Security - AAA for RESTCONF

Enabling RESTCONF on a Cisco router requires the aaa new-model command because RESTCONF uses HTTP-based methods that need AAA (Authentication, Authorization, and Accounting) services. This command essentially enables these services.

To configure AAA for HTTP Authentication and Authorization in Cisco IOS / IOS XE for RESTCONF, you need to perform the following steps:

  1. Enable the AAA new model.
  2. Create a local user database.
  3. Configure AAA authentication for the HTTP server.
  4. Configure the HTTP server for secure access.

Here is the step-by-step configuration:

  1. Enable AAA new model:

    aaa new-model

  2. Create a local user:

    username admin privilege 15 password 0 admin_password

  3. Configure AAA authentication and authorization for HTTP:

    aaa authentication login default local
    aaa authorization exec default local

  4. Enable the HTTP server and configure it to use secure access:

    ip http secure-server
    ip http authentication local

  5. Enable RESTCONF (assuming RESTCONF is supported on the device):

    restconf

The complete configuration would look like this:

    ! Enable AAA new model
    aaa new-model
    ! Create a local user
    username admin privilege 15 password 0 admin_password
    ! Configure AAA authentication and authorization
    aaa authentication login default local
    aaa authorization exec default local
    ! Enable secure HTTP server
    ip http secure-server
    ip http authentication local
    ! Enable RESTCONF
    restconf

Explanation:

  • aaa new-model: Enables the AAA access control model.
  • username admin privilege 15 password 0 admin_password: Creates a local user with privilege level 15 (highest privilege). The 0 means the password that follows is entered in cleartext.
  • aaa authentication login default local: Configures AAA to use the local user database for login authentication.
  • aaa authorization exec default local: Configures AAA to authorize exec sessions using the local user database.
  • ip http secure-server: Enables the secure HTTP server (HTTPS).
  • ip http authentication local: Configures the HTTP server to use local authentication.
  • restconf: Enables RESTCONF on the device.

This configuration ensures that RESTCONF uses the local user database for authentication and authorization.
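
A way to check a saved configuration against the commands listed above, as an added example that is not part of the original notes or any Cisco tooling. The function name, the warning texts and the sample input are assumptions made for illustration; the check also flags the cleartext `password 0` form used in the user line.

```python
import re

# The commands this page lists for RESTCONF with local AAA.
REQUIRED = [
    "aaa new-model",
    "aaa authentication login default local",
    "aaa authorization exec default local",
    "ip http secure-server",
    "ip http authentication local",
    "restconf",
]
USER_RE = re.compile(
    r"^username (?P<name>\S+)(?: privilege (?P<priv>\d+))?"
    r" (?P<kind>password|secret)(?: (?P<type>\d+))? \S+"
)

def audit_restconf_aaa(config_text):
    """Return (missing_commands, warnings) for an IOS / IOS XE config (hypothetical helper)."""
    # Collapse whitespace, drop blank lines and '!' comment lines.
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    # Exact-line match, so a negated "no ip http secure-server" does not count.
    missing = [cmd for cmd in REQUIRED if cmd not in lines]
    warnings, has_priv15 = [], False
    for line in lines:
        m = USER_RE.match(line)
        if not m:
            continue
        has_priv15 = has_priv15 or m["priv"] == "15"
        # "password" with type 0 (or no type) leaves the cleartext in the config.
        if m["kind"] == "password" and m["type"] in (None, "0"):
            warnings.append(f"user {m['name']}: password stored in cleartext")
    if not has_priv15:
        warnings.append("no local user with privilege 15")
    return missing, warnings

# Constructed sample: the complete configuration from this page.
PAGE_CONFIG = """
! Enable AAA new model
aaa new-model
username admin privilege 15 password 0 admin_password
aaa authentication login default local
aaa authorization exec default local
ip http secure-server
ip http authentication local
restconf
"""

if __name__ == "__main__":
    print(audit_restconf_aaa(PAGE_CONFIG))
```

Run against the page's configuration, the audit reports no missing commands and one warning for the `admin` user; defining the user with the `secret` keyword instead of `password 0` clears that warning.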

Links:

https://forum.networklessons.com/t/restconf-http-server-configuration-with-aaa/48740/2?u=lagapidis

https://networklessons.com/cisco/evolving-technologies/device-programmability#RESTCONF