Authentication, Authorisation and Accounting

Introduction

Authentication, Authorization and Accounting (AAA) is an umbrella term referring to protocols and methods that can be used to handle and verify user access.

The three individual terms refer to who is allowed to access what device (Authentication), if access is granted what are the limitations of their available actions (authorization), and to recount what actions they performed (accounting).

For some use-cases utilizing the systems AAA options, refer to the following:

Overview

AAA in the system is separated into two different parts that are combined together. Firstly the system allows for setting up different types of AAA methods. Afterwards, the configured AAA method can be bound to various services in the system that have support for AAA methods. The best example of this is the login service.

Authentication Methods

The AAA framework in the system have support for a number of different AAA methods that are presented below:

  • Built-in Accounts: The only account present in a factory default system. As an example, the admin user is one such an account. Built-in accounts allow for defining per account authorization levels. For more information see Built-in Accounts HowTo.

  • Local Databases: Allows storing of credentials locally on the device, with no need for any external infrastructure. For more information see Local Databases HowTo.

  • Remote Servers: Centralized authentication on remote servers via RADIUS and TACACS+. For additional information see Remote Servers HowTo.

Services

The system currently supports AAA methods to be used for the following services:

Service Remote Server Local Database Built-in Accounts
Login X X
OpenVPN X X

Login Service

In order to authenticate the user the login service can be bound to the following methods:

  • Built-in Accounts (Implicit): The built-in login methods are implicit and are always last in the authentication chain. For more info see local-fallback.

  • Remote Server (Optional): The login method can be configured to use Remote Server as a login authentication method. If one of these methods are configured for the login service, it will be tried first at any login 7 attempt. The fallback in this situation would be the Built-in Accounts.

  • Local Database (Deprecated): The login method is possible in already configured legacy systems but is considered deprecated and no longer supported as authentication method for login service in newly configured systems.

OpenVPN

The systems AAA methods can be used to authenticate OpenVPN clients. The OpenVPN client will authenticate itself using a certificate, and optionally also via username and password. When using this option, a system acting as an OpenVPN Server, can either use a local database or a central server (or server group) to verify the client’s username and password.

For an example of how this can be done refer to this HowTo:

Authorization levels

A user should be granted the least possible privilege that allows performing that user’s task. This is realized by a light-weight Role Base Access Control (RBAC) that is available for built-in accounts.

The functionality available to the users is split into multiple areas called RBAC modules. For CLI, each command will belong to one of these modules. The RBAC modules are:

  • Device status for accessing the status of the device (show commands will mostly go here).

  • Audit trail for accessing the audit log functionality.

  • PKI for accessing Public Key Infrastructure functionality.

  • AAA for accessing Authentication, Authorization, and Accounting functionality.

  • Device config for accessing device configuration context.

  • Utils/tools for accessing utilities and tools (like ping, ssh, telnet etc).

  • Maintenance for accessing maintenance tools (like copy, export, diff etc).

  • Firmware management for accessing firmware management.

  • Factory reset for performing factory reset operation.

  • Shell access for accessing the Linux shell.

For each RBAC module, the following permissions are defined:

Permission Acronym Definition
view v View on screen
read r Download reports where available
write w Update data
executing e Execute a command
update u Change firmware
shell X Enter Linux shell

Currently six roles are available:

  • administrator who has all privileges in the system.

  • guest who only has access to a restricted CLI with limited read-only functionality. The guest role is deprecated and replaced by the viewer role.

  • viewer who has the permissions to view objects with-in the device and read values where applicable. Default role for new users.

  • operator who has permissions to read and view objects and values with-in the device and where applicable peform control actions and update firmware.

  • engineer who has permissions to view and read objects and values with-in the device and also to configure most functionality except some security features like AAA, PKI or audit logs.

  • auditor who only has access to a restricted CLI with read-only access to the audit logs.

Only built-in accounts can have roles. Each built-in account has only one role.

