Local & Remote Authentication in CISCO SD-WAN

Rashmi Bhardwaj | Blog,Config & Troubleshoot,Programming & Software,Security

Securing Cisco SD-WAN means hardening its network management system, vManage. vManage plays a critical role in the overall security of the enterprise. For this reason, it supports a multitude of authentication and authorization methods and functionalities.

Local Authentication with Role-Based Access Control (RBAC)

Users can be authenticated into vManage through a built-in local database that can be found in the Administration section. These users can then be tied to a user group, providing customized access to the solution. There are three predefined user groups: netadmin, operator, and basic. The netadmin user group provides unfettered read and write access to the entirety of vManage. The operator user group provides read-only access to vManage. The basic user group provides read-only access to the interface and system sections of vManage. Custom user groups can also be created, and a combination of read and write access to all components of vManage can be configured.

Steps to Configure a New Local Database User

The following is a summary of steps required to configure a new local database user:


Step 1. Add user. Within the Administration > Manage Users section, click Add User under the Users tab.

Step 2. Configure full name. Specify the user’s full name.

Step 3. Configure username. Specify the user’s desired username.

Step 4. Configure password. Specify and confirm the user’s password, which can later be changed at first login, if necessary.

Step 5. Select user group. Select one of the three predefined user groups or a custom user group.

Steps to Configure a Custom User Group

The following is a summary of steps required to configure a custom user group:

Step 1. Add user group. Within the Administration > Manage Users section, click Add User Group under the User Groups tab.

Step 2. Configure user group name. Specify the user group name.

Step 3. Select read and write access. Select the desired read and write access levels.

Remote Authentication with Role-Based Access Control (RBAC)

vManage also supports remote authentication with role-based access control through the use of a RADIUS/TACACS or Single Sign-On (SSO) authentication server. To authenticate via RADIUS/TACACS, simply configure a AAA vManage feature template or manually configure the RADIUS/TACACS server information via vManage CLI. User groups can still be leveraged with remote authentication as long as the authentication server can pass the group name as a parameter to vManage.

Configuring AAA

AAA configuration sets up local users on the Viptela device. It is done in two steps:

  • Configure Users: Configure a username and password for each individual who is permitted to access the Cisco SD-WAN device. One standard username, admin, exists, and custom usernames can also be created as required.
  • Configure Groups: Groups can be created; the group types are basic, netadmin, and operator. A single user can be part of one or more groups.

Creating Users

Command:

    system aaa
      user username password password
        group group-name

Description: This command creates a user account, configures the username and password, and places the user into a group.

Command:

    system aaa usergroup group-name task privilege

Description: This command creates a custom group with specific authorization.

Create local username and password

Command:

    system aaa user admin password password

Description: The factory-default password for the admin username is admin.

Configuring RADIUS Authentication

Command:

    system radius
      server ip-address
        secret-key password
        priority number
        auth-port port-number
        acct-port port-number
        source-interface interface-name
        tag tag
        vpn vpn-id

Description: Viptela devices use RADIUS servers for user authentication.

Configuring TACACS+ Authentication

Command:

    system tacacs
      server ip-address
        secret-key password
        priority number
        auth-port port-number
        source-interface interface-name
        vpn vpn-id

Description: Viptela devices use TACACS+ servers for user authentication.

Configuring the Authentication Order

Command:

    auth-order (local | radius | tacacs)

Description: Configures the order of authentication.

Verification Commands

Command:

    show running-config system aaa

Description: Shows the running configuration of AAA.

Command:

    show aaa usergroup

Description: Shows the user groups configured.
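
An added example (not from the original article or from Cisco): a Python audit of text saved from show running-config system aaa, listing netadmin members, users assigned to undefined groups, and custom groups that grant write access. The SAMPLE stanza and its `task <section> <privileges>` layout are constructed assumptions modelled on the commands above.

```python
PREDEFINED = {"netadmin", "operator", "basic"}  # predefined groups named on this page
# Constructed sample modelled on the commands above; not output from a real device.
SAMPLE = """\
system
 aaa
  auth-order local radius
  usergroup noc
   task interface read
   task system read write
  !
  user admin
   group netadmin
  user jdoe
   group noc
  user temp
   group contractors
"""

def parse_aaa(text):
    """Return (auth_order, usergroups, users) parsed from an aaa stanza."""
    auth_order, groups, users, current = [], {}, {}, None
    for line in text.splitlines():
        key, *args = line.split() or [""]
        if key == "auth-order":
            auth_order = args
        elif key == "usergroup" and args:
            current = groups.setdefault(args[0], {})   # task name -> privileges
        elif key == "user" and args:
            current = users.setdefault(args[0], [])    # list of group names
        elif key == "task" and args and isinstance(current, dict):
            current[args[0]] = set(args[1:])
        elif key == "group" and isinstance(current, list):
            current += args
    return auth_order, groups, users

def audit(text):
    """Flag netadmin members, undefined groups and custom groups with write access."""
    auth_order, groups, users = parse_aaa(text)
    findings = []
    for user, member_of in sorted(users.items()):
        for g in member_of:
            if g == "netadmin":
                findings.append(f"{user}: member of netadmin (full read/write)")
            elif g not in PREDEFINED and g not in groups:
                findings.append(f"{user}: group '{g}' is not defined")
    for g, tasks in sorted(groups.items()):
        writable = sorted(t for t, privs in tasks.items() if "write" in privs)
        if g not in PREDEFINED and writable:
            findings.append(f"usergroup {g}: write access to {', '.join(writable)}")
    return auth_order, findings
```

Call audit() on the saved command output; it returns the configured authentication order together with the list of findings to review.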

Conclusion

In Cisco SD-WAN Viptela security, local authentication is secured by AAA configuration, and remote authentication is secured by RADIUS and TACACS.
