deprecated): This login method is possible in already
  configured legacy systems but is considered deprecated and no longer
  supported as an authentication method for the login service in newly
  configured systems.
OpenVPN
The system's AAA methods can be used to authenticate OpenVPN clients. The OpenVPN
client authenticates itself using a certificate, and optionally also via
username and password. When using this option, a system acting as an OpenVPN
server can use either a local database or a central server (or server group) to
verify the client's username and password.
For an example of how this can be done refer to this HowTo:
Authorization levels
A user should be granted the least privilege that allows performing that
user's task. This is realized by a light-weight Role Based Access Control
(RBAC) that is available for built-in accounts. Currently the following roles
are available:
- administrator: has all privileges in the system. Default role for new users.
- guest: only has access to a restricted CLI with limited read-only
  functionality.
- operator: has access to a restricted CLI with all of the guest functionality
  and some extra allowed commands.
Only built-in accounts can have roles. Each built-in account has exactly one
role.
Role          | Remote Server | Local Database | Built-in Accounts
Administrator | X             | X              | X
Guest         |               |                | X
Operator      |               |                | X
Configuration
The AAA configuration is divided into a number of areas, each with its settings
configured in its own sub-context. The settings are therefore spread over
several context levels in the CLI.
General Settings
The AAA can be configured from the configuration context in the CLI. This
context contains the overall AAA configuration and access to all other AAA
sub-contexts.
example:/#> configure
example:/config/#> aaa
example:/config/aaa/#>
Syntax
[no] user USERNAME
- Description
  Create and manage a built-in account.
- Options
  USERNAME - Name of a new or already existing built-in user account.
  no - Removes the specified user.
username NAME [password | hash] PASSWORD
- Description
  Set the password for specific allowed users, like the admin user.
  Warning: DEPRECATED. Use user admin to enter the user-admin context and
  password from within that context.
- Options
  NAME - The user to change the password for.
  PASSWORD - Password with the following allowed characters: ASCII 33-126
  (octal 041-176), max length 64 chars.
[no] password-policy
- Description
  Set password policy. For details read here.
[no] local-db ID [plain]
- Description
  Create and manage local databases. The default type is ‘hash’, but the
  keyword ‘plain’ can be used to create a database that contains plain text
  passwords. The type can only be defined once, when the local database is
  created; therefore the keyword is not available in the sub-configuration
  context.
  Note: Enters a sub-configuration context.
- Options
  no - Remove a specific local database if an ID is provided, otherwise remove
  all local databases.
  ID - Id in the range 0-4; any other id is invalid.
[no] lockout-policy
- Description
  The lockout policy is a security feature that prevents unauthorized access to
  the system by locking out users who enter incorrect login credentials too
  many times. You can activate and configure the lockout policy in this
  sub-context.
- Options
  enable - Enable/disable account lockouts.
  deny - Number of consecutive authentication failures until lockout of the
  user. Default is 3. Allowed values are 3 - 10.
  deny-admin - If this option is selected even the built-in admin account can
  be locked out. Default is yes (enabled).
  unlock-time - Duration of the lockout in seconds. Default is 600 seconds
  (10 minutes). Allowed values are 10 - 1800 seconds.
  [no] exclude <console> - Always allow logins over the selected interface.
  Currently only console is selectable.
  Note: Lockout only happens if deny number of failed login attempts happen
  within 900 seconds. This value is currently hard-coded and not configurable.
  Note: You can view the locked out users with the command show lockout in the
  admin-exec context, and unlock a locked out user with the command
  lockout <username> reset in the same context.
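The following is an added model of the lockout-policy behaviour described above (deny within the hard-coded 900 s window, unlock-time, deny-admin and the console exclusion); it is example code written for this page, not the device's own implementation. The class name, the result strings and the choice to report 'locked' on the attempt that reaches the limit are this example's assumptions; feeding it a constructed sequence of login events shows which attempt triggers the lockout and when it expires.

```python
from collections import deque

WINDOW = 900  # seconds; the page says this window is hard-coded on the device


class LockoutPolicy:
    """Model of the lockout-policy options on this page.

    deny, deny_admin, unlock_time and exclude mirror the CLI options; the
    class, its bookkeeping and the result strings are this example's own.
    """

    def __init__(self, deny=3, deny_admin=True, unlock_time=600,
                 exclude=("console",)):
        if not 3 <= deny <= 10:
            raise ValueError("deny must be 3-10")
        if not 10 <= unlock_time <= 1800:
            raise ValueError("unlock-time must be 10-1800 seconds")
        self.deny, self.deny_admin = deny, deny_admin
        self.unlock_time, self.exclude = unlock_time, set(exclude)
        self.failures = {}      # user -> deque of failure timestamps
        self.locked_until = {}  # user -> time at which the lockout expires

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def attempt(self, user, interface, credentials_ok, now):
        """Feed one login attempt; returns 'allowed', 'denied' or 'locked'."""
        if interface in self.exclude:  # excluded interface: never locked out
            return "allowed" if credentials_ok else "denied"
        if self.is_locked(user, now):
            return "locked"
        if credentials_ok:
            self.failures.pop(user, None)  # a success ends the failure run
            return "allowed"
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > WINDOW:  # only failures within 900 s count
            q.popleft()
        # assumption: the attempt that reaches the limit reports 'locked'
        if len(q) >= self.deny and (user != "admin" or self.deny_admin):
            self.locked_until[user] = now + self.unlock_time
            q.clear()
            return "locked"
        return "denied"

    def locked_users(self, now):
        """Counterpart of 'show lockout' in the admin-exec context."""
        return sorted(u for u, t in self.locked_until.items() if now < t)

    def reset(self, user):
        """Counterpart of 'lockout <username> reset' in the admin-exec context."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```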
[no] remote-server ID [type <radius | tacacs>]
- Description
  Create and manage remote authentication servers.
  Note: Enters a sub-configuration context.
- Options
  no - Remove a specific remote server if an ID is provided, otherwise remove
  all servers.
  ID - Id in the range 0-5; any other id is invalid.
  type - The type of remote server to create, either radius or tacacs. This
  setting can still be changed in the server configuration.
  encryption-type - The encryption type of the remote server. The available
  encryption types depend on the server type. For radius, peap-mschapv2 is
  available. For the rest it is none.
[no] server-group ID [type <radius | tacacs>]
- Description
  Create and manage server groups.
  Note: Enters a sub-configuration context.
- Options
  no - Remove a specific server group if an ID is provided, otherwise remove
  all server groups.
  ID - Id in the range 0-1; any other id is invalid.
  type - The type of server group to create, either radius or tacacs. This
  setting can still be changed in the server group configuration.
[no] login
- Description
  Manage the login method.
  Note: Enters a sub-configuration context.
- Options
  no - Remove any configured login method.
Built-in Account Settings
This section describes configuration of built-in accounts. Up to 16
built-in accounts are allowed. Only built-in accounts can have guest /
operator roles. An example of a built-in account that is always present
in factory configured system is admin.
example:/config/aaa/#> user admin
example:/config/aaa/user-admin/#>
[no] enable
- Description
  Enable or disable this user in the system. A user cannot disable themselves.
  Note: SSH authorized keys of a disabled user are removed and must be imported
  again upon enabling the user.
[no] password [alg ALG] secret PASSWORD
- Description
  Set the password in clear text and hash it using the given algorithm.
- Options
  ALG - md5, sha256 or sha512. By default md5crypt (md5) is used if no
  algorithm is given. If the password-policy option is set the password must
  meet the policy.
  PASSWORD - Password with the following allowed characters: ASCII 33-126
  (octal 041-176), max length 64 chars.
  no - Disable the password for the user. When issuing the ‘no password’
  command, password-based authentication is disabled, making it impossible to
  log in using a username and password. However, if SSH keys exist, you can
  still log in using them.
  Note: Please exercise caution when using ‘no password’, as it could
  potentially lock you out from the device if no other administrator accounts
  exist and no SSH keys are defined.
[no] hash HASH-STRING
- Description
  Set the user password in hash format.
  Note: When the password-policy option is enabled this option is disabled (see
  here).
- Options
  HASH-STRING - An arbitrary hash string. It should be used with caution. A
  cryptographically weak hash string will compromise the system's security.
  no - Disable the password for the user.
[no] role guest | operator | administrator
- Description
  Set the role of the user. The default role is administrator. There must be
  at least one administrator in the system.
- Options
  administrator - Has all privileges in the system. [Default]
  guest - Has only access to a restricted interface with limited read-only
  functionality.
  operator - Has access to an interface that is less restricted than the guest
  role but still limited in functionality.
[no] ssh-user-key import
- Description
  SSH user key management.
- Options
  import - Import authorized public keys. Enters an interactive mode for
  pasting the user's authorized public keys, one key per line, each key in
  the format used by OpenSSH, i.e.:
    <type-name> <base64-encoded-ssh-public-key> [comment]
    Example:
    ssh-rsa AAAAB3NzaC...G6KCGOnv user@host
    Notes:
    o This command overwrites any existing keys.
    o Imported key(s) are not checked for validity.
  no - Removes imported keys.
Examples:
For examples on how to create and manage built-in accounts see
Built-in Accounts
Local Database Settings
Configure a local database and enter its configuration context. When creating a
local database the ID must be a number from 0 to 4.
example:/config/aaa/#> local-db 0
Creating new local db 0
example:/config/aaa/local-db-0/#>
Syntax
[no] username NAME [password | hash] PASSWORD
- Description
  Add a user to this local database.
- Options
  no - Remove a specific user based on the provided NAME.
  NAME - The user to add, or whose password to change.
  PASSWORD - Password with the following allowed characters: ASCII 33-126
  (octal 041-176), max length 64 chars.
[no] description STRING
- Description
  Free form description of this local database.
- Options
  no - Remove any description.
  STRING - Free form text with a maximum length of 15 characters.
Remote Server Settings
Configure a remote server and enter its configuration context. When creating a
remote server the ID must be a number from 0 to 5.
example:/config/aaa/#> remote-server 0
Creating new remote server 0
example:/config/aaa/remote-server-0/#>
Syntax
[no] type <radius | tacacs>
- Description
  Set the remote server type to be either radius or tacacs.
- Options
  no - Reset the type to its default setting, radius.
[no] description STRING
- Description
  Free form description of this remote server.
- Options
  no - Remove any description.
  STRING - Free form text with a maximum length of 15 characters.
[no] address <IP | FQDN>
- Description
  Address of the remote server.
- Options
  no - Remove any configured address.
  IP - IP address in standard quad-dotted notation, e.g. 192.168.1.1.
  FQDN - A fully qualified domain name.
[no] password PASSWORD
- Description
  Password for the remote server.
- Options
  no - Remove the currently configured password.
  PASSWORD - Password with the following allowed characters: ASCII 33-126
  (octal 041-176), max length 64 chars.
[no] auth-port PORT
- Description
  Authentication port to connect to on the remote server.
- Options
  no - Use the default port for the selected type of server. For radius it is
  1812 and for tacacs it is 49.
  PORT - The port number to use.
Server Group Settings
Configure a server group and enter its configuration context. When creating a
server group the ID must be a number from 0 to 1.
example:/config/aaa/#> server-group 0
Creating new server group 0
example:/config/aaa/server-group-0/#>
Syntax
[no] type <radius | tacacs>
- Description
  Set the server type to be either radius or tacacs.
- Options
  no - Reset the type to its default setting, radius.
[no] description STRING
- Description
  Free form description of this server group.
- Options
  no - Remove any description.
  STRING - Free form text with a maximum length of 15 characters.
[no] server <ID|ID,ID,...>
- Description
  Remote server(s) to be part of the server group.
  Note: When using a server group for authentication, each server will be
  tested in order. If a response is received from any of the servers, the
  remaining ones in the group will not be tested.
- Options
  no - Remove any configured server IDs.
  ID - Id of a remote-server to be part of the server group.
Login Settings
Configure the login authentication method and enter its configuration context:
example:/config/aaa/#> login
example:/config/aaa/login/#>
Syntax
[no] method <group <GID>|server <ID>|local-db <ID>>
- Description
  Set the authentication method to be used for login requests on the device.
- Options
  no - Remove any configured authentication method.
  group - Set an existing server-group with the provided GID as the login
  authentication method.
  server - Set an existing remote-server with the provided ID as the login
  authentication method.
  local-db - Set an existing local-db with the provided ID as the login
  authentication method.
Password Compliance Policy Settings
The password compliance policy provides a way to check a password at creation time against a set of rules.
If the password compliance policy is enabled, the password will be checked for compliance when changing an existing user's password or adding a new user in the CLI or WebGUI.
Configure the password policy and enter its configuration context:
example:/config/aaa/#> password-policy
Activating password policy with default settings, type 'abort' to cancel.
example:/config/aaa/password-policy/#>
Syntax
[no] enable
- Description
  This setting controls whether the password compliance policy is enabled or
  disabled. Default is Disabled.
- Options
  no - Disable the password compliance policy.
min-length
- Description
  Set the password policy minimum length <8-64>. Default is 14.
- Options
  value - Minimum length of the password.
uppercases
- Description
  Specify the required number of uppercase letters <0-64>. Default is 0.
- Options
  value - Number of uppercase letters.
lowercases
- Description
  Specify the required number of lowercase letters <0-64>. Default is 0.
- Options
  value - Number of lowercase letters.
digits
- Description
  Specify the required number of digits <0-64>. Default is 0.
- Options
  value - Number of digits.
specials
- Description
  Specify the required number of special characters <0-64>. Default is 0.
- Options
  value - Number of special characters.
reject-username
- Description
  Enable/disable rejection of the username in the password. Default is
  Enabled. If enabled, the username, in any form, must not be part of the
  password.
- Options
  0 - Disabled
  1 - Enabled
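The following is an added checker that applies the policy settings above (min-length, uppercases, lowercases, digits, specials, reject-username) together with the password character rules stated elsewhere on this page (ASCII 33-126, at most 64 characters); it is example code written for this page, not the device's implementation. The page's defaults are used as defaults; the function name, the classification of "special" as any allowed non-alphanumeric character, and the reading of "in any form" as a case-insensitive match of the username or its reverse are this example's assumptions.

```python
import string

# Defaults taken from the CLI reference above; the dictionary keys reuse the
# CLI option names.
DEFAULT_POLICY = {
    "min-length": 14,
    "uppercases": 0,
    "lowercases": 0,
    "digits": 0,
    "specials": 0,
    "reject-username": 1,
}

# Allowed password characters per the page: ASCII 33-126, max 64 chars.
ALLOWED = {chr(c) for c in range(33, 127)}
MAX_LENGTH = 64


def check_password(password, username, policy=None):
    """Return a list of violations; an empty list means the password complies."""
    pol = dict(DEFAULT_POLICY, **(policy or {}))
    problems = []
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    bad = sorted(set(password) - ALLOWED)
    if bad:
        problems.append("disallowed characters: %r" % "".join(bad))
    if len(password) < pol["min-length"]:
        problems.append("shorter than min-length %d" % pol["min-length"])
    counts = {
        "uppercases": sum(c in string.ascii_uppercase for c in password),
        "lowercases": sum(c in string.ascii_lowercase for c in password),
        "digits": sum(c in string.digits for c in password),
        # assumption: a "special" is any allowed character that is not a letter
        # or digit
        "specials": sum(c in ALLOWED and not c.isalnum() for c in password),
    }
    for key, have in counts.items():
        if have < pol[key]:
            problems.append("needs at least %d %s, has %d" % (pol[key], key, have))
    # assumption: "in any form" means the username must not occur in the
    # password case-insensitively, forwards or reversed
    if pol["reject-username"]:
        low, user = password.lower(), username.lower()
        if user and (user in low or user[::-1] in low):
            problems.append("contains the username")
    return problems
```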
MAC auth group Settings
Configure a MAC auth group and enter its configuration context.
example:/config/#> aaa
example:/config/aaa/#> mac-auth 0
Creating new mac-auth group 0.
Remember, you need to reference it from a Port Access instance as well!
example:/config/aaa/mac-auth-0/#> mac match aa:bb:cc:dd:ee:ff description "My MAC match"
example:/config/aaa/mac-auth-0/#> leave
example:/config/#> leave
Syntax
[no] description STRING
- Description
  Free form description of this MAC auth group.
- Options
  no - Remove any description.
  STRING - Free form text with a maximum length of 15 characters.
[no] mac match <MAC-PATTERN> [description <STRING>]
- Description
  Create or delete an Ethernet MAC address pattern. A single MAC address can
  be specified in the format:
  hh:hh:hh:hh:hh:hh
- Options
  no - Remove MAC-PATTERN.
Status
Show any user currently connected to the device, and the authentication method
used when connecting to the device.
example:/#> show users
Console admin Wed Aug 14 08:47:02 2019
Show AAA status, same information as when in config mode.
example:/#> show aaa
Show local-db status, same information as when in config mode.
example:/#> show aaa local-db 1
Show local-db status for all databases.
example:/#> show aaa local-db