Adding AAA TACACS Support by weneghawi · Pull Request #176 · ironcore-dev/network-operator

weneghawi · 2026-02-04T16:43:46Z

Summary

Restructured the core AAA API to align with the OpenConfig system/aaa YANG model, making it vendor-agnostic and suitable for multi-vendor support (Nokia, Juniper, Arista, etc.). All Cisco NX-OS specific configuration has been moved to a dedicated AAAConfig provider CRD. RADIUS server group support has been added alongside the existing TACACS+ implementation.

Core API Changes (`api/core/v1alpha1/aaa_types.go`)

Server Groups: Replaced flat TACACSServers + TACACSGroup with ServerGroups []AAAServerGroup — protocol-agnostic containers with nested servers, following OpenConfig /system/aaa/server-groups/server-group. Supports both TACACS and RADIUS group types.
RADIUS Support: Added AAAServerRADIUS struct with authPort (default 1812), acctPort (default 1813), and keySecretRef
Method Lists: Flattened Authentication, Authorization, and Accounting to simple method lists (removed NX-OS specific nesting like Login.Default/Console and ConfigCommands)
Field Renames: VRF -> VrfName, SourceInterface -> SourceInterfaceName (leaves room for future object references)
Removed Cisco-specific fields: KeyEncryption, LoginErrorEnable moved to Cisco AAAConfig CRD
Added XValidation rules:
- At least one of serverGroups, authentication, authorization, or accounting must be set
- Servers in a TACACS group must have tacacs config
- Servers in a RADIUS group must have radius config
- groupName is required when method type is Group
- deviceRef is immutable

Cisco AAAConfig CRD (`api/cisco/nx/v1alpha1/aaaconfig_types.go`)

Added ConsoleAuthentication *NXOSMethodList — NX-OS: aaa authentication login console
Added ConfigCommandsAuthorization *NXOSMethodList — NX-OS: aaa authorization config-commands default
Added RADIUSKeyEncryption type (Type6/Type7/Clear) with radiusKeyEncryption field (default Type7)
Retains KeyEncryption (Type6/Type7/Clear) and LoginErrorEnable

Controller (`internal/controller/core/aaa_controller.go`)

Updated secret loading to iterate nested ServerGroups[].Servers[].TACACS.KeySecretRef and ServerGroups[].Servers[].RADIUS.KeySecretRef
Updated secretToAAA watch mapping to trigger reconciliation on changes to both TACACS and RADIUS key secrets

NX-OS Provider (`internal/provider/cisco/nxos/`)

aaa.go: Added RadiusProvider, RadiusProviderGroup, RadiusProviderRef NX-OS DME structs. Added MapRADIUSKeyEncryption helper. Added groupTypeByName and MapRealmFromGroup to correctly resolve realm as "radius" or "tacacs" based on the referenced server group type. Removed read-only Name and Realm fields from AAADefaultAuthor (NX-OS rejects writes to these). Added MapNXOSRealm, MapNXOSLocal, MapNXOSFallback helpers. Note: RADIUS on NX-OS requires no feature flag (unlike TACACS+ which requires feature tacacs+).
provider.go: Rewrote EnsureAAA to iterate ServerGroups with a switch on group type covering both TACACS and RADIUS. Rewrote DeleteAAA with batched resets and RADIUS group/server cleanup. Changed from Patch to Update (netconf replace).

Sample YAML (`config/samples/networking_v1alpha1_aaa.yaml`)

Updated to demonstrate the new structure with serverGroups, nested servers, flat method lists, and separate Cisco AAAConfig with console/config-commands authorization.

