
Server Group


A ServerGroup defines a list of AAA (authentication, authorization, and accounting) servers used for remote authentication and accounting and includes settings for RADIUS and TACACS+ servers. Each ServerGroup is limited to servers of a single type: either RADIUS or TACACS+.

Server type

The type field determines the protocol used by all servers in the group (RADIUS or TACACS). Type-specific options are configured under radius (e.g. authentication port, accounting port, retransmit attempts) or tacacs (e.g. port, privilege-level authorization).

The routerKind field specifies which router is used to reach the AAA servers (DefaultRouter or ManagementRouter). The node waits for a response from an AAA server according to timeoutSeconds before retrying or continuing to the next server in the group.

Deployment

Each node can use multiple methods for the authentication of users. Some common scenarios are:

  • Attempt to authenticate using a local user first. If no local user is found, try authentication using RADIUS
  • Local authentication is used only when the TACACS+ authentication servers are unresponsive

A ServerGroup is deployed onto the nodes where it is used for authentication. Those nodes are determined by AuthenticationPolicy resources via their nodeSelectors or nodes property: any AuthenticationPolicy that lists the ServerGroup by name in authenticationOrder.serverGroupOrder ensures the ServerGroup is configured on the nodes that policy selects.

The ServerGroup also specifies which NodeGroup resources must be deployed on the same set of nodes, using nodeGroupSelectors or nodeGroups (an explicit list of NodeGroup names).

flowchart LR
    AuthenticationPolicy -->|Selects| ServerGroup
    AuthenticationPolicy -->|Selects| TopoNodes
    ServerGroup -->|Selects| NodeGroup
    NodeGroup -->|Deployed on| TopoNodes

Referenced resources

NodeGroup

Part of the authentication process is assigning a role to a user. This role determines which services the user can use (SSH, gNMI, ...) and which resources the user can read / modify. These authorization rules are determined by a NodeGroup.

The ServerGroup allows the selection of NodeGroup resources through the nodeGroups or nodeGroupSelectors property, to ensure that those authorization rules are present on the node even if they are not used by a locally configured NodeUser.

Examples

apiVersion: aaa.eda.nokia.com/v1
kind: ServerGroup
metadata:
  name: my-radius-servers
  namespace: eda
spec:
  aaaServers:
    - address: 214.1.1.2
      secret: testing123
  nodeGroups:
    - cli-access
    - sudo
  radius:
    accountingPort: 1813
    authenticationPort: 1812
  routerKind: ManagementRouter
  type: RADIUS
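An added lint script (example code, not part of EDA or its tooling) that checks a ServerGroup manifest against the constraints described on this page: one server type per group, type-specific options under the matching radius or tacacs key, a valid routerKind, and an address and secret for every server. The manifests are constructed inline as Python dicts so no YAML parser is needed; flagging options for the other protocol is an assumed check, not a rule the CRD is documented to enforce.

```python
# Added lint for ServerGroup manifests (not EDA's own tooling). Rules come
# from the page; flagging options for the other protocol is an assumption.
VALID_TYPES = {"RADIUS": "radius", "TACACS": "tacacs"}
VALID_ROUTERS = {"DefaultRouter", "ManagementRouter"}

def lint_server_group(manifest: dict) -> list:
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    if (manifest.get("apiVersion"), manifest.get("kind")) != ("aaa.eda.nokia.com/v1", "ServerGroup"):
        findings.append("not an aaa.eda.nokia.com/v1 ServerGroup")
    spec = manifest.get("spec") or {}
    sg_type = spec.get("type")
    if sg_type not in VALID_TYPES:
        findings.append(f"type must be RADIUS or TACACS, got {sg_type!r}")
    else:
        # A group holds servers of one type, so options for the other protocol are a mistake.
        for key in VALID_TYPES.values():
            if key != VALID_TYPES[sg_type] and key in spec:
                findings.append(f"{key} options present but type is {sg_type}")
    servers = spec.get("aaaServers") or []
    if not servers:
        findings.append("aaaServers is empty")
    for i, server in enumerate(servers):
        for field in ("address", "secret"):
            if not server.get(field):
                findings.append(f"aaaServers[{i}] is missing {field}")
    if spec.get("routerKind") not in VALID_ROUTERS:
        findings.append("routerKind must be DefaultRouter or ManagementRouter")
    timeout = spec.get("timeoutSeconds")
    if timeout is not None and (type(timeout) is not int or timeout <= 0):
        findings.append("timeoutSeconds must be a positive integer")
    return findings

# Constructed manifests in dict form: the page's YAML example, plus a
# deliberately broken one (TACACS type with radius options, missing secret).
RADIUS_GROUP = {
    "apiVersion": "aaa.eda.nokia.com/v1", "kind": "ServerGroup",
    "metadata": {"name": "my-radius-servers", "namespace": "eda"},
    "spec": {"aaaServers": [{"address": "214.1.1.2", "secret": "testing123"}],
             "nodeGroups": ["cli-access", "sudo"],
             "radius": {"accountingPort": 1813, "authenticationPort": 1812},
             "routerKind": "ManagementRouter", "type": "RADIUS"},
}
MIXED_GROUP = {
    "apiVersion": "aaa.eda.nokia.com/v1", "kind": "ServerGroup",
    "metadata": {"name": "bad-group", "namespace": "eda"},
    "spec": {"aaaServers": [{"address": "214.1.1.3"}],
             "radius": {"authenticationPort": 1812},
             "routerKind": "Internet", "timeoutSeconds": 0, "type": "TACACS"},
}
```

Running `lint_server_group(RADIUS_GROUP)` returns an empty list, while the mixed manifest yields four findings.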

Custom Resource Definition

To browse the Custom Resource Definition go to crd.eda.dev.

ServerGroup

aaa.eda.nokia.com / v1

SPEC

The ServerGroup defines a list of AAA servers to be used for authentication, authorization, and accounting. It includes settings for both Radius and Tacacs servers, although each ServerGroup is limited to servers of a single type. The ServerGroup is deployed onto nodes using the label selector.


STATUS

ServerGroupStatus defines the observed state of ServerGroup.
