AAA - Login with Local Database HowTo

About

This document aims to show how to set up an AAA method in the system with Local Database, and how it is connected to the login service.

For an overview of all available configuration settings for AAA refer to the configuration guide:

Introduction

Configure

This section will cover how to configure a Local Database AAA method and how to connect it to the login service.

Local Database

Local user databases are useful for storing authentication credentials with no need for any external infrastructure. The lists consist of username and password pairs.

When a local database is created, a numeric ID is associated with it. Additionally, a description string may be associated with the instance to make it easier to remember its purpose, e.g., ‘maintainers’ for a local database of system maintainers.

The following example shows how to create a local-db method:

example:/#> configure
example:/config/#> aaa
example:/config/aaa/#> local-db 1
Creating new local db 1
example:/config/aaa/local-db-1/#> description maintainers
example:/config/aaa/local-db-1/#> username alice password AliceSecreT
example:/config/aaa/local-db-1/#> username bob hash $1$HTwvtaTw$l5X0AkyuFD1zqHK.QWr/x0
example:/config/aaa/local-db-1/#> end
example:/config/aaa/#>

Notes on the configuration:

  • The default type for local databases is ‘hash’. It only accepts passwords that are stored as hashes.

  • It is possible, as illustrated by user ‘bob’ in the example above, to enter hashes directly.

  • It is possible to store passwords in clear-text. In the example above, the command local-db 1 plain should be entered instead to create a local-db of type ‘plain’. In that case, using the keyword hash is not allowed and ‘bob’ must enter his clear-text password, username bob password BobSeCret.
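The default ‘hash’ type expects a pre-computed hash string such as the one entered for ‘bob’ above. The following Python example is added here and is not part of the original document or the device firmware: it implements MD5-crypt (the ‘$1$’ format bob's hash uses) with the standard library only, so an operator can generate a hash offline before entering it with the hash keyword, and can verify a stored string against a candidate password. It assumes the device accepts standard ‘$1$’ MD5-crypt strings, which the example's format suggests but the page does not state explicitly.

```python
import hashlib
import secrets

# Alphabet used by crypt(3)-style encoders, least significant 6 bits first.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Compute a $1$ MD5-crypt string (the format of the hash entered for 'bob')."""
    pw = password.encode()
    salt_b = salt[:8].encode()  # MD5-crypt uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for remaining in range(len(pw), 0, -16):  # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, remaining)])
    bit = len(pw)
    while bit:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 stretching rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # The 16 output bytes are interleaved in the order fixed by the original C code.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + enc


def new_hash(password: str) -> str:
    """Hash with a fresh random 8-character salt; paste the result after 'hash' in the CLI."""
    return md5crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))


def verify(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a stored $1$ string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False  # not an MD5-crypt string; a 'hash' type local-db would not accept it
    return secrets.compare_digest(md5crypt(candidate, parts[2]), stored)
```

The known-answer value in the test below is the "Hello world!" / "$1$saltstring" vector from the glibc crypt test suite, so the implementation can be checked before any hash is entered on a device.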

Attach to login service

In order to configure the login service to authenticate users logging in against a local-db, the ID of the created method needs to be supplied in the following manner:

example:/config/aaa/#> login
example:/config/aaa/login/#> method local-db 1
example:/config/aaa/login/#> end
example:/config/aaa/#>

Any login attempt to the device will try to authenticate against the local database. If the authentication fails, the device falls back to using the built-in accounts (e.g. the admin account).