Test Plan

go build ./... — compiles cleanly
go test ./api/... ./internal/provider/... ./internal/clientutil/... — all pass
make run-golangci-lint — 0 issues
make generate — CRDs and deepcopy regenerated
Verified full AAA lifecycle on NX-OS switch via gNMI (gnmic):
- Enable TACACS+ feature, create servers + server group with VRF, source interface, server refs
- Set default authentication, console authentication, config-commands authorization, accounting
- Read back and verify all TACACS+ configuration
- Reset all auth/authz/acct to local, delete group and servers, disable feature, verify clean state
- Create RADIUS server + server group, set default auth realm to radius
- Read back and verify all RADIUS configuration (confirmed: no feature flag needed on NX-OS)
- Delete RADIUS group and server, verify clean state

felix-kaestner

@weneghawi Please have a look at the openconfig-system:system/aaa yang model. Only configurations that are part of this or are otherwise commonly found on all vendors (Nokia, Juniper, Arista & Co.) should be part of the core api. All Cisco NX-OS specific configuration should be refactored into a vendor specific provider config, see e.g. the ManagementAccess resource on how this is done. There is a separate api package for cisco specific CRDs.

weneghawi · 2026-02-17T23:30:17Z

@weneghawi Please have a look at the openconfig-system:system/aaa yang model. Only configurations that are part of this or are otherwise commonly found on all vendors (Nokia, Juniper, Arista & Co.) should be part of the core api. All Cisco NX-OS specific configuration should be refactored into a vendor specific provider config, see e.g. the ManagementAccess resource on how this is done. There is a separate api package for cisco specific CRDs.

Done. The core API (api/core/v1alpha1/aaa_types.go) has been completely restructured to follow the OpenConfig system/aaa YANG model:

ServerGroups with nested Servers maps to /system/aaa/server-groups/server-group
AAAServerGroupType (TACACS/RADIUS) maps to server-group/config/type
Flat Authentication, Authorization, Accounting method lists map to /system/aaa/authentication, /authorization, /accounting

All Cisco NX-OS specific config has been moved to the AAAConfig CRD in api/cisco/nx/v1alpha1/, including: KeyEncryption, LoginErrorEnable, ConsoleAuthentication, and ConfigCommandsAuthorization.

Enable or disable the DHCP feature based on AdminState. When enabled, configure DHCP relay on each referenced interface with the specified server addresses. The provider uses the VRF context from VrfRef (or the NXOS default "!unspecified" if no VRF is specified) when configuring server addresses. The implementation uses the Update operation to ensure stale DHCP relay entries are removed when the configuration changes. This also affects entries referencing interfaces not managed by the operator. The entire tree is removed on deletion, affecting non-managed interfaces., It leaves the DHCP feature in its current state. GetDHCPRelayStatus queries the device for all interfaces with DHCP relay configured and returns their names.

weneghawi · 2026-04-06T14:49:20Z

AAA TACACS/RADIUS gNMI Testing

Note: AAA default authentication (defaultauth-items), full end-to-end authentication flows, and controller reconciliation were tested previously on a local VM setup. The tests below cover the remaining gNMI paths validated directly on a QA device.

Device: 10.114.235.140 — Cisco Nexus 9332D-GX2B, NX-OS 10.6(2)
Access: SSH tunnel via netsec-admincluster-int.wdf.sap.corp, gNMI on localhost:9339

Baseline Read

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  get --path 'System/fm-items/tacacsplus-items' \
      --path 'System/userext-items/authrealm-items/defaultauth-items' \
      --path 'System/userext-items/authrealm-items/consoleauth-items' \
      --path 'System/userext-items/tacacsext-items'

Result: TACACS disabled, all auth realm: local.

TACACS

Enable feature

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/fm-items/tacacsplus-items/adminSt' \
      --update-value '"enabled"'

Add server

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/userext-items/tacacsext-items/tacacsplusprovider-items/TacacsPlusProvider-list[name=192.0.2.1]' \
      --update-value '{"name":"192.0.2.1","port":49,"keyEnc":"7","key":"testkey","timeout":5}'

Create server group

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/userext-items/tacacsext-items/tacacsplusprovidergroup-items/TacacsPlusProviderGroup-list[name=test-group]' \
      --update-value '{"name":"test-group","providerref-items":{"ProviderRef-list":[{"name":"192.0.2.1"}]}}'

