ARISTA - AAA Commands
AAA Overview
AAA refers to three main components used for managing access control and monitoring on network devices:
- **Authentication**: Verifies the identity of users or devices attempting to connect.
- **Authorization**: Determines what authenticated users or devices are allowed to do.
- **Accounting**: Tracks what actions users or devices perform during a session.
Enabling AAA
To enable AAA on an Arista device, use the following command:
```
AAA configure
```
This command activates AAA functionality on the device. After this, you can configure individual AAA services.
Authentication Configuration
Authentication is used to verify the identity of a user or device. Arista devices support multiple authentication methods including local, RADIUS, and TACACS+.
Local Authentication
To configure local authentication for console access:
```
username admin privilege 15 secret MySecretPassword
line con 0
login local
```
Here, the `admin` user is created with privilege level 15 and a secret password. `login local` under `line con 0` applies local authentication to console access.
RADIUS Authentication
To configure RADIUS authentication:
```
radius-server host 192.168.1.100 key MyRadiusSecret
aaa authentication login default group radius local
```
In this example, users are authenticated against the RADIUS server at IP address `192.168.1.100`; if RADIUS is unavailable (the server does not answer, as opposed to rejecting the credentials), authentication falls back to the local user database.
TACACS+ Authentication
For TACACS+ authentication, the following configuration is used:
```
tacacs-server host 192.168.1.200 key MyTACACSSecret
aaa authentication login default group tacacs+ local
```
This sets up TACACS+ authentication against the server at IP address `192.168.1.200`, again with local authentication as the fallback.
Authorization Configuration
Authorization defines what authenticated users are permitted to do. You can configure authorization for command execution or for network services.
Command Authorization
To configure command authorization, use the following:
```
aaa authorization exec default group radius local
```
This command sets up authorization for exec (shell) sessions, using RADIUS as the primary source and falling back to local authorization if RADIUS is unavailable.
Network Authorization
To configure network access authorization:
```
aaa authorization network default group radius local
```
This command ensures that the device uses RADIUS for network access authorization, and falls back to local authorization if the RADIUS server is unreachable.
Accounting Configuration
Accounting is used to log information about user sessions, which can include login times, commands executed, and bytes transferred.
Enabling Accounting
To enable accounting for user logins and exec sessions:
```
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default start-stop group radius
```
These commands configure accounting for exec sessions and commands executed with privilege level 15. Accounting data will be sent to the configured RADIUS server.
Accounting for Network Sessions
To enable accounting for network sessions, use:
```
aaa accounting network default start-stop group radius
```
This command sends accounting information related to network access sessions to the RADIUS server.
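The authentication, authorization and accounting sections above each leave room for a configuration that looks complete but is weak: a method list ending in `none`, a `group radius` with no `radius-server host` behind it, a placeholder shared secret, or a `local` fallback with no local account to fall back to. The following script is an added example (not Arista code, and not an official audit tool) that reads an EOS-style configuration, one command per line, and reports those conditions. The sample configuration is constructed from the commands on this page, the `WEAK_KEYS` denylist is hypothetical, and only the built-in `radius` and `tacacs+` groups are resolved to servers.

```python
"""Static audit of an Arista-style AAA configuration (added example, not Arista code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    check: str     # stable identifier for the check that fired
    detail: str


# Hypothetical denylist: the placeholder secrets used on this page plus common defaults.
WEAK_KEYS = {"myradiussecret", "mytacacssecret", "secret", "password", "cisco", "arista"}
MIN_KEY_LEN = 16

# Constructed sample: the page's own commands, one per line, as in a running-config.
SAMPLE_CONFIG = """\
radius-server host 192.168.1.100 key MyRadiusSecret
tacacs-server host 192.168.1.200 key MyTACACSSecret
aaa authentication login default group tacacs+ local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default start-stop group radius
username admin privilege 15 secret MySecretPassword
"""


def _after(tokens, word):
    """Token following `word`, or None if `word` is absent or last."""
    if word in tokens and tokens.index(word) + 1 < len(tokens):
        return tokens[tokens.index(word) + 1]
    return None


def _parse_methods(tokens):
    """['start-stop', 'group', 'radius', 'local'] -> ['start-stop', 'group radius', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_aaa(config_text):
    findings = []
    servers = {"radius": [], "tacacs+": []}  # built-in groups only; named groups are not resolved
    local_admins = 0
    method_lists = {}                         # "authentication login" -> parsed method list
    for raw in config_text.splitlines():
        t = raw.strip().split()
        if not t or t[0] == "!":
            continue
        if t[0] in ("radius-server", "tacacs-server") and len(t) > 2 and t[1] == "host":
            proto = "radius" if t[0] == "radius-server" else "tacacs+"
            host, key = t[2], _after(t, "key")
            servers[proto].append(host)
            if key is None:
                findings.append(Finding("high", "server-no-key", f"{proto} server {host} has no shared secret"))
            elif key.lower() in WEAK_KEYS or len(key) < MIN_KEY_LEN:
                findings.append(Finding("medium", "server-weak-key", f"{proto} server {host} uses a weak or placeholder key"))
        elif t[0] == "username" and _after(t, "privilege") == "15":
            local_admins += 1
        elif t[0] == "aaa" and "default" in t:
            idx = t.index("default")
            method_lists[" ".join(t[1:idx])] = _parse_methods(t[idx + 1:])

    for kind, methods in method_lists.items():
        if "none" in methods:
            findings.append(Finding("high", "method-none", f"aaa {kind}: 'none' grants access with no check at all"))
        if not kind.startswith("accounting") and "local" not in methods:
            findings.append(Finding("medium", "no-local-fallback", f"aaa {kind}: no local fallback; unreachable servers lock out all logins"))
        if kind.startswith("accounting") and "start-stop" not in methods:
            findings.append(Finding("info", "accounting-not-start-stop", f"aaa {kind}: start-stop records both session start and end"))
        for m in methods:
            group = m[6:] if m.startswith("group ") else None
            if group in servers and not servers[group]:
                findings.append(Finding("high", "group-without-servers", f"aaa {kind} uses group {group} but no {group} server is configured"))
    if "authentication login" not in method_lists:
        findings.append(Finding("high", "no-login-auth", "no 'aaa authentication login default' method list"))
    if "accounting exec" not in method_lists or not any(k.startswith("accounting commands") for k in method_lists):
        findings.append(Finding("medium", "accounting-incomplete", "enable both exec and command accounting"))
    if any("local" in m for m in method_lists.values()) and local_admins == 0:
        findings.append(Finding("medium", "no-local-admin", "local fallback is configured but no privilege-15 local user exists"))
    return findings


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

Run against the sample, the only findings are the two placeholder shared secrets; the method lists themselves are sound because each one ends in `local` and both exec and command accounting use `start-stop`.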
Advanced AAA Commands
In addition to the basic AAA configurations, Arista provides commands for more advanced management of AAA services.
Defining AAA Server Groups
You can define multiple AAA servers and assign them to specific groups. For example:
```
radius-server host 192.168.1.100 key MyRadiusSecret group radius_group
tacacs-server host 192.168.1.200 key MyTACACSSecret group tacacs_group
```
This configuration defines two AAA servers: one for RADIUS and one for TACACS+, each in its own group.
AAA Command Timeout Configuration
To configure the timeout for AAA authentication, authorization, and accounting requests, use the following command:
```
aaa authentication login default timeout 30
```
This command sets a 30-second timeout for login authentication requests. Similar commands can be used for authorization and accounting timeouts.
AAA Server Deadtime Configuration
When an AAA server fails to respond, you can configure a deadtime for that server:
```
aaa server radius deadtime 60
```
This sets the deadtime to 60 seconds: after a server fails to respond, it is skipped for 60 seconds before being tried again, so later logins do not each wait out the full timeout.
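The interaction between the timeout, the deadtime and the `local` fallback is easiest to see by stepping through two logins against a server that never answers. The model below is an added example, not EOS's implementation: the `reply` callback stands in for the RADIUS or TACACS+ exchange, `FakeClock` replaces the real clock so the 30-second wait is simulated, and the local user table is a constructed plaintext dictionary. It shows the three points that matter operationally: a non-responding server costs the full timeout only once per deadtime window, an explicit reject never falls through to `local`, and a user absent from the local database is still rejected when every server is down.

```python
"""Model of a 'group radius local' method list with timeout and deadtime (added example)."""
import hmac
from dataclasses import dataclass


class FakeClock:
    """Simulated clock so the example runs instantly; real code would use time.monotonic()."""
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds


@dataclass
class AAAServer:
    host: str
    timeout: float           # seconds to wait for a reply before treating the server as failed
    deadtime: float          # seconds to skip the server after such a failure
    dead_until: float = 0.0  # clock value at which the server becomes eligible again


def authenticate(user, password, servers, local_users, reply, clock):
    """Walk the method list: each server in order, then local.

    reply(host, user, password) stands in for the AAA protocol exchange and returns
    'accept', 'reject' or None (no answer within the timeout). Only None moves on to the
    next method; an explicit reject ends the attempt and never falls through to local.
    Returns (result, trace) where trace records what happened at each step.
    """
    trace = []
    for srv in servers:
        if clock.now < srv.dead_until:
            trace.append(f"{srv.host}: skipped, dead for {srv.dead_until - clock.now:.0f}s more")
            continue
        answer = reply(srv.host, user, password)
        if answer is None:
            clock.sleep(srv.timeout)                    # waited the full timeout for nothing
            srv.dead_until = clock.now + srv.deadtime   # do not retry it during the deadtime
            trace.append(f"{srv.host}: no reply after {srv.timeout:.0f}s, dead for {srv.deadtime:.0f}s")
            continue
        trace.append(f"{srv.host}: {answer}")
        return answer, trace
    # Every server errored out: the 'local' method is consulted.
    stored = local_users.get(user)
    ok = stored is not None and hmac.compare_digest(stored, password)
    trace.append(f"local: {'accept' if ok else 'reject'}")
    return ("accept" if ok else "reject"), trace


def demo():
    """Two logins in a row against a silent server: only the first one waits 30 seconds."""
    clock = FakeClock()
    servers = [AAAServer("192.168.1.100", timeout=30, deadtime=60)]   # values from this page
    local_users = {"admin": "MySecretPassword"}  # constructed; plaintext only for the model
    silent = lambda host, user, pw: None         # server never answers
    first, trace1 = authenticate("admin", "MySecretPassword", servers, local_users, silent, clock)
    second, trace2 = authenticate("admin", "MySecretPassword", servers, local_users, silent, clock)
    return first, second, clock.now, trace1, trace2


if __name__ == "__main__":
    first, second, elapsed, trace1, trace2 = demo()
    print("first login:", first, trace1)
    print("second login:", second, trace2)
    print("simulated seconds spent waiting:", elapsed)
```

Without the deadtime (`deadtime=0`) the second login would wait another 30 seconds; with it, the dead server is skipped until the clock passes `dead_until`, after which it is probed again on the next login.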
AAA Debugging
To troubleshoot AAA configurations, use the following debugging commands:
```
debug aaa authentication
debug aaa authorization
debug aaa accounting
```
These commands enable debugging for each AAA service, allowing you to track and troubleshoot issues related to authentication, authorization, and accounting.
Useful Links
- [Arista Networks Official Documentation](https://www.arista.com/en/support)
- [AAA Overview on Cisco Docs](https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/71x/b-71x-security-cg/b-71x-security-cg_chapter_010.html)
- [RADIUS and TACACS+ Protocols Overview](https://www.techopedia.com/definition/22747/radius-remote-authentication-dial-in-user-service)