Role Remote Server Local Database Built-in Accounts
Administrator X X X
Guest X
Viewer X
Operator X
Engineer X
Auditor X

Each role will have a set of permissions on each RBAC module according to the following table:

Module Administrator Guest Viewer Operator Engineer Auditor
Device status vr v v vr vr v
Audit trail vrwe - - vr vr vr
PKI vrwe v v vr v vr
AAA vrwe v v vr vr vr
Device config vrwe - - vr vrwe -
Utils/tools vrwe - - vre vrwe -
Maintenance vrwe - - vre vrwe -
Firmware management vrweu - - vrweu vrweu -
Factory reset vrwe - - - - -
Shell access Xvw - - - - -

Configuration

The AAA configuration consists of a number of different areas, that have their settings configured inside a sub-menu. The AAA configuration consists of settings spread over a number of different context levels.

General Settings

The AAA can be configured from the configuration context in the CLI. This context contains the overall AAA configuration and access to all other AAA sub-contexts.

example:/#> configure
example:/config/#> aaa
example:/config/aaa/#>

Syntax

[no] user USERNAME

Create and mange a built-in account.

USERNAME
Name of a new or already existing built-in user account
no
Removes specified user
username NAME [password | hash] PASSWORD

Set the password for specific allowed users, like the admin user.

Warning

DEPRECATED: use user admin to enter user-admin context and

password from within that context.

NAME
The user to change the password for.
PASSWORD
Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.
[no] password-policy
Set password policy. For details read here.
[no] local-db ID [plain]

Create and manage local databases. Default type is ‘hash’ but the keyword ‘plain’ can be used to create a database that contains plain text passwords. The type can only be defined once when the local database is created, therefore the keyword is not available in the sub-configuration context.

Note

Enters a sub-configuration context.

no
Remove a specific local database if an ID is provided, otherwise remove all local databases.
ID
Id in the range 0-4, any other id will be invalid.
[no] lockout-policy

The lockout policy is a security feature that prevents unauthorized access to the system by locking out users who enter incorrect login credentials too many times. You can activate and configure the lockout policy in this sub-context.

enable
Enable/disable account lockouts
deny
Number of consecutive authentication failures until lockout of the user. Default number is 3 times. Allowed values are 3 - 10 times.
deny-admin
If this option is selected even the built-in admin ackount can be locked out. Default is yes (enabled).
unlock-time
Duration of the lockout (s). Default is 600 seconds (10 minutes). Allowed values are 10 - 1800 seconds.
[no] exclude <console>
Always allow logins over the selected interface. Currently only console is selectable.

Note

Lockout only happens if deny number of failed login attempts happens within 900 seconds. This value is currently hard-coded and not configurable.

Note

You can view the locked out users with the command show lockout in the admin-exec context and unlock a locked out user with the command lockout <username> reset in the same context.

[no] remote-server ID [type <radius | tacacs>

Create and manage remote authentication servers.

Note

Enters a sub-configuration context.

no
Remove a specific remote server if an ID is provided, otherwise remove all servers.
ID
Id in the range 0-5, any other id will be invalid.
type
The type of remote server to create, either radius or tacacs. This setting can still be changed in the server configuration.
encryption-type
The encryption-type of the remote server. Available encryption types is dependent on server type. For radius, peap-mschapv2 is available. For the rest it is none.
[no] server-group ID [type <radius | tacacs>

Create and manage server groups.

Note

Enters a sub-configuration context.
no
Remove a specific server group if an ID is provided, otherwise remove all server groups.
ID
Id in the range 0-1, any other id will be invalid.
type
The type of server group to create, either radius or tacacs. This setting can still be changed in the server group configuration.
[no] auth-chain

Manage the authentication chain.

Note

Enters a sub-configuration context.
no
Reset the authentication chain to defaults.

Built-in Account Settings

This section describes configuration of built-in accounts. Up to 16 built-in accounts are allowed. Only built-in accounts can have guest / operator / auditor roles. An example of a built-in account that is always present in factory configured system is admin.

example:/config/aaa/#> user admin
example:/config/aaa/user-admin/#>
[no] enable

Enable or disable this user in the system. A user cannot disable themselves.

Note

SSH Authorized Keys of a disabled user are removed and must be imported again upon enabling the user.