Cleanup

# Clear providerGroup reference first (required before group delete)
gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/userext-items/authrealm-items/defaultauth-items' \
      --update-value '{"realm":"local","providerGroup":"","fallback":"yes","local":"yes"}'

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --delete 'System/userext-items/tacacsext-items/tacacsplusprovidergroup-items/TacacsPlusProviderGroup-list[name=test-group]' \
      --delete 'System/userext-items/tacacsext-items/tacacsplusprovider-items/TacacsPlusProvider-list[name=192.0.2.1]'

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/fm-items/tacacsplus-items/adminSt' \
      --update-value '"disabled"'

All operations: ✅

RADIUS

Add server

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/userext-items/radiusext-items/radiusprovider-items/RadiusProvider-list[name=192.0.2.2]' \
      --update-value '{"name":"192.0.2.2","authPort":1812,"acctPort":1813,"keyEnc":"7","key":"testkey","timeout":5}'

Create server group

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/userext-items/radiusext-items/radiusprovidergroup-items/RadiusProviderGroup-list[name=test-radius-group]' \
      --update-value '{"name":"test-radius-group","providerref-items":{"ProviderRef-list":[{"name":"192.0.2.2"}]}}'

Cleanup

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --delete 'System/userext-items/radiusext-items/radiusprovidergroup-items/RadiusProviderGroup-list[name=test-radius-group]' \
      --delete 'System/userext-items/radiusext-items/radiusprovider-items/RadiusProvider-list[name=192.0.2.2]'

All operations: ✅

AAA Authorization

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/userext-items/authrealm-items/defaultauthor-items/DefaultAuthor-list[cmdType=config]' \
      --update-value '{"cmdType":"config","localRbac":true}'

Result: ✅ — NX-OS correctly populates read-only name and realm fields server-side; confirmed these must not be sent in write requests.

AAA Accounting

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/userext-items/authrealm-items/defaultacc-items' \
      --update-value '{"realm":"local","localRbac":true}'

Result: ✅

AAA Console Auth

gnmic -a localhost:9339 -u mooapi -p '***' --skip-verify \
  set --update-path 'System/userext-items/authrealm-items/consoleauth-items' \
      --update-value '{"realm":"local","fallback":"yes","local":"yes"}'

Result: ✅

Notes

TACACS group delete fails if still referenced by defaultauth-items — must clear providerGroup first.
RADIUS requires no feature flag (unlike TACACS which needs feature tacacs+).
AAADefaultAuthor name and realm fields are read-only on NX-OS — sending them causes a write error.
AAA default auth (defaultauth-items) was intentionally not tested to avoid risk of lockout.

felix-kaestner · 2026-04-15T08:41:56Z

+	Port         int32  `json:"port,omitempty"`
+	Key          string `json:"key,omitempty"`
+	KeyEnc       string `json:"keyEnc,omitempty"`
+	Timeout      int32  `json:"timeout,omitempty"`
+	Retries      int32  `json:"retries,omitempty"`
+	AuthProtocol string `json:"authProtocol,omitempty"`


When using omitempty, please be sure that this value is really not present by default in the YANG payload. Otherwise, this can cause the diff of gnmiext to fail and thus trigger a gnmi call on every reconcilation. So when these fields have a default value, the omitempty should be omitted. Please check the YANG model for this.

…pport

…307)

github-actions · 2026-04-17T12:44:00Z

Merging this branch will decrease overall coverage

Impacted Packages	Coverage Δ	🤖
github.com/ironcore-dev/network-operator/api/cisco/nx/v1alpha1	0.00% (ø)
github.com/ironcore-dev/network-operator/api/core/v1alpha1	0.00% (ø)
github.com/ironcore-dev/network-operator/cmd	0.00% (ø)
github.com/ironcore-dev/network-operator/hack/provider	0.00% (ø)
github.com/ironcore-dev/network-operator/internal/controller/core	61.62% (-1.82%)	👎
github.com/ironcore-dev/network-operator/internal/deviceutil	59.62% (ø)
github.com/ironcore-dev/network-operator/internal/provider	52.00% (ø)
github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos	9.94% (-0.23%)	👎
github.com/ironcore-dev/network-operator/test/e2e	0.00% (ø)
github.com/ironcore-dev/network-operator/test/lab	0.00% (ø)

