This tutorial demonstrates the onePK AAA (Authentication, Authorization, and Accounting) Service Set. The AAA Service Set provides AAA client functionality to onePK applications.
You will learn how to authenticate a user, how to read the user's authorization attributes configured on the AAA server, and how to send accounting requests to the AAA server.
The code used in this tutorial is located under <SDK Location>/python/tutorials/aaa.
These steps assume the application can connect properly to a network element. Please see the Connecting to a Network Element tutorial for information on how to make the initial connection.
The AAA server must first be configured with the necessary users and user authorization profiles for the application. The network element which the application connects to must also be configured to use the AAA server. For detailed steps on how to accomplish this, please see AAA Configuration.
In order for a user to be granted application-specific authorization, the application name specified here must match the application name in the attributes configured on the AAA server. It is important to use a name that uniquely identifies the application. AAA service set APIs require an established connection to the network element.
For more information on setting the application name and connecting to the network element, please see the Connecting to a Network Element tutorial.
```python
tutorial.connect("com.cisco.onep.tutorials.aaa.AAATutorial")
```
Instantiate a User that holds an AAA user's attributes. The AAA user is associated with one network element, and the association can be changed using set_network_element(). The AAA user must authenticate to the AAA server prior to using other AAA services. During authentication, the application can supply an optional list of attributes if required by the AAA server.
```python
aaaUser = User(tutorial.network_element, tutorial.username, tutorial.password)

# Authenticate without supplying any additional attributes.
aaaAttributeList = aaaUser.authenticate(None)
```
We can get information about the AAA server that served the last request using this API.
```python
server = aaaUser.server
logger.info("IP address: " + server.address)
logger.info("Protocol: " + server.protocol)
```
After successfully authenticating, authorization and accounting services may be accessed. If you are interested in using these services, read on. Otherwise, you may skip to the end of the tutorial.
Accounting records may be sent manually unless auto-accounting is enabled for the user.
```python
if aaaUser.is_auto_acct_enabled:
    logger.info("Auto-accounting is enabled.")
else:
    logger.info("Auto-accounting is not enabled.")

try:
    aaaUser.send_accounting_record(
        User.OnepAAAAcctAction.ONEP_AAA_ACCT_ACTION_START, None)
except OnepException as e:
    logger.error(e)
```
Allowed actions are returned separately from the authorization profile. Here, we check whether the user is allowed to perform the requested action.
```python
# nextLine holds the action the user typed in the tutorial's command loop;
# this check runs inside that loop, so "continue" skips to the next command.
if not aaaUser.is_action_authorized(nextLine):
    print("You are not allowed to perform this action.")
    continue
```
If the AAA server is configured with app-specific attributes, we can get them from the authorization profile. Here, we read the app attribute "custom" from the attribute list.
```python
if nextLine == "custom":
    for attribute in aaaAttributeList:
        if (attribute.type_ == OnepAAAAttributeType.ONEP_AAA_AT_APP_ATTR
                and attribute.name == "aaa-tutorial-custom"
                and isinstance(attribute, StringAttribute)):
            # Print the message for the custom action.
            print("You " + attribute.str_value)
            break
    else:
        # for/else: this branch runs only if the loop finished without a break.
        print("Custom action not found.")
    continue
```
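The attribute-list walk above, lifted into a helper as an added example (not code from the onePK SDK or this tutorial). It returns the app-specific string value or None and makes the cases the for/else hides explicit: a same-named attribute of the wrong type, a non-app attribute, and an empty profile. The onep classes are not importable offline, so the stand-ins below are constructed here and only mimic the field names the tutorial uses (type_, name, str_value); with the real SDK you would pass the list returned by authenticate() plus OnepAAAAttributeType.ONEP_AAA_AT_APP_ATTR and StringAttribute as the last two arguments.

```python
class OnepAAAAttributeType(object):
    # Constructed stand-in for the SDK enum; the values are arbitrary.
    ONEP_AAA_AT_APP_ATTR = "app-attr"
    ONEP_AAA_AT_GENERIC = "generic"

class Attribute(object):
    def __init__(self, type_, name):
        self.type_ = type_
        self.name = name

class StringAttribute(Attribute):
    def __init__(self, type_, name, str_value):
        super(StringAttribute, self).__init__(type_, name)
        self.str_value = str_value

class IntAttribute(Attribute):
    def __init__(self, type_, name, int_value):
        super(IntAttribute, self).__init__(type_, name)
        self.int_value = int_value

def find_app_string_attribute(attribute_list, name,
                              app_type=OnepAAAAttributeType.ONEP_AAA_AT_APP_ATTR,
                              string_cls=StringAttribute):
    """Return the str_value of the first app attribute called `name`, or None.

    A name match alone is not enough: the attribute must also be of app type
    and a string attribute, so a misconfigured or unrelated attribute with the
    same name is never mistaken for the expected authorization value."""
    for attribute in attribute_list or []:   # authenticate() may hand back None
        if (attribute.type_ == app_type and attribute.name == name
                and isinstance(attribute, string_cls)):
            return attribute.str_value
    return None

# Constructed sample profile: two decoys first (wrong type, then wrong attribute
# kind), then the attribute the tutorial actually looks for.
APP = OnepAAAAttributeType.ONEP_AAA_AT_APP_ATTR
GENERIC = OnepAAAAttributeType.ONEP_AAA_AT_GENERIC
SAMPLE_PROFILE = [
    IntAttribute(APP, "aaa-tutorial-custom", 1),
    StringAttribute(GENERIC, "aaa-tutorial-custom", "decoy"),
    StringAttribute(APP, "aaa-tutorial-custom", "may run the custom action."),
]

if __name__ == "__main__":
    value = find_app_string_attribute(SAMPLE_PROFILE, "aaa-tutorial-custom")
    print("You " + value if value else "Custom action not found.")
```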
When auto-accounting is enabled, accounting stops when the application disconnects from the network element. Otherwise, the application can manually send a "stop" request.
```python
aaaUser.send_accounting_record(
    User.OnepAAAAcctAction.ONEP_AAA_ACCT_ACTION_STOP, None)
```
Congratulations! You have authenticated a user with an AAA server, read the user's authorization profile attributes, and sent accounting requests to the AAA server.
To try out this tutorial code by running it, you can find it located at: <SDK Location>/python/tutorials/aaa/.