[no] password [expire] [alg ALG] secret PASSWORD

Set password in clear text and hash it using given algorithm.

expire
Expire password, forcing user to change it at next login.
ALG
md5, sha256 or sha512. By default md5crypt (md5) is used if no algorithm is given. If the password-policy option is set the password must meet the policy.
PASSWORD
Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.
no

Disable password for the user. When issuing ‘no password’ command password-based authentication is disabled, making it impossible to log in using a username and password. However, if SSH keys exist, you can still log in using them.

Note

Please exercise caution when using ‘no password’, as it could potentially lock you out from the device if no other administrator accounts exist and no SSH keys are defined.

[no] hash HASH-STRING

Set the user password in hash format.

Note

When the password-policy option is enabled this option is disabled (See here).

HASH-STRING
An arbitrary hash-string. It should be used with caution. A cryptographically weak hash-string will compromise the system’s security.
no
disable password for the user
[no] role viewer | guest | operator | administrator | engineer | auditor

Set role of the user. Default role is viewer. There must be at least one administrator in the system.

administrator
Has all privileges in the system.
viewer
Has permissions to view objects with-in the device and read values where applicable. [Default]
guest
Has only access to a restricted interface with limited read-only functionality. Deprecated, replaced by viewer.
operator
Has permissions to read and view objects and values with-in the device and where applicable perform control actions (e.g. reboot) and update firmware.
auditor
Can read audit logs and other audit relevant information.
engineer
Can perform most of the configuration, except security related parts like AAA, PKI, audit logs.
[no] ssh-user-key import

SSH user key management

import

Import authorized public keys. Enter an interactive mode for pasting user’s authorized public keys. One key per line, each key having format as used in OpenSSH i.e.:
<type-name> <base64-encoded-ssh-public-key> [comment]
Example:
ssh-rsa AAAAB3NzaC...G6KCGOnv user@host

Notes:
o This command overwrites any existing keys.
o Imported key(s) are not checked for validity.

no
Removes imported keys.

Examples:

For examples on how to create and manage built-in accounts see Built-in Accounts

Local Database Settings

Configure a local database and enter its configuration context. When creating a local database the ID must be a number from 0 to 4.

example:/config/aaa/#> local-db 0
Creating new local db 0
example:/config/aaa/local-db-0/#>

Syntax

[no] username NAME [password | hash] PASSWORD

Add a user to this local database.

no
Remove a specific user based on the provided NAME.
NAME
The user to change the password for.
PASSWORD
Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.
[no] description STRING

Free form description of this local database.

no
Remove any description.
STRING
Free form text with a maximum length of 15 characters.

Remote Server Settings

Configure a remote server and enter its configuration context. When creating a remote server the ID must be a number from 0 to 5.

example:/config/aaa/#> remote-server 0
Creating new remote server 0
example:/config/aaa/remote-server-0/#>

Syntax

[no] type <radius | tacacs>

Set the remote server type to be either radius or tacacs.

no
Reset the type to its default setting, radius.
[no] description STRING

Free form description of this remote server.

no
Remove any description.
STRING
Free form text with a maximum length of 15 characters.
[no] address <IP | FQDN>

Address of the remote server.

no
Remove and configured address.
IP
IP address in standard quad-dotted notation, e.g. 192.168.1.1.
FQDN
A fully qualified domain name.
[no] password PASSWORD

Password for remote server.

Note

May not be empty.

no
Remove the current configured password.
PASSWORD
Password with the following allowed characters: ASCII 33-126 (octal 041-176), max length 64 chars.
[no] auth-port PORT

Authentication port to connect to on remote server.

no
Use the default port for the selected type of server. For radius it is 1812 and for tacacs it is 49.
PORT
The port number to use.

Server Group Settings

Configure a server group and enter its configuration context. When creating a server group the ID must be a number from 0 to 1.

example:/config/aaa/#> server-group 0
Creating new server group 0
example:/config/aaa/server-group-0/#>

Syntax

[no] type <radius | tacacs>

Set the remote server type to be either radius or tacacs.

no
Reset the type to its default setting, radius.
[no] description STRING

Free form description of this server group.

no
Remove any description.
STRING
Free form text with a maximum length of 15 characters.
[no] server <ID|ID,ID,...>

Remote server(s) to be part of the server group.