Coverage by file

Changed files (no unit tests)

Changed File	Coverage Δ	Total	Covered	Missed	🤖
github.com/ironcore-dev/network-operator/api/cisco/nx/v1alpha1/aaaconfig_types.go	0.00% (ø)	0	0	0
github.com/ironcore-dev/network-operator/api/cisco/nx/v1alpha1/zz_generated.deepcopy.go	0.00% (ø)	0	0	0
github.com/ironcore-dev/network-operator/api/core/v1alpha1/aaa_types.go	0.00% (ø)	0	0	0
github.com/ironcore-dev/network-operator/api/core/v1alpha1/zz_generated.deepcopy.go	0.00% (ø)	0	0	0
github.com/ironcore-dev/network-operator/cmd/main.go	0.00% (ø)	0	0	0
github.com/ironcore-dev/network-operator/hack/provider/main.go	0.00% (ø)	0	0	0
github.com/ironcore-dev/network-operator/internal/controller/core/aaa_controller.go	0.00% (ø)	139 (+139)	0	139 (+139)
github.com/ironcore-dev/network-operator/internal/deviceutil/deviceutil.go	59.62% (ø)	52	31	21
github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/aaa.go	12.73% (+12.73%)	55 (+55)	7 (+7)	48 (+48)	🎉
github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/ascii.go	100.00% (ø)	7	7	0
github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/provider.go	0.06% (-0.00%)	1709 (+70)	1	1708 (+70)	👎
github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/user.go	40.00% (ø)	40	16	24
github.com/ironcore-dev/network-operator/internal/provider/provider.go	52.00% (ø)	25	13	12
github.com/ironcore-dev/network-operator/test/e2e/util.go	0.00% (ø)	0	0	0

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

Changed unit test files

github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/aaa_test.go
github.com/ironcore-dev/network-operator/test/lab/main_test.go

weneghawi requested a review from a team as a code owner February 4, 2026 16:43

weneghawi requested review from felix-kaestner and swagner-de February 4, 2026 16:43

hardikdr added the area/metal-automation Automation processes within the Metal project. label Feb 5, 2026

hardikdr added this to Roadmap Feb 5, 2026

felix-kaestner requested changes Feb 6, 2026

View reviewed changes

weneghawi force-pushed the feature/aaa-tacacs-support branch from 14c783c to c4937c1 Compare February 17, 2026 23:35

weneghawi requested a review from felix-kaestner February 17, 2026 23:36

weneghawi force-pushed the feature/aaa-tacacs-support branch 3 times, most recently from ce3748b to 9b58290 Compare February 18, 2026 15:53

felix-kaestner requested changes Mar 16, 2026

View reviewed changes

hardikdr added area/switch-automation Automation processes for network switch management and operations. and removed area/metal-automation Automation processes within the Metal project. labels Mar 23, 2026

weneghawi force-pushed the feature/aaa-tacacs-support branch from 98588a4 to b202cf6 Compare March 26, 2026 11:09

weneghawi requested a review from felix-kaestner March 27, 2026 13:39

weneghawi force-pushed the feature/aaa-tacacs-support branch from 5c5f3d9 to 3fb343d Compare March 27, 2026 13:40

weneghawi and others added 8 commits April 6, 2026 10:31

Adding AAA TACACS Support

40486d8

Fix golangci-lint issues

68cc159

Restructure AAA API to OpenConfig system/aaa model

9937120

[NX-OS] Add RADIUS support to AAA

e7a6a97

Fix unused nolint:gosec directives

6390402

fix: address felix review comments on AAA

c2ac463

fix: address felix review comments

07b48ab

fix: remove embedded Duration field from selector

f8e6673

weneghawi force-pushed the feature/aaa-tacacs-support branch from f177bb2 to cc8c8bd Compare April 6, 2026 14:32

