15.2 Managing AAA Servers
The system uses the following functionalities to manage AAA servers:
15.2.1 Adding AAA Servers
Step 1 Navigate to the Access Control Page.
Step 2 Click the Authentication source drop-down menu and select either RADIUS or TACACS.
The Access Control page lists all current servers. See Figure 15-3.
Step 3 Click + New Server at the upper right corner of the Servers section. See Figure 15-4.
Figure 15-4: + New Server in Access Control Page
The system pops-up the New Server window. See Figure 15-5.
Figure 15-5: New Server Pop-Up Window
Step 4 Provide the required Information in corresponding fields.
Step 5 If required, click Test for testing the new configuration. Else, skip to step 8.
Step 6 Enter your credentials when the Test Server pop-up prompts for it. See Figure 15-6.
Figure 15-6: Test Server Pop-Up Window
Step 7 Click Run Test.
The system displays test results. If required, modify the configuration based on the test result.
Step 8 Click Save.
The server is added to the list of servers in the AAA grid.
Related topics:
15.2.2 Modifying AAA Servers
Step 1 Navigate to the Access Control Page.
Step 2 Select desired modes from Authentication source and Authorization source drop-down menus.
The system lists all registered servers of the selected AAA server type. See Figure 15-3.
Step 3 Click the edit icon available next to IP address of the corresponding server.
The system pops-up the Edit Server window. See Figure 15-7.
Figure 15-7: Edit Server Pop-Up Window
Step 4 Modify the required information.
Step 5 If required, click Test to verify latest changes.
Step 6 Click Save.
Note To apply external authentication, there should be at least one enabled server listed in the page. Adding Vendor Specific Codes to AAA Servers
You can add vendor specific codes to AAA servers for the following:
Arista Vendor Specific Code: add it to the RADIUS dictionary.
VENDOR Arista 30065
ATTRIBUTE Arista-AVPair 1 string
To specify role for a user
"bob"     Cleartext-Password := "Pa$sW04d"
                Arista-AVPair = "shell:cvp-roles=network-admin",
                Service-Type = NAS-Prompt-User
For TACACS+ there is no vendor specific code, just different strings.
Note CloudVision support for TACACS+ servers can be affected with the setting of the “service” parameter. Some TACACS servers may require "service = shell" instead of "service = exec" in the TACACS+ configuration (tacacs.conf).
This example configures user “bob” in the admin group and specifies certain attributes. It specifies a "cvp-roles" attribute for the CloudVision role name (it can also be a list of roles).
A. tacacs.conf
group = admingroup {
   default service = deny
   service = exec {
      default attribute = permit
      priv-lvl = 15
      cvp-roles = network-admin
enable = nopassword
user = bob {
   login = cleartext "secret"
member = admingroup
B. CVP AAA settings
C. Switch AAA configlet
To ensure that authentication and authorization work properly, complete the following procedures.
Creating Identity Groups and Users
Step 1 Select Users and Identity Stores, and then select Identity Groups.
Step 2 Make sure a group named <user-group> exists. If this group does not exist, add it.
Step 3 Add new users under the group named <user-group>.
Creating a Shell Profile using ACS
Step 1 Go to the Policy Elements page.
Step 2 Select Device Administration > Shell Profiles.
Step 3 Click the Create button to create a new shell profile.
Step 4 Select the Custom Attributes tab, and then add a new mandatory attribute named “cvp-roles”.
Step 5 Specify one or more of the following values to the new “cvp-roles” attribute:
Note If you have created custom role(s) under CVP Account Management, you can use them.
Step 6 Check to make sure that under the “Common Tasks Attributes” table, “Assigned Privilege Level” and “Max Privilege Level” are added by default with and the specified value is 15. Also, verify that requirement is set “Mandatory.”
Creating and Modifying Access Policy
Step 1 Go to the Access Policies section and select the Default Device Admin policy.
Step 2 Make sure that “Allow PAP/ASCII” option in the Authorization section is enabled (selected).
Step 3 In the Authorization section, create a new rule named “Rule-1”.
Step 4 Make sure that the status of the new rule (“Rule-1”) is Enabled, and set the identity group as “<user-group>”.
Step 5 Select the shell profile that outlines the cvp-roles for all users under the group named <user-group>.
Note Alternatively, you can set add shell profile in the “default rule” section.
Step 6 Make sure that “Service Selection Rules” (under the “Access Policies” section), is using the policy named “Default Device Admin”. The policy should be listed in the “Results” column of “Service Selection Policy” table, and the “status” column should be green, indicating that the policy is enabled.
The shell profile should be automatically applied to all users under the ground named <user-group>. Supported TACACS Types
CloudVision Portal (CVP) supports different types of TACACS. Table 15-2 lists the supported types of TACACS, including the following information for each TACACS type:
Supported version
Service shell (whether it is supported for each type)
Service exec (only the following attributes are supported):
Table 15-2  Supported TACACS Types 
Supported Version
Service Shell
Service Exec
tac_plus (Shruberry)
Not Applicable
tac_plus (Probono)
Not Applicable
Related topics:
15.2.3 Removing AAA Servers
Complete these steps to remove AAA servers:
Step 1 Navigate to the Access Control page.
Step 2 Select required options from Authentication source and Authorization source drop-down menus.
The systems lists all current servers.
Step 3 Select required servers for removal.
Step 4 Click Remove Server(s) at the upper right corner of the Servers section. See Figure 15-8.
The system prompts to confirm deletion.
Figure 15-8: Remove AAA Servers
Step 5 Click Delete.
The system deletes selected AAA servers.
Related Topics: