Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

2026-01-17T07:10:01Z

Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

← Older revision		Revision as of 07:10, 17 January 2026
Line 1:		Line 1:
	[[Category:Wiki]]		[[Category:Wiki]]

			'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''


	== AAA Overview ==		== AAA Overview ==

Admin: Created page with "Category:Wiki == AAA Overview == AAA refers to three main components used for managing access control and monitoring on network devices: * Authentication: Verifies the identity of users or devices attempting to connect. * Authorization: Determines what authenticated users or devices are allowed to do. * Accounting: Tracks what actions users or devices perform during a session. == Enabling AAA == To enable AAA on an Arista device, use the following com..."

2025-12-14T16:31:42Z

Created page with "Category:Wiki == AAA Overview == AAA refers to three main components used for managing access control and monitoring on network devices: * **Authentication**: Verifies the identity of users or devices attempting to connect. * **Authorization**: Determines what authenticated users or devices are allowed to do. * **Accounting**: Tracks what actions users or devices perform during a session. == Enabling AAA == To enable AAA on an Arista device, use the following com..."

New page

[[Category:Wiki]]

== AAA Overview ==

AAA refers to three main components used for managing access control and monitoring on network devices:
* **Authentication**: Verifies the identity of users or devices attempting to connect.
* **Authorization**: Determines what authenticated users or devices are allowed to do.
* **Accounting**: Tracks what actions users or devices perform during a session.

== Enabling AAA ==

To enable AAA on an Arista device, use the following command:

<nowiki>
AAA configure</nowiki>

This command activates AAA functionality on the device. After this, you can configure individual AAA services.

== Authentication Configuration ==

Authentication is used to verify the identity of a user or device. Arista devices support multiple authentication methods including local, RADIUS, and TACACS+.

=== Local Authentication ===

To configure local authentication for console access:

<nowiki>
username admin privilege 15 secret MySecretPassword
line con 0
login local</nowiki>

Here, the `admin` user is created with privilege level 15 and a secret password. The `line con 0` command applies local authentication for console access.

=== RADIUS Authentication ===

To configure RADIUS authentication:

<nowiki>
radius-server host 192.168.1.100 key MyRadiusSecret
aaa authentication login default group radius local</nowiki>

In this example, RADIUS authentication is set up to authenticate users with the RADIUS server at IP address `192.168.1.100`, and if RADIUS is unavailable, it falls back to local authentication.

=== TACACS+ Authentication ===

For TACACS+ authentication, the following configuration is used:

<nowiki>
tacacs-server host 192.168.1.200 key MyTACACSSecret
aaa authentication login default group tacacs+ local</nowiki>

This sets up TACACS+ authentication, where the server is at IP address `192.168.1.200`.

== Authorization Configuration ==

Authorization defines what authenticated users are permitted to do. You can configure authorization for command execution or for network services.

=== Command Authorization ===

To configure command authorization, use the following:

<nowiki>
aaa authorization exec default group radius local</nowiki>

This command sets up authorization for exec commands, using RADIUS as the primary source and falling back to local authorization if RADIUS is unavailable.

=== Network Authorization ===

To configure network access authorization:

<nowiki>
aaa authorization network default group radius local</nowiki>

This command ensures that the device uses RADIUS for network access authorization, and falls back to local authorization if the RADIUS server is unreachable.

== Accounting Configuration ==

Accounting is used to log information about user sessions, which can include login times, commands executed, and bytes transferred.

=== Enabling Accounting ===

To enable accounting for user logins and exec sessions:

<nowiki>
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default start-stop group radius</nowiki>

These commands configure accounting for exec sessions and commands executed with privilege level 15. Accounting data will be sent to the configured RADIUS server.

=== Accounting for Network Sessions ===

To enable accounting for network sessions, use:

<nowiki>
aaa accounting network default start-stop group radius</nowiki>

This command sends accounting information related to network access sessions to the RADIUS server.

== Advanced AAA Commands ==

In addition to the basic AAA configurations, Arista provides commands for more advanced management of AAA services.

=== Defining AAA Server Groups ===

You can define multiple AAA servers and assign them to specific groups. For example:

<nowiki>
radius-server host 192.168.1.100 key MyRadiusSecret group radius_group
tacacs-server host 192.168.1.200 key MyTACACSSecret group tacacs_group</nowiki>

This configuration defines two AAA servers: one for RADIUS and one for TACACS+, each in its own group.

=== AAA Command Timeout Configuration ===

To configure the timeout for AAA authentication, authorization, and accounting requests, use the following command:

<nowiki>
aaa authentication login default timeout 30</nowiki>

This command sets a 30-second timeout for login authentication requests. Similar commands can be used for authorization and accounting timeouts.

=== AAA Server Deadtime Configuration ===

In case of a failed AAA server response, you can configure the deadtime for that server:

<nowiki>
aaa server radius deadtime 60</nowiki>

This sets the deadtime to 60 seconds, during which the server will not be queried if it fails.

== AAA Debugging ==

To troubleshoot AAA configurations, use the following debugging commands:

<nowiki>
debug aaa authentication
debug aaa authorization
debug aaa accounting</nowiki>

These commands enable debugging for each AAA service, allowing you to track and troubleshoot issues related to authentication, authorization, and accounting.

== Useful Links ==

* [Arista Networks Official Documentation](https://www.arista.com/en/support)
* [AAA Overview on Cisco Docs](https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/71x/b-71x-security-cg/b-71x-security-cg_chapter_010.html)
* [AAA Configuration Guide - Cisco](https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/71x/b-71x-security-cg/b-71x-security-cg_chapter_010.html)
* [RADIUS and TACACS+ Protocols Overview](https://www.techopedia.com/definition/22747/radius-remote-authentication-dial-in-user-service)

ARISTA - AAA Commands - Revision history

Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "