Security - AAA for RESTCONF
Enabling RESTCONF on a Cisco router requires the aaa new-model
command because RESTCONF uses HTTP-based methods that need AAA (Authentication, Authorization, and Accounting) services. This command essentially enables these services.
To configure AAA for HTTP Authentication and Authorization in Cisco IOS / IOS XE for RESTCONF, you need to perform the following steps:
- Enable the AAA new model.
- Create a local user database.
- Configure AAA authentication for the HTTP server.
- Configure the HTTP server for secure access.
Here is the step-by-step configuration:
-
Enable AAA new model:
aaa new-model -
Create a local user:
username admin privilege 15 password 0 admin_password -
Configure AAA authentication and authorization for HTTP:
aaa authentication login default local aaa authorization exec default local -
Enable the HTTP server and configure it to use secure access:
ip http secure-server ip http authentication local -
Enable RESTCONF (assuming RESTCONF is supported on the device):
restconf
The complete configuration would look like this:
! Enable AAA new model aaa new-model ! Create a local user username admin privilege 15 password 0 admin_password ! Configure AAA authentication and authorization aaa authentication login default local aaa authorization exec default local ! Enable secure HTTP server ip http secure-server ip http authentication local ! Enable RESTCONF restconf
Explanation:
aaa new-model
: Enables the AAA access control model.username admin privilege 15 password 0 admin_password
: Creates a local user with privilege level 15 (highest privilege).aaa authentication login default local
: Configures AAA to use the local user database for login authentication.aaa authorization exec default local
: Configures AAA to authorize exec sessions using the local user database.ip http secure-server
: Enables the secure HTTP server (HTTPS).ip http authentication local
: Configures the HTTP server to use local authentication.restconf
: Enables RESTCONF on the device.
This configuration ensures that RESTCONF uses the local user database for authentication and authorization.
Links:
https://forum.networklessons.com/t/restconf-http-server-configuration-with-aaa/48740/2?u=lagapidis
https://networklessons.com/cisco/evolving-technologies/device-programmability#RESTCONF