AAA Methods

NVIDIA UFM-SDN Appliance Command Reference Guide v4.9.0

aaa accounting changes default {<time-frame> | stop-only} tacacs+
no aaa accounting changes default {<time-frame> | stop-only} tacacs+

Enables logging of system changes to a AAA accounting server.
The no form of the command disables the accounting.

Syntax Description

stop-only

Sends a stop accounting notice at the end of requested user process

Default

N/A

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # aaa accounting changes default stop-only tacacs+

Related Commands

show aaa

Notes

  • TACACS+ is presently the only accounting service method supported

  • Change accounting covers both configuration changes and system actions that are visible under audit logging, however this feature operates independently of audit logging, so it is unaffected by the "logging level audit mgmt" or "configuration audit" commands

  • Configured TACACS+ servers are contacted in the order in which they appear in the configuration until one accepts the accounting data, or the server list is exhausted

  • Despite the name of the "stop-only" keyword, which indicates that this feature logs a TACACS+ accounting "stop" message, and in contrast to configuration change accounting, which happens after configuration database changes, system actions are logged when the action is started, not when the action has completed

aaa authentication login default <auth method> [<auth method> [<auth method> [<auth method> [<auth method>]]]]
no aaa authentication login

Sets a sequence of authentication methods. Up to four methods can be configured.
The no form of the command resets the configuration to its default.

Syntax Description

auth-method

Possible values:

  • local

  • radius

  • tacacs+

  • ldap

Default

N/A

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # aaa authentication login default local radius tacacs+ ldap

Related Commands

show aaa

Notes

The order in which the methods are specified is the order in which the authentication is attempted. It is required that "local" is one of the methods selected. It is recommended that "local" be listed first to avoid potential problems logging in to local accounts in the face of network or remote server issues.

aaa authorization map [default-user <username> | order <policy>]
no aaa authorization map [default-user | order]

Sets the mapping permissions of a user in case a remote authentication is done.
The no form of the command resets the attributes to default.

Syntax Description

username

Specifies what local account the authenticated user will be logged on as when a user is authenticated (via RADIUS or TACACS+) and does not have a local account. If the username is local, this mapping is ignored.

policy

Sets the user mapping behavior when authenticating users via RADIUS or TACACS+ to one of three choices. The order determines how the remote user mapping behaves. If the authenticated username is valid locally, no mapping is performed. The setting has the following three possible behaviors:

  • remote-first - If a local-user mapping attribute is returned and it is a valid local username, it maps the authenticated user to the local user specified in the attribute. Otherwise, it uses the user specified by the default-user command.

  • remote-only - Maps a remote authenticated user if the authentication server sends a local-user mapping attribute. If the attribute does not specify a valid local user, no further mapping is tried.

  • local-only - Maps all remote users to the user specified by the "aaa authorization map default-user <user name>" command. Any vendor attributes received by an authentication server are ignored.

Default

Default user: admin
Map order: remote-first

Configuration Mode

config

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # aaa authorization map default-user admin

Related Commands

show aaa
username

Notes

If, for example, the user is locally defined to have admin permission, but in a remote server such as RADIUS the user is authenticated as monitor and the order is remote-first, then the user will be given monitor permissions.

show aaa

Displays the AAA configuration.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any configuration mode

History

1.5

Example

Copy
Copied!
            

ufmapl [ mgmt-sa ] (config) # show aaa AAA authorization: Default User: admin Map Order: remote-first Authentication method(s): local Accounting method(s): tacacs+

Related Commands

aaa accounting
aaa authentication
aaa authorization
show aaa
show usernames
username

Notes

© Copyright 2023, NVIDIA. Last updated on Sep 6, 2023.