Note

When using a server group for authentication each server will be tested in order. If a response is received from any of the servers the remaining ones in the group will not be tested.

no
Remove any configured server IDs.
ID
Id of a remote-server to be part of the server group.

Authentication Chain Settings

Configure the authentication chain and enter its configuration context:

example:/config/aaa/#> auth-chain
example:/config/aaa/auth-chain/#>

Syntax

Syntax: [no] order [..] Usage: Authentication chain order

[no] order [server-<SID>|group-<GID>] [..]

Set zero or more authentication methods to be used for login requests on the device. NOTE: Order matters

no
Remove any configured authentication methods.
server-
Use an existing remote-server with the provided SID in the chain.
group-
Use an existing server-group with the provided GID in the chain.
[no] on-reject next|deny

Dictates how the authentication chain behaves when an authentication method rejects the user credentials. NOTE: Admin accounts are always available over the serial console, regardless of on-reject and local-fallback settings.

no
Reset on-reject to the default value of next
next
When an authentication method rejects the users credentials: Try the next authentication method in order, or local-fallback if there are no more methods.
deny
When an authentication method rejects the users credentials: Deny the login attempt
[no] local-fallback never|serial|always

Acts as a last resort after all other methods fail to give a authorative answer. NOTE: Admin accounts are always available over the serial console, regardless of on-reject and local-fallback settings.

no
Reset local-fallback to the default value of always
never
Only admins accounts over the serial console work.
serial
Local accounts are used as a fallback when logging in over the serial console
always
Local accounts are used as a fallback

Password Compliance Policy Settings

Password compliance policy provides a way to check a password at creation time against a set of policies. If enabling the password compliance policy the password will be checked for compliance when changing an existing users password or adding a new user in the cli or webgui.

Configure the password policy and enter its configuration context:

example:/config/aaa/#> password-policy
Activating password policy with default settings, type 'abort' to cancel.
example:/config/aaa/password-policy/#>

Syntax

[no] enable

This setting controls if the password compliance policy is enabled or disabled. Default is Disabled.

no
Disable password compliance policy
min-length

Set password policy min length <8-64>. Default is 14.

value
Minimum length of password
uppercases

Specify number of uppercase letters <0-64>. Default is 0.

value
Number of uppercase letters
lowercases

Specify number of lowercase letters <0-64>. Default is 0.

value
Number of lowercase letters
digits

Specify number of digits <0-64>. Default is 0.

value
Number of digits
specials

Specify number of special characters <0-64>. Default is 0.

value
Number of special characters
reject-username

Enable/Disable reject username in password. Default is Enabled. If enabled the username, in any form, must not be part of the password.

0
Disabled
1
Enabled

MAC auth group Settings

Configure a MAC auth group and enter its configuration context.

example:/config/#> aaa
example:/config/aaa/#> mac-auth 0
Creating new mac-auth group 0.
Remember, you need to reference it from a Port Access instance as well!
example:/config/aaa/mac-auth-0/#> mac match aa:bb:cc:dd:ee:ff description "My MAC match"
example:/config/aaa/mac-auth-0/#> leave
example:/config/#> leave

Syntax

[no] description STRING

Free form description of this MAC auth group.

no
Remove any description.
STRING
Free form text with a maximum length of 15 characters.
[no] mac match <MAC-PATTERN> [description <STRING>]

Create or delete a Ethernet MAC address pattern.

A single MAC address can be specified in the format: hh:hh:hh:hh:hh:hh

no
Remove MAC-PATTERN

Status

Show any user currently connected to the device, and the authentication method used when connecting to the device.

example:/#> show users
TYPE    USERNAME            REMOTE HOST          LOGIN                        
Console admin                                    Wed Aug 14 08:47:02 2019

Show AAA status, same information as when in config mode.

example:/#> show aaa

Show local-db status, same information as when in config mode.

example:/#> show aaa local-db 1

Show local-db status for all databases.

example:/#> show aaa local-db