Authentication, Authorization and Accounting - FAQ

1. What is AAA in SONiC?

A: AAA stands for Authentication (who may log in), Authorization (what they may do once logged in) and Accounting (what is recorded about their session). It is the framework SONiC uses to control management access to the switch.

2. How is AAA fail-through configured in SONiC?

A: Use aaa authentication failthrough enable in configuration mode to enable fail-through; aaa authentication failthrough disable turns it off again.

3. What does the aaa authentication failthrough command do?

A: It controls what happens when a method in the login list explicitly rejects the user. With fail-through enabled, a rejection falls through to the next method in the list (for example local after tacacs+). With it disabled, the next method is tried only when the server does not respond, and an explicit rejection ends the login attempt. Note the trade-off: with fail-through enabled, a password rejected by the central server can still succeed against the local database, so keep local accounts to a minimum and give them strong passwords.

4. What is the default authentication method for the SONiC console?

A: By default, console login uses local authentication.

5. How do I set up login authentication for console access in SONiC?

A: Use aaa authentication login console local to configure console authentication.

6. How do I configure TACACS+ as the primary login authentication method?

A: Use aaa authentication login default group tacacs+ local in configuration mode. TACACS+ is tried first and local second.

7. What does aaa authorization commands default configure?

A: It sets the command authorization method list. With aaa authorization commands default group tacacs+, each command the user enters is sent to the TACACS+ server, which permits or denies it before the command runs.

8. How do I add a group in AAA for LDAP services?

A: Use aaa name-service group group ldap in configuration mode.

9. What happens if TACACS+ fails during login authentication?

A: If failthrough is enabled, SONiC will attempt the next method, like local authentication.

10. What is the purpose of aaa authorization login default?

A: It sets the default login authorization method list, for example aaa authorization login default group ldap to have LDAP authorize users at login.

11. How can I add multiple authentication methods for login?

A: Use aaa authentication login default group tacacs+ local to specify multiple methods.

12. Is it possible to configure both LDAP and local for login?

A: Yes, use aaa authentication login default group ldap local to chain methods.

13. How do I disable console login authentication?

A: Use no aaa authentication login console local to remove the console-specific method list. This does not make the console passwordless: the console then reverts to the default login method list (aaa authentication login default). Because the console is the recovery path when remote AAA servers are unreachable, keep local in that default list or keep a console-specific local entry.

14. How do I configure an LDAP group for netgroup services in AAA?

A: Use aaa name-service netgroup group ldap in configuration mode.

15. What does aaa name-service shadow configure in AAA?

A: With aaa name-service shadow group ldap, the shadow name service (password hashes and password-aging attributes) is looked up in LDAP instead of only the local /etc/shadow.

16. How do I set up the sudoers service for AAA?

A: Use aaa name-service sudoers group ldap to configure sudoers in AAA via LDAP.

17. Can I use both TACACS+ and local for command authorization?

A: Yes, use aaa authorization commands default group tacacs+ local.

18. How do I verify current AAA authentication configurations?

A: Use show aaa to display the current AAA settings.

19. What does the aaa server radius dynamic-author command do?

A: It enables the Dynamic Authorization Server (DAS) for RADIUS (RFC 5176), so the RADIUS server can push Change-of-Authorization (CoA) or Disconnect requests to the switch for an existing session, rather than only answering at login time.

20. How can I configure the RADIUS server for dynamic authorization?

A: Use aaa server radius dynamic-author in the RADIUS configuration mode.

21. How can AAA services be disabled?

A: Use no before the AAA command you want to disable.

22. What does aaa name-service passwd group ldap configure?

A: It sets the password service to use an LDAP group.

23. How is fail-through handled when multiple groups are defined?

A: Methods are tried in the order listed. When a server is unreachable, SONiC always moves on to the next method. When a server answers with a rejection, SONiC moves on only if aaa authentication failthrough enable is set; otherwise the rejection is final and the login fails. Put local last so it acts as a fallback rather than a bypass.

24. How do I configure RADIUS authentication with a local fallback?

A: Use aaa authentication login default group radius local.
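The following is an added worked example, not part of the original FAQ or Broadcom's documentation. It puts Q6, Q7, Q9, Q17, Q23 and Q24 together into one TACACS+ deployment with local fallback and command authorization, then verifies it with show aaa. Lines beginning with ! are annotations. The tacacs-server host command, the address 192.0.2.10 and the shared key are assumptions for illustration; the aaa commands themselves are the ones quoted in this FAQ.

```console
sonic# configure terminal
! TACACS+ server definition (assumed syntax, address and key for this example)
sonic(config)# tacacs-server host 192.0.2.10 key tacacs-shared-secret
! Login: TACACS+ first, local last so it is a fallback rather than a bypass
sonic(config)# aaa authentication login default group tacacs+ local
! Enable fail-through only if you accept that a password rejected by
! TACACS+ is then retried against the local database
sonic(config)# aaa authentication failthrough enable
! Console stays local so the box remains reachable if TACACS+ is unreachable
sonic(config)# aaa authentication login console local
! Every command is sent to TACACS+ for permit/deny; local is used when
! no TACACS+ server answers
sonic(config)# aaa authorization commands default group tacacs+ local
sonic(config)# exit
! Verify the resulting method lists before closing the session you configured from
sonic# show aaa
```

Keep an already-authenticated session open while applying this and log in from a second session to confirm TACACS+ works; if the server is unreachable or the key is wrong, the local entry at the end of the list is what keeps you from being locked out.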

25. Can AAA support both local and LDAP simultaneously?

A: Yes, it can be configured to try both local and LDAP methods.

26. How do I reset AAA configurations?

A: Use no before the specific AAA configuration command to reset it.

27. How is the sudoers service configured for local authorization?

A: Use aaa name-service sudoers local.

28. How do I configure LDAP as the default login method?

A: Use aaa authentication login default group ldap.

29. What does aaa authorization login default do in LDAP?

A: aaa authorization login default group ldap sets the login authorization method list to LDAP, so LDAP decides whether an already-authenticated user is allowed to log in.

30. How can I remove the configuration of the RADIUS server for dynamic authorization?

A: Use no aaa server radius dynamic-author in the RADIUS configuration mode.

31. What happens if all AAA methods fail?

A: If all configured methods fail, access is denied.

32. How do I configure the shadow password service in AAA?

A: Use aaa name-service shadow group ldap to resolve the shadow password database (password hashes and aging fields) from LDAP.

33. What is aaa name-service shadow in LDAP used for?

A: It sets the shadow password service to LDAP.

34. How can I set up AAA authorization for multiple user levels?

A: Use aaa authorization commands default group tacacs+ local. The per-user level is not defined on the switch: the TACACS+ server returns each user's privilege level and decides per command, so different user levels are expressed in the server's policy.

35. Is it possible to configure AAA on a per-user basis?

A: AAA method lists apply globally to the switch, not per user. Per-user differences (role, permitted commands) come from the user's entry on the TACACS+, RADIUS or LDAP server.

36. How do I verify the AAA authorization configuration?

A: Use show aaa authorization to view the current authorization setup.

37. Can AAA be configured only for specific commands?

A: The method list applies to all commands. Once aaa authorization commands default group tacacs+ is configured, every command is sent to the TACACS+ server, and the per-command permit or deny for that user is decided by the server's policy, not by the switch.

38. How do I assign local as the final fallback for all AAA methods?

A: Place local at the end of the method chain in aaa authentication login default.

39. What happens if no authentication method is configured?

A: SONiC defaults to local authentication.

40. How do I test AAA configurations?

A: Log in with a test account, or use a RADIUS/TACACS+ simulator. Test from a second session while keeping an already-authenticated console or SSH session open, and keep local in the method list until the remote server is confirmed working, so a misconfiguration does not lock you out.

41. What does the aaa name-service command do?

A: It configures services like passwd and shadow to use LDAP or other name services.
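The following is an added worked example, not part of the original FAQ or Broadcom's documentation. It combines the LDAP name-service questions (Q8, Q14, Q15, Q16, Q22, Q41) with LDAP login (Q12, Q28, Q29) so that users, password hashes, groups, netgroups and sudo rules all come from the directory. Lines beginning with ! are annotations. The ldap-server commands, the address 192.0.2.20 and the base DN are assumptions for illustration; the aaa commands are the ones quoted in this FAQ.

```console
sonic# configure terminal
! LDAP server definition (assumed syntax, address and base DN for this example)
sonic(config)# ldap-server host 192.0.2.20
sonic(config)# ldap-server base dc=example,dc=com
! NSS lookups: user entries, password hashes, groups, netgroups and sudo rules from LDAP
sonic(config)# aaa name-service passwd group ldap
sonic(config)# aaa name-service shadow group ldap
sonic(config)# aaa name-service group group ldap
sonic(config)# aaa name-service netgroup group ldap
sonic(config)# aaa name-service sudoers group ldap
! Login: LDAP first, local as fallback. Fail-through is left disabled, so a
! password rejected by LDAP is final, but local still works when LDAP is unreachable
sonic(config)# aaa authentication login default group ldap local
sonic(config)# aaa authorization login default group ldap
sonic(config)# exit
sonic# show aaa
```

With fail-through disabled, the local entry only serves as a recovery path when the LDAP server does not answer; a wrong password is not retried against the local database.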

42. How can I view statistics for dynamic authorization in RADIUS?

A: The command show radius-server dynamic-author statistics shows detailed DAS statistics.

43. How do I clear the statistics for a RADIUS dynamic authorization server?

A: Use clear radius-server dynamic-author statistics to reset DAS counters.

44. How do I clear the statistics for a RADIUS server?

A: Use clear radius-server statistics.

45. What is the syntax to remove a RADIUS server client?

A: In RADIUS dynamic-author configuration mode, use no client <hostname_or_ipaddr> to remove a DAS client, i.e. a RADIUS server that was permitted to send CoA or Disconnect requests to the switch.

46. How can I set the session timeout for login?

A: Use login exec-timeout <time> to define the timeout period for login sessions.

47. How do I limit login attempts before lockout?

A: Configure login lockout max-retries <limit> to set the retry limit.

48. How can I specify minimum password length requirements?

A: Use login password-attribute min-length <length> to set a password length requirement.

49. How do I configure password complexity requirements in AAA?

A: Use login password-attribute character-restriction with options for uppercase, lowercase, numeric, or special characters.

50. How can I set the maximum number of login retries for AAA in SONiC?

A: Use the command login lockout max-retries <limit> to configure the maximum number of unsuccessful login attempts before the account is temporarily locked.
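The following is an added worked example, not part of the original FAQ or Broadcom's documentation. It applies Q46 to Q50 as one local-account hardening step, which matters most when local is kept as the fallback method behind TACACS+, RADIUS or LDAP, since the local database is what an attacker is reduced to guessing against. Lines beginning with ! are annotations. The specific values, the unit of login exec-timeout and the keyword and count form of the character-restriction options are assumptions for illustration; the command names are the ones quoted in this FAQ.

```console
sonic# configure terminal
! Lock the account after 5 consecutive failed logins (value chosen for this example)
sonic(config)# login lockout max-retries 5
! Close idle sessions after 10 (unit assumed to be minutes)
sonic(config)# login exec-timeout 10
! Password policy for local accounts: length first, then character classes
sonic(config)# login password-attribute min-length 14
! Keyword and count syntax assumed; the FAQ lists the four classes only
sonic(config)# login password-attribute character-restriction upper 1
sonic(config)# login password-attribute character-restriction lower 1
sonic(config)# login password-attribute character-restriction numeric 1
sonic(config)# login password-attribute character-restriction special-char 1
sonic(config)# exit
sonic# show aaa
```

Set the lockout limit before exposing the fallback account, and verify from a second session that an existing admin session is not affected before closing the one you configured from.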
