Authentication Authorization and Accounting
AAA (authentication, authorization, and accounting) supports configuring local accounts and remote servers using protocols like RADIUS, TACACS+, and LDAP. The AAA object model includes user management, general configurations, and per-protocol settings.
The current AAA configuration can be viewed on NVOS with:
admin@nvos:~$ nv show system aaa
AAA authentication consists of authentication order and authentication failthrough.
Authentication order specifies the sequence of protocols (radius, tacacs, ldap, local) used for authentication, separated by commas, for example:
admin@nvos:~$ nv set system aaa authentication order radius,local
# or
admin@nvos:~$ nv set system aaa authentication order local,ldap
Authentication order must include local and one of the following: radius, tacacs, or ldap.
Authentication failthrough defines the behavior of authentication when it is rejected locally or by an AAA server.
When authentication failthrough is disabled (default), the authentication process is blocked if the user password is rejected either locally or by the AAA server.
When authentication failthrough is enabled, the authentication process continues to the next AAA server or method if it is rejected.
admin@nvos:~$ nv set system aaa authentication failthrough ?
<arg>  Configure failthrough.
       "Enabled"   login authentication continues to the next option on both server and authentication errors.
       "Disabled"  login authentication continues only on server errors.
       (enum: enabled, disabled | string | default: disabled)
Authentication failthrough does not impact behavior when the AAA server is unavailable. After a server timeout, the switch will try the next server or method in order.
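The following is an added example, not NVOS code: a small Python model of the documented semantics, in which a server error always advances to the next method in the configured order, while a password reject advances only when failthrough is enabled. The method names, outcome labels and scenarios are constructed for the model; validate_order also enforces the rule that the order must include local and one of radius, tacacs or ldap.

```python
# Added example: a model of NVOS AAA "authentication order" and "failthrough"
# semantics as documented above. This is not NVOS code; it simulates how the
# login chain walks the configured methods.
from typing import Dict, List

METHODS = ("radius", "tacacs", "ldap", "local")
# Outcomes a method can report (labels constructed for this model).
ACCEPT, REJECT, SERVER_ERROR = "accept", "reject", "server-error"


def validate_order(order: str) -> List[str]:
    """Parse 'radius,local' and enforce the documented rule: the order must
    contain 'local' and at least one of radius, tacacs or ldap."""
    methods = [m.strip() for m in order.split(",") if m.strip()]
    unknown = [m for m in methods if m not in METHODS]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    if "local" not in methods:
        raise ValueError("order must include local")
    if not any(m in methods for m in ("radius", "tacacs", "ldap")):
        raise ValueError("order must include radius, tacacs or ldap")
    return methods


def authenticate(order: str, results: Dict[str, str], failthrough: bool) -> dict:
    """Walk the methods in order. A server error (timeout/unreachable) always
    moves on to the next method; a reject moves on only when failthrough is
    enabled. Returns the final decision and the methods actually consulted."""
    tried = []
    for method in validate_order(order):
        # A method with no recorded answer is treated as unreachable.
        outcome = results.get(method, SERVER_ERROR)
        tried.append(method)
        if outcome == ACCEPT:
            return {"result": "accepted", "by": method, "tried": tried}
        if outcome == REJECT and not failthrough:
            return {"result": "rejected", "by": method, "tried": tried}
        # SERVER_ERROR, or REJECT with failthrough enabled: continue the chain
    return {"result": "rejected", "by": None, "tried": tried}


if __name__ == "__main__":
    # Constructed scenario: RADIUS rejects the password but the local account accepts.
    scenario = {"radius": REJECT, "local": ACCEPT}
    print(authenticate("radius,local", scenario, failthrough=False))  # rejected by radius
    print(authenticate("radius,local", scenario, failthrough=True))   # accepted by local
    # Constructed scenario: RADIUS times out; local is consulted regardless of failthrough.
    print(authenticate("radius,local", {"radius": SERVER_ERROR, "local": ACCEPT}, failthrough=False))
```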
For more information on Authentication Authorization and Accounting, see the following sections: