aaa authentication

Required Command-Line Mode = Configure

Use the aaa authentication command to specify the authentication methods to use for logins to the Mgmt port, as well as the order in which they should be used.

You can enable all authentication methods. If you enable more than one method, the GigaVUE‑OS node uses the methods in the same order in which they are specified, falling back as necessary. If all servers using the first method are unreachable, the GigaVUE‑OS node will fall back to the secondary method, and so on.

To prevent lockouts, it is recommended that you include local as one of the methods. However, the local method is optional. Refer to the “Authentication” section in the GigaVUE Administration Guide.

If a server responds to a login attempt with an authentication reject, no further servers using that method are tried. Instead, the next method is tried until either the user’s login is granted or all specified methods are exhausted.

If you enable radius, tacacs+, or ldap, you must also:

■   Configure the RADIUS, TACACS+, or LDAP server using the corresponding radius-server, tacacs-server, or ldap command.
■   Configure GigaVUE‑OS node users within the external authentication server itself.

The aaa authentication command has the following syntax:

aaa authentication
   attempts
      class-override
         admin no-lockout
         unknown <hash-username | no-track>
      lockout
         enable
         lock-time <seconds>
         max-fail <failure count>
         unlock-time <seconds>
      reset <all> | <user <username>> [no-clear-history | no-unlock]
      track enable
   certificate crl
      install name default pem url <URL>
      uninstall name default
   login default [ldap] [local] [radius] [tacacs+]
   password expiration
      duration <days>
      enable

The following table describes the arguments for the aaa authentication command:

Argument

Description

attempts
 class-override
  admin no-lockout

Overrides the global settings for tracking and lockouts for the admin account. Specifying no-lockout means that the admin user will never be locked out, though their authentication failure history will still be tracked if tracking is enabled overall.

This applies only to the single account with the username admin. It does not apply to any other users with administrative privileges.

attempts
 class-override unknown <hash-username | no-track>

Overrides settings for the unknown class. Unknown means all usernames that are not recognized as real accounts (not a locally configured account). The overrides specify the following:

no-track—Does not track authentication for these users.
hash-username—Applies a hash function to the username and stores the hashed result.

attempts
 lockout
  enable

Enables or disables locking out of user accounts based on authentication failures. Disabling lockouts suspends the enforcement of any existing lockouts and prevents any new lockouts from being recorded. If lockouts are later re-enabled, any lockouts that had been recorded previously resume being enforced, but accounts that have already passed the max-fail limit are not automatically locked at that time. They are permitted one more attempt, and are then locked out. Lockouts are applied after an authentication failure, if the user has surpassed the threshold at that time.

Lockouts only work if tracking is enabled. Enabling lockouts will automatically enable tracking. Disabling tracking will automatically disable lockouts.

attempts
 lockout
  lock-time <seconds>

Specifies that no logins are permitted for this number of seconds following any login failure (not counting failures caused by the lockout mechanism, or the lock-time itself). This is not based on the number of consecutive failures.

If both unlock-time and lock-time are set, the unlock-time must be greater than the lock-time.

Unlike max-fail, this does take effect immediately for all accounts.

attempts
 lockout
  max-fail <failure count>

Sets the maximum number of consecutive authentication failures (attempts) permitted for a user account before the account is locked. After this number of failures, the account is locked and subsequent attempts are not permitted.

This setting only impacts the lockouts imposed while the setting is active. It is not retroactive to previous logins. So if max-fail is disabled or changed, this does not immediately cause any users to be changed from locked to unlocked or vice-versa.

attempts
 lockout
  unlock-time <seconds>

Specifies that if a user account is locked due to authentication failures, another login attempt will be permitted if this number of seconds has elapsed since the last login failure. Failures caused by the lockout mechanism itself do not count: the user must have been permitted to attempt to log in, and then failed.

After this interval has elapsed, the account does not become unlocked, nor does its history reset. It simply permits one more login attempt even if the account is locked.

Unlike max-fail, this does take effect immediately for all accounts.

attempts
 reset <all> | <user <username>> [no-clear-history | no-unlock]

Clears the history of login failures, and/or unlocks the account. By default, both are done, which deletes the entire user record from the database.

If either of the two optional parameters is used, the record is left in the database, but partially cleared. The parameters specify the following:

no-clear-history—Clears the history, but leaves the account's lock alone. Therefore, if it was locked, it remains locked until further action is taken.
no-unlock—Leaves the history alone and only unlocks the account. Therefore, one more login will be permitted, but the account could then become re-locked after another failure (if it was already over the threshold).

attempts
 track
  enable

Enables or disables tracking of authentication failures. The default is disabled. Tracking can be used for informational purposes or with the lockout argument.

Disabling tracking does not clear any records of past authentication failures or the locks in the database. However, it prevents any updates to this database from being made. No new failures are recorded. It also disables lockout, preventing new lockouts from being recorded and existing lockouts from being enforced.

certificate crl
 install name default pem url <URL>
 uninstall name default

Configures certificate authentication settings for the Certificate Revocation List (CRL), as follows:

install—Downloads and installs a CRL as follows:
o name—Specifies the name of the CRL to install.
o default—Installs the specified CRL.
o pem—Downloads and installs the specified CRL in PEM format.
o url—Downloads the specified CRL in PEM format via the URL and installs it.
uninstall—Uninstalls a CRL as follows:
o name—Specifies the name of the CRL to uninstall.
o default—Uninstalls the specified CRL.

Examples:

(config) # aaa authentication certificate crl install name default pem url http://192.168.1.2/godaddy.crl.pem

(config) # aaa authentication certificate crl uninstall name default

login default [ldap] [local] [radius] [tacacs+]

Configures the order in which authentication methods for system logins are tried. The valid values are ldap, local, radius, and tacacs+. The order in which the methods are specified is the order in which authentication is tried.

To prevent lockouts, it is recommended that you include local as one of the methods. However, the local method is optional.

In the following example, local is not included as one of the methods, so logins to the device are authenticated exclusively by the TACACS+ server:

(config) # aaa authentication login default tacacs+

Access is only given to one method at a time.

In the following example, if the TACACS+ server is reachable, the local method will not be checked. Only if the TACACS+ server becomes unreachable will the method fall back to local:

(config) # aaa authentication login default tacacs+ local
% NOTICE: local method is last in order and it will be used only if remote servers are not reachable.

In the following example, the local method will only be checked if neither the TACACS+ server nor the RADIUS server is reachable:

(config) # aaa authentication login default tacacs+ radius local

In the following example, if the TACACS+ server is not reachable, the next method in order will be checked, which is local:

(config) # aaa authentication login default tacacs+ local radius

password expiration
 duration <days>
 enable

Configures the number of days before a password expires and enables it for user accounts. When a user account is created, it is given the currently configured password expiration duration.

If the duration is configured to 20 days, all user accounts that are created after that duration was configured will expire after 20 days. If the duration is then changed to 15 days, all user accounts that are created after the new duration was configured will expire after 15 days. That is, the user accounts already configured to expire after 20 days will not expire after 15 days as a result of the change to the duration.

For example:

(config) # aaa authentication password expiration duration 20
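The tracking and lockout behaviour described for the attempts arguments above (track enable, lockout enable, max-fail, lock-time, unlock-time, the admin no-lockout override and the unknown hash-username override) is modelled below as an added Python example; it is not GigaVUE-OS code. The SHA-256 hash, the simulated clock, and the rule that a successful login resets the consecutive-failure count are assumptions, and the login sequence in demo() is constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Policy:                       # one field per "aaa authentication attempts" setting
    track: bool = True              # track enable
    lockout: bool = True            # lockout enable (only effective while tracking is on)
    max_fail: int = 3               # lockout max-fail
    lock_time: int = 0              # lockout lock-time (seconds after any real failure)
    unlock_time: int = 0            # lockout unlock-time (0 = never retry a locked account)
    admin_no_lockout: bool = False  # class-override admin no-lockout
    unknown_hash: bool = False      # class-override unknown hash-username

@dataclass
class Record:
    failures: int = 0               # consecutive failures since the last success
    last_fail: int = -10**9         # time of the last real (not blocked) failure
    locked: bool = False

class AttemptTracker:
    def __init__(self, policy, known_users):
        self.p, self.known, self.db = policy, set(known_users), {}
    def _key(self, user):           # unknown usernames stored hashed (SHA-256 is an assumption)
        if user in self.known or not self.p.unknown_hash:
            return user
        return hashlib.sha256(user.encode()).hexdigest()[:16]
    def attempt(self, user, password_ok, now):   # -> 'granted', 'denied' (bad password) or 'blocked'
        if not self.p.track:                      # tracking off: nothing recorded, nothing enforced
            return "granted" if password_ok else "denied"
        rec = self.db.setdefault(self._key(user), Record())
        if self.p.lockout:
            if now - rec.last_fail < self.p.lock_time:   # lock-time: any real failure blocks logins briefly
                return "blocked"
            if rec.locked and not (self.p.unlock_time and now - rec.last_fail >= self.p.unlock_time):
                return "blocked"                  # unlock-time only permits one extra attempt
        if password_ok:
            rec.failures = 0                      # assumption: a success resets the consecutive count
            return "granted"
        rec.failures, rec.last_fail = rec.failures + 1, now
        exempt = user == "admin" and self.p.admin_no_lockout      # admin: tracked but never locked
        rec.locked = rec.locked or (self.p.lockout and not exempt and rec.failures >= self.p.max_fail)
        return "denied"

def demo():   # constructed run: max-fail 3, lock-time 5 s, unlock-time 60 s, admin exempt, unknowns hashed
    t = AttemptTracker(Policy(lock_time=5, unlock_time=60, admin_no_lockout=True, unknown_hash=True), {"admin", "manager"})
    seq = [t.attempt("manager", False, now) for now in (0, 10, 20)]  # third failure locks the account
    seq += [t.attempt("manager", True, 22),   # inside lock-time: blocked, not counted as a failure
            t.attempt("manager", True, 30),   # locked, unlock-time not elapsed: blocked
            t.attempt("manager", True, 80)]   # unlock-time elapsed: one more attempt, granted
    return seq, t
```

Note that after the granted attempt at 80 s the manager record is still marked locked with its history intact, which is the unlock-time behaviour the table describes.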

Related Commands

The following table summarizes other commands related to the aaa authentication command:

Task

Command

Displays general AAA settings.

# show aaa

Displays configuration and history of authentication failures.

# show aaa authentication attempts

Displays configuration of authentication failure tracking.

# show aaa authentication attempts configured

Displays status of authentication failure tracking and lockouts for all users.

# show aaa authentication attempts status

Displays failure tracking for a specified user.

# show aaa authentication attempts status user manager

Display authentication-certificate settings.

# show aaa authentication certificate

Displays the currently installed CRL.

# show aaa authentication certificate crl name default

Displays the tracked login attempts.

# show aaa authentication login

Displays the tracked login attempts for last x days (default 10).

Add last to specify the number of days to track.

Shows the user name, number of login attempts, hostname or IP address, and time. There are separate sections for successful and failed attempts.

# show aaa authentication login

# show aaa authentication login tracked last

Deletes all overrides from the admin account.

(config) # no aaa authentication attempts class-override admin

Deletes the no-lockout override from the admin account.

(config) # no aaa authentication attempts class-override admin no-lockout

Deletes all overrides from unknown users.

(config) # no aaa authentication attempts class-override unknown

Deletes the hash-username override from unknown users.

(config) # no aaa authentication attempts class-override unknown hash-username

Deletes the no-track override from unknown users.

(config) # no aaa authentication attempts class-override unknown no-track

Disables lockout of accounts based on failed authentication attempts.

(config) # no aaa authentication attempts lockout enable

Disables temporary lock on account after every authentication failure.

(config) # no aaa authentication attempts lockout lock-time

Does not lock out users based on consecutive authentication failures.

(config) # no aaa authentication attempts lockout max-fail

Never allows authentication retry on locked account.

(config) # no aaa authentication attempts lockout unlock-time

Disables tracking of failed authentication attempts.

(config) # no aaa authentication attempts track enable

Clears authentication login settings.

(config) # no aaa authentication login

Negates authentication password expiration settings.

(config) # no aaa authentication password expiration duration

Disables password expirations.

(config) # no aaa authentication password expiration enable