
Role-Based Access with AAA

The Viptela AAA software implements role-based access to control the authorization permissions for users on Viptela devices. Role-based access consists of three components:

  • Users are those who are allowed to log in to a Viptela device.
  • User groups are collections of users.
  • Privileges are associated with each group. They define the commands that the group's users are authorized to issue.

Users and User Groups

All users who are permitted to perform operations on a Viptela device must have a login account. For the login account, you configure a username and a password on the device itself. These allow the user to log in to that device. A username and password must be configured on each device that a user is allowed to access.

The Viptela software provides one standard username, admin, which is a user who has full administrative privileges, similar to a UNIX superuser. By default, the admin username password is admin. You cannot delete or modify this username, but you can and should change the default password.

User groups pool together users who have common roles, or privileges, on the Viptela device. As part of configuring the login account information, you specify which user group or groups that user is a member of. You do not need to specify a group for the admin user, because this user is automatically in the user group netadmin and is permitted to perform all operations on the Viptela device.


The user group itself is where you configure the privileges associated with that group. These privileges correspond to the specific commands that the user is permitted to execute, effectively defining the role-based access to the Viptela software elements.


The Viptela software provides three standard user groups. The two groups basic and operator are configurable. While you can use these two groups for any users and privilege levels, the basic group is designed to include users who have permission to both view and modify information on the device, while the operator group is designed to include users who have permission only to view information. The third group is netadmin, which is non-configurable. By default, it includes the admin user. You can add other users to this group. Users in this group are permitted to perform all operations on the device.

Privileges for Role-Based Access

Role-based access privileges are arranged into five categories, which are called tasks:

  • Interface—Privileges for controlling the interfaces on the Viptela device.
  • Policy—Privileges for controlling control plane policy, OMP, and data plane policy.
  • Routing—Privileges for controlling the routing protocols, including BFD, BGP, OMP, and OSPF.
  • Security—Privileges for controlling the security of the device, including installing software and certificates. Only users belonging to the netadmin group can install software on the system.
  • System—General systemwide privileges.

The tables in the following sections detail the AAA authorization rules for users and user groups. These authorization rules apply to commands issued from the CLI and to those issued from Netconf.

User Authorization Rules for Operational Commands

The user authorization rules for operational commands are based simply on the username. Any user who is allowed to log in to the Viptela device can execute most operational commands. However, only the admin user can issue commands that affect the fundamental operation of the device, such as installing and upgrading the software and shutting down the device.

Note that any user can issue the config command to enter configuration mode, and once in configuration mode, they are allowed to issue any general configuration command. Also, any user is allowed to configure their password by issuing the system aaa user self password password command and then committing that configuration change. For the actual commands that configure device operation, authorization is defined according to user group membership. See User Group Authorization Rules for Configuration Commands.

The following table lists the AAA authorization rules for general CLI commands. All the commands are operational commands except as noted. Also, some commands available to the "admin" user are available only if that user is in the "netadmin" user group.

CLI Command                             | Any User | Admin User
----------------------------------------+----------+-----------------------------------
clear history                           | X        | X
commit confirm                          | X        | X
complete-on-space                       | X        | X
config                                  | X        | X
exit                                    | X        | X
file                                    | X        | X
help                                    | X        | X
[no] history                            | X        | X
idle-timeout                            | X        | X
job                                     | X        | X
logout                                  |          | X (users in netadmin group only)
monitor                                 | X        | X
nslookup                                | X        | X
paginate                                | X        | X
ping                                    | X        | X
poweroff                                |          | X (users in netadmin group only)
prompt1                                 | X        | X
prompt2                                 | X        | X
quit                                    | X        | X
reboot                                  |          | X (users in netadmin group only)
request aaa, request admin-tech,        |          | X (users in netadmin group only)
request firmware,                       |          |
request interface-reset, request nms,   |          |
request reset, request software         |          |
request execute, request download,      | X        | X
request upload                          |          |
*request (everything else)              |          | X
rollback (configuration mode command)   |          | X (users in netadmin group only)
screen-length                           | X        | X
screen-width                            | X        | X
show cli                                | X        | X
show configuration commit list          | X        | X
show history                            | X        | X
show jobs                               | X        | X
show parser dump                        | X        | X
show running-config                     | X        | X
show users                              | X        | X
system aaa user self password password  | X        | X
(configuration mode command)            |          |
(Note: a user cannot delete themselves) |          |
tcpdump                                 | X        | X
timestamp                               | X        | X
tools ip-route                          | X        | X
tools netstat                           | X        | X
tools nping                             | X        | X
traceroute                              | X        | X
vshell                                  | X        | X (users in netadmin group only)

User Group Authorization Rules for Operational Commands

The following table lists the user group authorization rules for operational commands.

Operational Command                 | Interface | Policy | Routing | Security | System
------------------------------------+-----------+--------+---------+----------+-------
clear app                           |           | X      |         |          |
clear app-route                     |           | X      |         |          |
clear arp                           |           |        |         |          |
clear bfd                           |           |        | X       |          | X
clear bgp                           |           |        | X       |          | X
clear bridge                        | X         |        |         |          |
clear cellular                      | X         |        |         |          |
clear control                       |           |        |         | X        |
clear crash                         |           |        |         |          | X
clear dhcp                          |           |        |         |          | X
clear dns                           |           |        |         |          | X
clear igmp                          |           |        | X       |          |
clear installed-certificates        |           |        |         | X        |
clear interface                     | X         |        |         |          |
clear ip                            |           |        | X       |          |
clear notification                  |           |        |         |          | X
clear omp                           |           |        | X       |          |
clear orchestrator                  |           |        |         | X        |
clear ospf                          |           |        | X       |          |
clear pim                           |           |        | X       |          |
clear policy                        |           | X      |         |          |
clear pppoe                         | X         |        |         |          |
clear system                        |           |        |         |          | X
clear tunnel                        |           |        |         | X        |
clear wlan                          | X         |        |         |          |
clear ztp                           |           |        |         | X        | X
clock                               |           |        |         |          | X
debug bgp                           |           |        | X       |          |
debug cellular                      | X         |        |         |          |
debug cflowd                        |           | X      |         |          |
debug chmgr                         |           |        |         |          | X
debug config-mgr                    |           |        |         |          | X
debug dhcp-client                   |           |        |         |          | X
debug dhcp-helper                   |           |        |         |          | X
debug dhcp-server                   |           |        |         |          | X
debug fpm                           |           | X      |         |          |
debug ftm                           |           |        |         |          | X
debug igmp                          |           |        | X       |          |
debug netconf                       |           |        |         |          | X
debug omp                           |           |        | X       |          |
debug ospf                          |           |        | X       |          |
debug pim                           |           |        | X       |          |
debug resolver                      |           |        | X       |          |
debug snmp                          |           |        |         |          | X
debug sysmgr                        |           |        |         |          | X
debug transport                     |           |        |         |          | X
debug ttm                           |           |        |         |          | X
debug vdaemon                       |           |        |         | X        | X
debug vrrp                          |           |        |         | X        |
debug wlan                          | X         |        |         |          |
request certificate                 |           |        |         | X        |
request control-tunnel              |           |        |         | X        |
request controller                  |           |        |         | X        |
request controller-upload           |           |        |         | X        |
request csr                         |           |        |         | X        |
request device                      |           |        |         | X        |
request device-upload               |           |        |         | X        |
request on-vbond-controller         |           |        |         | X        |
request port-hop                    |           |        |         | X        |
request root-cert-chain             |           |        |         | X        |
request security                    |           |        |         | X        |
request vedge                       |           |        |         | X        |
request vedge-upload                |           |        |         | X        |
request vsmart-upload               |           |        |         | X        |
show aaa                            |           |        |         |          | X
show app                            |           | X      |         |          |
show app-route                      |           | X      |         |          |
show arp                            | X         |        |         |          |
show bfd                            |           |        | X       |          | X
show bgp                            |           |        | X       |          |
show boot-partition                 |           |        |         |          | X
show bridge                         | X         |        |         |          |
show cellular                       | X         |        |         |          |
show certificate                    |           |        |         | X        |
show clock                          |           |        |         |          | X
show control                        |           |        |         | X        | X
show crash                          |           |        |         |          | X
show debugs—same as debug commands  |           |        |         |          |
show dhcp                           |           |        |         |          | X
show external-nat                   |           |        |         | X        | X
show hardware                       |           |        |         |          | X
show igmp                           |           |        | X       |          |
show interface                      | X         |        |         |          |
show ip                             |           |        | X       |          | X
show ipsec                          |           |        |         | X        |
show licenses                       |           |        |         |          | X
show logging                        |           |        |         |          | X
show multicast                      |           |        | X       |          |
show nms-server                     |           |        |         |          | X
show notification                   |           |        |         |          | X
show ntp                            |           |        |         |          | X
show omp                            |           | X      | X       |          | X
show orchestrator                   |           |        |         | X        |
show ospf                           |           |        | X       |          |
show pim                            |           |        | X       |          |
show policer                        |           | X      |         |          |
show policy                         |           | X      |         |          |
show ppp                            | X         |        |         |          |
show pppoe                          | X         |        |         |          |
show reboot                         |           |        |         |          | X
show security-info                  |           |        |         | X        |
show software                       |           |        |         |          | X
show system                         |           |        |         |          | X
show transport                      |           |        |         |          | X
show tunnel                         |           |        |         | X        |
show uptime                         |           |        |         |          | X
show users                          |           |        |         |          | X
show version                        |           |        |         |          | X
show vrrp                           | X         |        |         |          |
show wlan                           | X         |        |         |          |
show ztp                            |           |        |         | X        |

User Group Authorization Rules for Configuration Commands

The following table lists the user group authorization rules for configuration commands.

Configuration Command               | Interface | Policy | Routing | Security | System
------------------------------------+-----------+--------+---------+----------+-------
apply-policy                        |           | X      |         |          |
banner                              |           |        |         |          | X
bfd                                 |           |        | X       |          | X
bridge                              | X         |        |         |          |
omp                                 |           | X      | X       |          | X
policy                              |           | X      |         |          |
security                            |           |        |         | X        | X
snmp                                |           |        |         |          | X
system                              |           |        |         |          | X
vpn interface                       | X         |        |         |          |
vpn ip                              |           |        | X       |          |
vpn router                          |           |        | X       |          |
vpn service                         |           |        | X       |          |
vpn (everything else, including     |           |        |         |          | X
creating, deleting, and naming)     |           |        |         |          |
wlan                                | X         |        |         |          |
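The three components described at the top of this page (users, user groups, and the task privileges attached to each group) and the two kinds of rule in the tables (username-based rules for a few operational commands, group-based rules for everything else) can be modelled in a few dozen lines. The following Python is an added example, not Viptela or Cisco code, and it does not talk to a device. It encodes a constructed subset of rows from the three tables, and it makes two assumptions the page does not spell out: a row carrying several X marks is satisfied by any one of those tasks, and a command that appears in no table is denied. The groups routing-ops and sec-ops and the accounts alice and bob are constructed for the demonstration; the netadmin group is treated as the page describes it (non-configurable, all operations). The `can_delete_user` check encodes the table note that a user cannot delete themselves, and `netadmin_members` is the audit a defender would run first: which accounts hold full privileges.

```python
"""Model of the role-based AAA rules on this page (added example, not
Viptela/Cisco code). Command rows are a constructed subset of the page's
three tables; groups routing-ops/sec-ops and users alice/bob are made up."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

TASKS = frozenset({"interface", "policy", "routing", "security", "system"})
NETADMIN = "netadmin"

# Operational commands the first table marks "users in netadmin group only".
NETADMIN_ONLY = frozenset({
    "logout", "poweroff", "reboot", "rollback", "request software", "vshell",
})

# Operational commands any logged-in user may issue, plus the self-password
# change the page calls out as permitted for every user.
ANY_USER = frozenset({
    "config", "exit", "ping", "traceroute", "show running-config",
    "system aaa user self password",
})

# command -> tasks whose holders may issue it (subset of tables 2 and 3).
# A row with several X marks is read as "any one task suffices"; the page
# does not say this explicitly, so it is an assumption of this model.
TASK_RULES: Dict[str, FrozenSet[str]] = {
    "clear bfd": frozenset({"routing", "system"}),
    "clear bgp": frozenset({"routing", "system"}),
    "clear interface": frozenset({"interface"}),
    "show certificate": frozenset({"security"}),
    "show omp": frozenset({"policy", "routing", "system"}),
    "bfd": frozenset({"routing", "system"}),
    "vpn interface": frozenset({"interface"}),
    "system": frozenset({"system"}),  # covers "system aaa user ..." edits
}

# group -> tasks. netadmin is non-configurable and holds every task; the
# other two groups are constructed (the page lists no task sets for the
# standard basic and operator groups).
GROUPS: Dict[str, FrozenSet[str]] = {
    NETADMIN: TASKS,
    "routing-ops": frozenset({"routing"}),
    "sec-ops": frozenset({"security"}),
}


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]


def tasks_for(user: User) -> FrozenSet[str]:
    """Union of the task privileges of every group the user belongs to."""
    held: Set[str] = set()
    for group in user.groups:
        held |= GROUPS.get(group, frozenset())
    return frozenset(held)


def authorize(user: User, command: str) -> Tuple[bool, str]:
    """Decide whether `user` may issue `command`; returns (allowed, reason)."""
    if NETADMIN in user.groups:
        return True, "netadmin members may perform all operations"
    if command in NETADMIN_ONLY:
        return False, "restricted to users in the netadmin group"
    if command in ANY_USER:
        return True, "available to any logged-in user"
    needed = TASK_RULES.get(command)
    if needed is None:
        return False, "command not in the tables; default deny (assumption)"
    held = tasks_for(user) & needed
    if held:
        return True, "authorized by task(s) %s" % sorted(held)
    return False, "requires one of task(s) %s" % sorted(needed)


def can_delete_user(actor: User, target: User) -> bool:
    """Deleting an account is a `system` configuration command, and the
    page notes that a user cannot delete themselves."""
    if actor.name == target.name:
        return False
    return authorize(actor, "system")[0]


def netadmin_members(users: List[User]) -> List[str]:
    """Audit helper: every account that holds full privileges via netadmin."""
    return sorted(u.name for u in users if NETADMIN in u.groups)


# Constructed accounts for the demonstration.
ADMIN = User("admin", frozenset({NETADMIN}))
ALICE = User("alice", frozenset({"routing-ops"}))
BOB = User("bob", frozenset({"routing-ops", "sec-ops"}))

if __name__ == "__main__":
    for user in (ADMIN, ALICE, BOB):
        for cmd in ("reboot", "clear bgp", "show certificate", "ping"):
            ok, why = authorize(user, cmd)
            print(f"{user.name:6} {cmd:17} {'allow' if ok else 'deny':5} {why}")
    print("netadmin members:", netadmin_members([ADMIN, ALICE, BOB]))
```

Running the script prints one allow/deny line per user and command with the rule that decided it; the ordering of checks in `authorize` mirrors the page, with netadmin membership evaluated before any per-command rule because that group is permitted all operations.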