Local & Remote Authentication in CISCO SD-WAN

Advertisements

Cisco SD-WAN security is the hardening of the SD-WAN network management system called vManage. vManage plays a critical role in the overall security of the enterprise. For this reason, it supports a multitude of authentication and authorization methods and functionalities.

Local Authentication with Role-Based Access Control (RBAC)

Users can be authenticated into vManage through a built-in local database that can be found in the Administration section. These users can then be tied to a user group, providing customized access to the solution. There are three predefined user groups: netadmin, operator, and basic. The netadmin user group provides unfettered read and write access to the entirety of vManage. The operator user group provides read-only access to vManage. The basic user group provides read-only access to the interface and system sections of vManage. Custom user groups can also be created, and a combination of read and write access to all components of vManage can be configured.

Advertisements

Steps to Configure New Local Databases

The following is a summary of steps required to configure a new local database user:

Step 1. Add user. Within the Administration Manage Users section, click Add User under the Users tab.

Step 2. Configure full name. Specify the user’s full name.

Step 3. Configure username. Specify the user’s desired username.

Step 4. Configure password. Specify and confirm the user’s password, which can later be changed at first login, if necessary.

Step 5. Select user group. Select from one of the three predefined user groups or a custom user group.

 

Steps to Configure a Custom User Group

The following is a summary of steps required to configure a custom user group:

Step 1. Add user group. Within the Administration Manage Users section, click Add User Group under the User Groups tab.

Step 2. Configure user group name. Specify the user group name.

Step 3. Select read and write access. Select the desired read and write access levels.

 

Remote Authentication with Role-Based Access Control (RBAC)

vManage also supports remote authentication with role-based access control through the use of a RADIUS/TACACS or Single Sign-On (SSO) authentication server. To authenticate via RADIUS/TACACS, simply configure a AAA vManage feature template or manually configure the RADIUS/TACACS server information via vManage CLI. User groups can still be leveraged with remote authentication as long as the authentication server can pass the group name as a parameter to vManage.

 

Configuring AAA

AAA configuration configure local users on the Viptela device. AAA configuration is done in two steps:

  • Configure Users: Configure username and password for individuals who are permitted to access the CISCO SD-WAN device. One standard username admin and custom username also created as required.
  • Configure Groups: Groups can be created and types are basic, netadmin, and operator. A single user can be part of one or more groups.

Creating Users

Commands

Description

system aaa

user username password password

group group-name

This command creates a user account, configures the username and password, and places the user into a group.
system aaa usergroup group-name task privilege This command creates a custom group with specific authorization.

Create local username and password

Commands

Description

system aaa admin password password Factory-default password for the admin username is admin.

Configuring RADIUS Authentication

Commands

Description

system radius

server ip-address

secretkey password

priority number

authport port-number

acctport​​​​​​​ ​​​​​​​port-number

source-interface interface-name

tag tag

vpn vpn-id

Viptela device use RADIUS servers for user authentication.

Configuring TACACS+ Authentication

Commands

Description

system tacacs

server ip-address

secretkey password

priority number

authport port-number

sourceinterface interface-name

vpn vpn-id

Viptela device use TACACS+ servers for user authentication.

 

Configuring the Authentication Order

Commands

Description

auth-order (local | radius | tacacs) Configuring the order of authentication.

Verification Commands

Commands

Description

show running-config system aaa It shows the running configuration of AAA.
show aaa usergroup It shows the usergroup configured.

Conclusion

In CISCO SD-WAN Viptela security, local authentication is secured by AAA configuration and remote authentication secured by RADIUS and TACACS.

Continue Reading:

TACACS vs TACACS+

Understanding AAA Authentication Login & Configuration

Introduction to AAA – Authorization, Authentication and Accounting

Advertisements

Tags:

Related Posts

About The Author

Add Comment

Social Media Auto Publish Powered By : XYZScripts.com
Select your currency
USD United States (US) dollar