Goal

This tutorial demonstrates the onePK AAA (Authentication, Authorization, and Accounting) Service Set. The AAA Service Set provides AAA client functionality to onePK applications.

You will learn how to authenticate a user, how to read the user's authorization attributes configured on the AAA server, and how to send accounting requests to the AAA server.

Tutorial Code

The code used in this tutorial is located under <SDK Location>/python/tutorials/aaa.

Requirements/Prerequisites

These steps assume the application can connect properly to a network element. Please see the Connecting to a Network Element tutorial for information on how to make the initial connection.

The AAA server must first be configured with the necessary users and user authorization profiles for the application. The network element which the application connects to must also be configured to use the AAA server. For detailed steps on how to accomplish this, please see AAA Configuration.

Steps In Detail

Identifying the Application for Authorization

In order for a user to be granted application-specific authorization, the application name specified here must match the application name in the attributes configured on the AAA server. It is important to use a name that uniquely identifies the application. AAA service set APIs require an established connection to the network element.

For more information on setting the application name and connecting to the network element, please see the Connecting to a Network Element tutorial.

tutorial.connect("com.cisco.onep.tutorials.aaa.AAATutorial")

Instantiating and Authenticating a User

Instantiate a User that holds an AAA user's attributes. The AAA user is associated with one network element, and the association can be changed using set_network_element(). The AAA user must authenticate to the AAA server before any other AAA service is used. During authentication, the application can supply an optional list of attributes if the AAA server requires them.

aaaUser = User(tutorial.network_element,
               tutorial.username,
               tutorial.password)
#  Authenticate without supplying any additional attributes.
aaaAttributeList = aaaUser.authenticate(None)

Retrieving AAA Server Last Request Information

We can get information about the AAA server that served the last request from the user's server property.

server = aaaUser.server
logger.info("IP address: " + server.address)
logger.info("Protocol: " + server.protocol)

Accessing Authorization and Accounting Services

After successful authentication, the authorization and accounting services may be accessed. If you are interested in using these services, read on. Otherwise, you may skip to the end of the tutorial.

When auto-accounting is not enabled for the user, the application must send accounting records itself.

if aaaUser.is_auto_acct_enabled:
    logger.info("Auto-accounting is enabled.")
else:
    logger.info("Auto-accounting is not enabled.")
    try:
        aaaUser.send_accounting_record(
            User.OnepAAAAcctAction.ONEP_AAA_ACCT_ACTION_START, None)
    except OnepException as e:
        logger.error(e)

Allowed actions are returned separately from the authorization profile. Here, we check whether the user is allowed to perform the requested action.

#  Inside the tutorial's command loop: nextLine is the action the user just requested.
if not aaaUser.is_action_authorized(nextLine):
    print "You are not allowed to perform this action."
    continue

If the AAA server is configured with app-specific attributes, we can get them from the authorization profile. Here, we read the app attribute "custom" from the attribute list.

if nextLine == "custom":
    for attribute in aaaAttributeList:
        if (attribute.type_ ==
                OnepAAAAttributeType.ONEP_AAA_AT_APP_ATTR
                and attribute.name == "aaa-tutorial-custom"
                and isinstance(attribute, StringAttribute)):
            #  Print the message for the custom action.
            print "You " + attribute.str_value
            break
    else:
        print "Custom action not found."
    continue

When auto-accounting is enabled, accounting stops when the application disconnects from the network element. Otherwise, the application can manually send a "stop" request.

#  Manual "stop" record; only needed when auto-accounting is not enabled.
aaaUser.send_accounting_record(
    User.OnepAAAAcctAction.ONEP_AAA_ACCT_ACTION_STOP, None)
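The authorization check, the app-attribute lookup and the manual start/stop accounting records above form one session flow. The following is an added example (not code from the onePK SDK or this tutorial) that models that flow offline: FakeUser, StringAttribute, ONEP_AAA_AT_APP_ATTR and ACCT_START/ACCT_STOP are constructed stand-ins for the SDK's User, StringAttribute and ONEP_AAA_* constants, with the AAA server's answers canned.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for ONEP_AAA_AT_APP_ATTR and ONEP_AAA_ACCT_ACTION_START/STOP.
ONEP_AAA_AT_APP_ATTR = "app-attr"
ACCT_START, ACCT_STOP = "START", "STOP"

@dataclass
class StringAttribute:          # stand-in for the SDK's StringAttribute
    type_: str
    name: str
    str_value: str

@dataclass
class FakeUser:
    """Stand-in for an authenticated onep User with canned AAA server answers."""
    allowed_actions: set
    attributes: list            # the list authenticate() returned
    is_auto_acct_enabled: bool = False
    acct_records: list = field(default_factory=list)

    def is_action_authorized(self, action):
        return action in self.allowed_actions
    def send_accounting_record(self, action, attrs):
        self.acct_records.append(action)

def app_attribute(attribute_list, name):
    """Return str_value of app attribute `name` (tutorial's three checks), else None."""
    for attribute in attribute_list:
        if (attribute.type_ == ONEP_AAA_AT_APP_ATTR
                and attribute.name == name
                and isinstance(attribute, StringAttribute)):
            return attribute.str_value
    return None

def run_session(user, requested_actions):
    """Authorize each action as the tutorial does; send manual START/STOP
    accounting records only when auto-accounting is disabled."""
    results = {}
    if not user.is_auto_acct_enabled:
        user.send_accounting_record(ACCT_START, None)
    for action in requested_actions:
        if not user.is_action_authorized(action):
            results[action] = "denied"   # authorization is checked before any action runs
        elif action == "custom":
            value = app_attribute(user.attributes, "aaa-tutorial-custom")
            results[action] = value if value is not None else "Custom action not found."
        else:
            results[action] = "ok"
    if not user.is_auto_acct_enabled:
        user.send_accounting_record(ACCT_STOP, None)
    return results
```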

Result

Congratulations! You have authenticated a user with an AAA server, read the user's authorization profile attributes, and sent accounting requests to the AAA server.

To try out this tutorial code by running it, you can find the code located at: <SDK Location>/python/tutorials/aaa/.