The SR Linux is able to secure access to the device for users connecting via SSH or the console port, as well as for applications and FTP access. Authentication can be performed for users configured within the underlying Linux OS, and for administrative users configured within the SR Linux itself.
Depending on the user type, users are authenticated locally on the device or through interaction with the SR Linux aaa_mgr application and an authentication server group (for example, TACACS+).
The SR Linux supports three user types: local Linux users, SR Linux users, and remote users. Each user type is authenticated differently, as described in the following sections.
Local Linux users are those configured in the underlying Linux OS, not in the SR Linux CLI. Information about local Linux users is stored in /etc/passwd in the underlying Linux OS.
By default, the SR Linux has a single local Linux user (username linuxadmin, password linuxadmin) who has access to sudo to root and can run the SR Linux CLI with admin permissions. Other local Linux users can be added with the useradd command in the underlying Linux OS.
Local Linux users are authenticated via the underlying Linux OS, not through the SR Linux aaa_mgr application. This means that local Linux users are not subject to authentication settings configured within the SR Linux CLI, such as authentication by a TACACS+ server group.
SR Linux users are users configured within the SR Linux itself. In Release R19.11R1, SR Linux supports a single SR Linux user, named admin; no other SR Linux users can be added.SR Linux users are authenticated via a gRPC interface to the aaa_mgr application, which can be configured on the SR Linux to authenticate the admin user, using one or more authentication methods, including a local password and a TACACS+ server group. See Configuring authentication for the SR Linux admin user for an example configuration.
Remote users are users that are not configured either in /etc/passwd or within the SR Linux configuration. Remote users are configured on a remote server, which is queried when the user attempts to log in to the SR Linux device.
The SR Linux performs authentication, authorization, and accounting (AAA) functions for each user type, as described in the following sections.
For local Linux users, the SR Linux authenticates via the authentication mechanism built into the underlying Linux OS.
For the SR Linux admin user, the SR Linux uses its gRPC interface to the aaa_mgr application for authentication. Authentication settings that apply to the SR Linux admin user, including a local password and TACACS+ server group, can be configured using the SR Linux CLI.
For remote users, authentication is performed using the aaa_mgr application.
The SR Linux validates each command executed by a user connected to the device. Authenticated users of all types are considered to be priv-lvl=15, with full admin permissions.
The SR Linux supports command accounting. Accounting records generated by the SR Linux include the entire CLI string that a user enters on the command line, including any pipes or output redirects specified in the command.
The following is an example of accounting records generated by the SR Linux device:
You can configure the SR Linux device to send accounting records to a destination specified in an accounting-method list, such as a TACACS+ server group or the local system.
For each user type, the SR Linux device generates accounting records as follows:
See Configuring accounting for an example configuration.
The SR Linux supports the following server group types for AAA functions:
Users whose AAA functions are handled by the aaa_mgr application (that is, the SR Linux admin user) can use one of these server groups for authentication and accounting.
The TACACS+ server group can have up to five servers. When authenticating a user or writing an accounting record, the SR Linux tries each server in the group in a round-robin fashion until a response is received. If no response is received within a specified timeout period, the SR Linux tries the next server in the group.
If no response is received from any of the servers in the group, the SR Linux moves to the next specified authentication or accounting method. If no other method is specified, or the TACACS+ server group is the last method in the list, then the authentication or accounting request is rejected.
Example:
The following example shows settings for a TACACS+ and a local server group to be used for AAA functions. TACACS+ requests are sourced from the mgmt network-instance.
The TACACS+ server group consists of three TACACS+ servers. The timeout period specifies that the SR Linux wait 30 seconds for a response from a server before trying the next server in the group.
For the server group of type local, no external servers can be specified. The local server group uses /etc/passwd and /etc/group for authentication, and syslog for accounting. The timeout period specifies that the SR Linux wait a maximum of 60 seconds for an AAA function to complete.
To authenticate the SR Linux admin user, you can specify one or more authentication methods, including local authentication or a TACACS+ server group.
Example:
The following example configures a local password for the SR Linux admin user and specifies authentication methods for the user. When the SR Linux admin user attempts to log in, the user is authenticated using local authentication first.
If authentication with the local password fails, the SR Linux tries the servers in TACACS+ server group tacacs-all. If the user cannot be authenticated through either method, the authentication attempt is rejected.
When accounting is enabled, the SR Linux device generates command accounting records as described in Accounting.
Example:
The following example configures accounting records to be sent to the tacacs-all server group. The SR Linux generates an accounting record when a command is started and when it is stopped.
To display information about users currently logged in to the SR Linux device, use the show system aaa authentication session command.
Example:
To disconnect a user currently logged in to the SR Linux device, use the tools system aaa authentication session clear command and specify the session ID of the user. To list the session IDs of active users, enter the show system aaa authentication session command.
Example:
You can configure the idle-timeout for user sessions, which disconnects a user session after a specified period of inactivity. By default, user sessions are disconnected after 15 minutes of inactivity.
The idle-timeout setting applies to SR Linux users and remote users. It does not apply to local Linux users or to JSON-RPC or gNMI client sessions.
After a user session has been inactive for one-half of the idle-timeout period, a notification is displayed indicating that the user will be logged out if the session remains idle for the remainder of the idle-timeout period.
Example:
The following example configures the idle-timeout so that SR Linux user sessions and remote user sessions are disconnected after 20 minutes of inactivity: