Goal

This tutorial demonstrates the pre-configuration needed for the AAA Tutorial.

The following examples will use FreeRADIUS as the AAA server and will configure IOS or NX-OS. Your configuration may vary depending on the platform and AAA server you are using.

The FreeRADIUS AAA server is a daemon that implements the RADIUS protocol and provides Authentication, Authorization, and Accounting for various types of network access. To use it, you need a network device configured to talk to it: configure your network operating system (NOS) by following the step Configuring IOS or Configuring NX-OS below. FreeRADIUS is an open-source software project; for more information, see www.freeradius.org.

Requirements/Prerequisites

These steps assume that you have a network element running IOS or NX-OS and a FreeRADIUS server that is reachable from the network element.

Steps In Detail

Configuring FreeRADIUS

Create a user in the "users" configuration file. This will be the username and password used to connect to the network element. Here we will use user1/pass1.

user1   Cleartext-Password := "pass1"
        Cisco-AVPair += "priv-lvl=15",

To enable auto-accounting for a user, append the following:

        Cisco-AVPair += "auto-acct=enable",

To authorize a user to use a specific onePK application, add a Cisco-AVPair of the type "allowed-app=<app-name>". The app-name is the unique name given to a onePK application. For the AAA Tutorial, append the following to user1's configuration:

        Cisco-AVPair += "allowed-app=com.cisco.onep.tutorials.aaa.AAATutorial",

In addition to the enumerated AAA attributes, the onePK AAA client recognizes the app-specific attributes "allowed-action=<app-name>:<action>" and "app-attr=<app-attr-name>:<type>:<app-attr-value>". For the AAA Tutorial, append the following to user1's configuration:

        Cisco-AVPair += "allowed-action=com.cisco.onep.tutorials.aaa.AAATutorial:walk",
        Cisco-AVPair += "allowed-action=com.cisco.onep.tutorials.aaa.AAATutorial:run",
        Cisco-AVPair += "allowed-action=com.cisco.onep.tutorials.aaa.AAATutorial:custom",
        Cisco-AVPair += "app-attr=aaa-tutorial-custom:string:jump"

The full user configuration for the AAA Tutorial is as follows. Note that every Cisco-AVPair line except the last ends with a comma; the comma tells FreeRADIUS that another reply item follows on the next line.

user1   Cleartext-Password := "pass1"
        Cisco-AVPair += "priv-lvl=15",
        Cisco-AVPair += "auto-acct=enable",
        Cisco-AVPair += "allowed-app=com.cisco.onep.tutorials.aaa.AAATutorial",
        Cisco-AVPair += "allowed-action=com.cisco.onep.tutorials.aaa.AAATutorial:walk",
        Cisco-AVPair += "allowed-action=com.cisco.onep.tutorials.aaa.AAATutorial:run",
        Cisco-AVPair += "allowed-action=com.cisco.onep.tutorials.aaa.AAATutorial:custom",
        Cisco-AVPair += "app-attr=aaa-tutorial-custom:string:jump"
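As an added example that is not part of the tutorial, the following Python checker parses a users-file entry like the one above, verifies the comma continuation rule, groups the Cisco-AVPair values into the onePK authorization data (allowed apps, allowed app:action pairs, typed app attributes), and answers "may this app perform this action?". The sample entry is the user1 entry from this page; the deny-by-default query logic and the parsing of "allowed-action" and "app-attr" values are assumptions about how the attributes are meant to be read, useful for reviewing a users file before deploying it.

```python
import re
# Constructed sample: the complete user1 entry from this tutorial, in FreeRADIUS "users" syntax.
USERS_ENTRY = '''\
user1   Cleartext-Password := "pass1"
        Cisco-AVPair += "priv-lvl=15",
        Cisco-AVPair += "auto-acct=enable",
        Cisco-AVPair += "allowed-app=com.cisco.onep.tutorials.aaa.AAATutorial",
        Cisco-AVPair += "allowed-action=com.cisco.onep.tutorials.aaa.AAATutorial:walk",
        Cisco-AVPair += "allowed-action=com.cisco.onep.tutorials.aaa.AAATutorial:run",
        Cisco-AVPair += "allowed-action=com.cisco.onep.tutorials.aaa.AAATutorial:custom",
        Cisco-AVPair += "app-attr=aaa-tutorial-custom:string:jump"
'''
AVPAIR_RE = re.compile(r'Cisco-AVPair\s*\+=\s*"([^"]*)"\s*(,?)\s*$')

def parse_avpairs(entry):
    """Return the Cisco-AVPair values of one entry; every reply line except the
    last must end with the comma that tells FreeRADIUS another item follows."""
    lines = [l for l in entry.splitlines() if l.strip()]
    pairs = []
    for i, line in enumerate(lines[1:], start=1):   # lines[0] is the check-item line
        m = AVPAIR_RE.search(line)
        if not m:
            raise ValueError(f"line {i}: not a Cisco-AVPair reply item: {line.strip()}")
        if bool(m.group(2)) == (i == len(lines) - 1):
            raise ValueError(f"line {i}: comma required on every reply item except the last")
        pairs.append(m.group(1))
    return pairs

def build_policy(pairs):
    """Group the AVPairs into onePK authorization data (assumed layout): allowed apps,
    allowed (app, action) pairs, typed app attributes, and the remaining flags."""
    policy = {"apps": set(), "actions": set(), "attrs": {}, "flags": {}}
    for p in pairs:
        key, _, val = p.partition("=")
        if key == "allowed-app":
            policy["apps"].add(val)
        elif key == "allowed-action":            # "<app-name>:<action>"
            app, _, action = val.rpartition(":")
            policy["actions"].add((app, action))
        elif key == "app-attr":                  # "<name>:<type>:<value>"
            name, typ, value = val.split(":", 2)
            policy["attrs"][name] = (typ, value)
        else:                                    # priv-lvl, auto-acct, ...
            policy["flags"][key] = val
    return policy

def authorized(policy, app, action):
    """Deny by default: the app must be allowed AND the action listed for that app."""
    return app in policy["apps"] and (app, action) in policy["actions"]
```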

Configuring IOS

If you are connecting to a network element that runs IOS, you must configure the network element to obtain its AAA attributes from the AAA server. The following steps show how this is done from the IOS command line interface.

IOS>enable
IOS#configure terminal
IOS(config)#aaa new-model
IOS(config)#radius server <alias-of-radius-server>
IOS(config-radius-server)#address <ipv4|ipv6> <address-of-radius-server> [auth-port <port-#>] [acct-port <port-#>]
IOS(config-radius-server)#key <pre-shared-key>
IOS(config-radius-server)#exit
IOS(config)#aaa authentication onep default group radius
IOS(config)#aaa authorization onep default group radius
IOS(config)#aaa accounting onep default <accounting-mode> [group radius]
IOS(config)#end

Configuring NX-OS

If you are connecting to a network element that runs NX-OS, you must configure the network element to obtain its AAA attributes from the AAA server. The following steps show how this is done from the NX-OS command line interface.

NX-OS#configure terminal
NX-OS(config)#radius distribute
NX-OS(config)#radius-server host <ip-of-radius-server> [key <pre-shared-key>]
NX-OS(config)#radius commit
NX-OS(config)#aaa group server radius <name-the-server-group>
NX-OS(config-radius)#server <ip-of-radius-server>
NX-OS(config-radius)#use-vrf <vrf-to-use>
NX-OS(config-radius)#source-interface <source-interface-to-use>
NX-OS(config-radius)#exit
NX-OS(config)#aaa authentication onep default group <name-of-server-group>
NX-OS(config)#aaa accounting onep default group <name-of-server-group>
NX-OS(config)#end

Result

Congratulations! You have configured a network element and an AAA server and are now ready to run the AAA Tutorial.