Configuration Notes of AAA


When configuring AAA on a device, pay attention to the following points:

  •  TACACS+ and RADIUS cannot be used at the same time. If both are enabled, TACACS+ takes effect and RADIUS is ignored.

  •  LDAP and TACACS+/RADIUS are mutually exclusive; they cannot be configured or used at the same time.

  •  When AAA is enabled, users authenticate against the AAA server to gain access to the NAS (the switch). Make sure that communication between the NAS and the AAA server is working.

  •  If the local admin/root/operator account names are also used with TACACS+, TACACS+ authorization is ignored for those accounts and the local account policy takes precedence.

  •  For AAA server redundancy, multiple remote AAA servers can be configured, but only one server is used at any given time. TACACS+ and RADIUS differ in how that server is selected:

    • If validation on one TACACS+ server fails, the device automatically switches to the other reachable TACACS+ servers.

    • Only the RADIUS server with the smallest IP address is used for validation. If validation on that server fails, the device does not fall back to the other reachable RADIUS servers.

  •  When the AAA server becomes unreachable, users who have already logged in are dropped from the CLI to the Linux shell as soon as they execute a CLI command that requires authorization.

  •  If the shared key configured on the device does not match the one on the TACACS+/RADIUS server:

    • For RADIUS, the server is treated as unreachable.

    • For TACACS+, the server is treated as reachable, but authentication fails.

  • When any AAA RADIUS/TACACS+ setting is changed (for example, the IP address of the current TACACS+ server), the new setting takes effect only for users who log in to the CLI afterwards.

  • In the current PICOS release, LDAP cannot be enabled together with RADIUS/TACACS+ (both disabled by default). Do not enable RADIUS or TACACS+ if LDAP is to be enabled.

  • Before enabling LDAP, make sure that the LDAP server is working properly.

  • Currently, a maximum of two server IPs can be configured for LDAP authentication.

  • If there are two active servers, the one that is configured first takes effect.

  • The LDAP server IP, base DN and "disable false" settings must all be configured, or the LDAP service will not start.

  • Parameters configured through the LDAP CLI cannot be changed in the nslcd.conf file. We recommend modifying parameters through the CLI; edit nslcd.conf directly only if necessary.

  • In the current release, LDAP user names are case-sensitive and must be spelled exactly as on the LDAP server. For example, if the user is configured as ABC on the LDAP server, logging in as ABC works, while abc does not.

  • LDAP users cannot have the same UID as local users.

  • We recommend that fewer than 16 LDAP users be logged in to the switch at the same time.

  • When switching between the management VRF and the default VRF, the two set commands (or the two delete commands) must be executed together:

    set system management-vrf enable true
    set system aaa ldap vrf mgmt-vrf

Or

    delete system management-vrf enable true
    delete system aaa ldap vrf mgmt-vrf
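To illustrate the server redundancy and LDAP prerequisite notes above, here is an added Python example (not Pica8 code) that checks a constructed AAA configuration against those rules and reports which remote server would actually be used. The dict field names and the numeric interpretation of "smallest IP address" are assumptions for this example.

```python
import ipaddress

# Constructed example: a plain dict standing in for the switch's AAA settings.
# The field names are assumptions for this example, not PICOS CLI syntax.
EXAMPLE_CONFIG = {
    "tacacs_enabled": True,
    "radius_enabled": True,
    "ldap_enabled": False,
    "tacacs_servers": ["10.0.1.5", "10.0.1.6"],
    "radius_servers": ["10.0.0.20", "10.0.0.3", "10.0.0.100"],
    "ldap_servers": [],
    "ldap_base_dn": "",
    "ldap_disable": True,
    "management_vrf": True,
    "ldap_vrf": "",
}

def lint_aaa(cfg):
    """Return findings for settings that violate the configuration notes."""
    findings = []
    if cfg["tacacs_enabled"] and cfg["radius_enabled"]:
        findings.append("TACACS+ and RADIUS both enabled: only TACACS+ is used")
    if cfg["ldap_enabled"]:
        if cfg["tacacs_enabled"] or cfg["radius_enabled"]:
            findings.append("LDAP cannot be enabled together with TACACS+/RADIUS")
        if len(cfg["ldap_servers"]) > 2:
            findings.append("at most two LDAP server IPs are supported")
        if not cfg["ldap_servers"] or not cfg["ldap_base_dn"] or cfg["ldap_disable"]:
            findings.append("LDAP needs server IP, base DN and disable false to start")
        # management-vrf and the LDAP vrf must be set or deleted together.
        if cfg["management_vrf"] != (cfg["ldap_vrf"] == "mgmt-vrf"):
            findings.append("management-vrf and LDAP vrf settings are out of step")
    return findings

def effective_servers(cfg):
    """Which remote server(s) are actually tried, per the redundancy rules."""
    if cfg["tacacs_enabled"]:
        # TACACS+ wins over RADIUS and fails over through the configured list.
        return ("tacacs+", list(cfg["tacacs_servers"]))
    if cfg["radius_enabled"]:
        # Only the smallest RADIUS address is used, with no failover. Comparing
        # numerically (assumed) picks 10.0.0.3, not the string-minimum 10.0.0.100.
        return ("radius", [min(cfg["radius_servers"], key=ipaddress.ip_address)])
    if cfg["ldap_enabled"]:
        # With two LDAP servers, the one configured first takes effect.
        return ("ldap", cfg["ldap_servers"][:1])
    return ("local", [])
```

Run lint_aaa before committing a change and compare effective_servers against the server you expect to be answering; a RADIUS deployment that relies on a second server for failover will not behave as intended.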

NOTE:

Online users who have already passed AAA authentication and logged in are not affected by changed configurations. If a user logs out and logs in again, the system uses the new configuration for AAA authentication.


Copyright © 2024 Pica8 Inc. All Rights Reserved.