Local & Remote Authentication in CISCO SD-WAN


Cisco SD-WAN security centres on hardening vManage, the SD-WAN network management system. vManage plays a critical role in the overall security of the enterprise, and for this reason it supports a multitude of authentication and authorization methods and functionalities.

Local Authentication with Role-Based Access Control (RBAC)

Users can be authenticated into vManage through a built-in local database that can be found in the Administration section. These users can then be tied to a user group, providing customized access to the solution. There are three predefined user groups: netadmin, operator, and basic. The netadmin user group provides unfettered read and write access to the entirety of vManage. The operator user group provides read-only access to vManage. The basic user group provides read-only access to the interface and system sections of vManage. Custom user groups can also be created, and a combination of read and write access to all components of vManage can be configured.

Steps to Configure New Local Databases

The following is a summary of steps required to configure a new local database user:


Step 1. Add user. Within the Administration > Manage Users section, click Add User under the Users tab.

Step 2. Configure full name. Specify the user’s full name.

Step 3. Configure username. Specify the user’s desired username.

Step 4. Configure password. Specify and confirm the user’s password, which can later be changed at first login, if necessary.

Step 5. Select user group. Select from one of the three predefined user groups or a custom user group.

Steps to Configure a Custom User Group

The following is a summary of steps required to configure a custom user group:

Step 1. Add user group. Within the Administration > Manage Users section, click Add User Group under the User Groups tab.

Step 2. Configure user group name. Specify the user group name.

Step 3. Select read and write access. Select the desired read and write access levels.

Remote Authentication with Role-Based Access Control (RBAC)

vManage also supports remote authentication with role-based access control through a RADIUS/TACACS or Single Sign-On (SSO) authentication server. To authenticate via RADIUS/TACACS, configure an AAA vManage feature template or manually configure the RADIUS/TACACS server information via the vManage CLI. User groups can still be leveraged with remote authentication as long as the authentication server can pass the group name as a parameter to vManage.

Configuring AAA

AAA configuration defines local users and groups on the Viptela device. AAA configuration is done in two steps:

  • Configure Users: Configure a username and password for each individual who is permitted to access the CISCO SD-WAN device. The standard username admin always exists; custom usernames are created as required.
  • Configure Groups: Groups can be created, and the predefined group types are basic, netadmin, and operator. A single user can be a member of one or more groups.

Creating Users

Commands:
  system aaa
  user username password password
  group group-name
Description: This command creates a user account, configures the username and password, and places the user into a group.

Commands:
  system aaa usergroup group-name task privilege
Description: This command creates a custom group with specific authorization.

Create local username and password

Commands:
  system aaa admin password password
Description: Sets the password of the admin user. The factory-default password for the admin username is admin.

Configuring RADIUS Authentication

Commands:
  system radius
  server ip-address
  secretkey password
  priority number
  authport port-number
  acctport port-number
  source-interface interface-name
  tag tag
  vpn vpn-id
Description: Configures the RADIUS servers that the Viptela device uses for user authentication.

Configuring TACACS+ Authentication

Commands:
  system tacacs
  server ip-address
  secretkey password
  priority number
  authport port-number
  source-interface interface-name
  vpn vpn-id
Description: Configures the TACACS+ servers that the Viptela device uses for user authentication.

Configuring the Authentication Order

Commands:
  auth-order (local | radius | tacacs)
Description: Configures the order in which the authentication methods are tried.

Verification Commands

Commands:
  show running-config system aaa
Description: Shows the running configuration of AAA.

Commands:
  show aaa usergroup
Description: Shows the configured user groups.
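As an added example (not part of the original article or of any Cisco tool), the following script parses a constructed running-config excerpt written in the Viptela CLI style shown above and reports the settings a reviewer would check first: an auth-order that tries local before the remote server, a remote method named in auth-order with no server configured, non-admin users placed in netadmin, and a custom usergroup with write on the system task. The config layout (usergroup blocks with "task <area> read|write", user blocks with "group", radius/tacacs blocks with "server") is assumed from the commands listed above; the sample itself is constructed.

```python
# Constructed 'show running-config system' excerpt in the Viptela CLI style above; not from a real device.
SAMPLE_CONFIG = """system
 aaa
  auth-order local radius
  usergroup noc
   task system write
  !
  user jsmith
   group netadmin
 tacacs
  server 10.1.1.9
!"""

def parse_aaa(text):
    """Extract auth-order, usergroup task privileges, user->group and server lists."""
    cfg = {"auth_order": [], "usergroups": {}, "users": {}, "radius": [], "tacacs": []}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "auth-order":
            cfg["auth_order"] = tok[1:]
        elif tok[0] == "usergroup":          # start of a usergroup block
            cur = cfg["usergroups"].setdefault(tok[1], {})
        elif tok[0] == "task":               # task <area> read|write
            cur[tok[1]] = tok[2]
        elif tok[0] == "user":               # start of a user block
            cur, key = cfg["users"], tok[1]
        elif tok[0] == "group":              # group membership of that user
            cur[key] = tok[1]
        elif tok[0] in ("radius", "tacacs"):
            cur = cfg[tok[0]]
        elif tok[0] == "server":
            cur.append(tok[1])
    return cfg

def audit(cfg):
    """Return human-readable findings about the parsed AAA configuration."""
    order = cfg["auth_order"]
    remote = [m for m in order if m in ("radius", "tacacs")]
    f = []
    if not remote:
        f.append("auth-order is local-only; no RADIUS/TACACS server is consulted")
    elif order[0] == "local":
        f.append("auth-order consults local before " + "/".join(remote))
    f += ["auth-order lists %s but no %s server is configured" % (m, m)
          for m in remote if not cfg[m]]
    f += ["user %s is in netadmin (unrestricted read/write)" % u
          for u, g in cfg["users"].items() if g == "netadmin" and u != "admin"]
    f += ["usergroup %s grants write on the system task" % g
          for g, t in cfg["usergroups"].items() if t.get("system") == "write"]
    return f
```

Running audit(parse_aaa(SAMPLE_CONFIG)) on the constructed excerpt yields four findings; a config whose auth-order is only local yields the local-only finding alone.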

Conclusion

In CISCO SD-WAN (Viptela) security, local authentication is secured through AAA configuration and remote authentication through RADIUS and TACACS+ servers.