weneghawi force-pushed the feature/aaa-tacacs-support branch from cc8c8bd to 9e64d28 Compare April 6, 2026 14:38

felix-kaestner requested changes Apr 9, 2026

View reviewed changes

weneghawi force-pushed the feature/aaa-tacacs-support branch from 28c67ae to a0af584 Compare April 9, 2026 14:46

weneghawi and others added 2 commits April 13, 2026 08:32

Merge branch 'main' into feature/aaa-tacacs-support

eef0aef

fix: address AAA PR review comments

9847dac

weneghawi force-pushed the feature/aaa-tacacs-support branch from a0af584 to 9847dac Compare April 13, 2026 13:09

weneghawi requested a review from felix-kaestner April 13, 2026 13:10

Merge branch 'main' into feature/aaa-tacacs-support

74322f1

github-actions bot added the size/XXL label Apr 13, 2026

Merge branch 'main' into feature/aaa-tacacs-support

f191a82

felix-kaestner reviewed Apr 15, 2026

View reviewed changes

weneghawi and others added 7 commits April 15, 2026 10:57

Merge branch 'main' into feature/aaa-tacacs-support

d7bf5f4

Regenerate CRDs, RBAC, and API docs for AAA/TACACS support

c20bb65

Rename NXOSMethodList to AAAMethodList per review feedback

d8ec269

Simplify DeleteAAA: delete container nodes instead of individual entries

cdd93b7

Fix TACACS+/RADIUS struct fields to avoid perpetual reconcile drift

5629c28

Address remaining review comments from felix

daef660

Merge remote-tracking branch 'origin/main' into feature/aaa-tacacs-su…

b76cab4

…pport

weneghawi requested a review from felix-kaestner April 16, 2026 14:43

Fix RBAC drift after main merge

f571ed7

felix-kaestner force-pushed the main branch from 85b7a17 to 0a7c625 Compare April 17, 2026 11:58

elinalin and others added 5 commits April 17, 2026 08:23

Update overview page and architecture runtime flow/sequence diagrams (#…

9be8b07

…307)

Ignore shorthands in mermaid diagrams inside documentation

7aeea49

Merge branch 'main' into feature/aaa-tacacs-support

3a62355

Merge branch 'main' into feature/aaa-tacacs-support

d75d8f4

Merge branch 'main' into feature/aaa-tacacs-support

1f8f646

weneghawi force-pushed the feature/aaa-tacacs-support branch from 2d9df38 to 1f8f646 Compare April 17, 2026 12:24

Conversation

weneghawi commented Feb 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Core API Changes (api/core/v1alpha1/aaa_types.go)

Cisco AAAConfig CRD (api/cisco/nx/v1alpha1/aaaconfig_types.go)

Controller (internal/controller/core/aaa_controller.go)

NX-OS Provider (internal/provider/cisco/nxos/)

Sample YAML (config/samples/networking_v1alpha1_aaa.yaml)

Test Plan

Uh oh!

felix-kaestner left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

weneghawi commented Feb 17, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

weneghawi commented Apr 6, 2026

AAA TACACS/RADIUS gNMI Testing

Baseline Read

TACACS

Enable feature

Add server

Create server group

Cleanup

RADIUS

Add server

Create server group

Cleanup

AAA Authorization

AAA Accounting

AAA Console Auth

Notes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

felix-kaestner Apr 15, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Apr 17, 2026

Merging this branch will decrease overall coverage

Changed files (no unit tests)

Changed unit test files

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

weneghawi commented Feb 4, 2026 •

edited

Loading

Core API Changes (`api/core/v1alpha1/aaa_types.go`)

Cisco AAAConfig CRD (`api/cisco/nx/v1alpha1/aaaconfig_types.go`)

Controller (`internal/controller/core/aaa_controller.go`)

NX-OS Provider (`internal/provider/cisco/nxos/`)

Sample YAML (`config/samples/networking_v1alpha1_aaa.yaml`)