For authenticated compliance scans of Cisco SD-WAN (Viptela) devices, use a Cisco authentication record and provide a user account that belongs to the netadmin user group.
The Viptela software provides three standard user groups and each user group has its own set of privileges:
- basic
- operator
- netadmin
To run a complete compliance scan, the user account you provide for authenticated scanning must be added to the "netadmin" user group. This is the only group with the privileges to execute all of the commands the scan requires.
Create a user account on the target system you want to scan and add it to the "netadmin" user group. In this sample, the user is "john", the target system is 10.11.12.13 and the operating system is Viptela vEdge version 18.4.4.
vsvedge1844(config)# system aaa user john password **** group netadmin
vsvedge1844(config-user-john)# commit
Commit complete.
vsvedge1844(config-user-john)# end
vsvedge1844# show aaa usergroup
GROUP        USERS                                          TASK       PERMISSION
------------------------------------------------------------------------------------
basic        -                                              system     read write
                                                            interface  read write
                                                            routing    read write
                                                            security   read write
netadmin     admin john pc-test-user                        system     read write
                                                            interface  read write
                                                            policy     read write
                                                            routing    read write
                                                            security   read write
operator     viptela-reserved-cloudops viptela-reserved-tac system     read
                                                            interface  read
                                                            policy     read
                                                            routing    read
                                                            security   read
tenantadmin  -
Next, verify that the new account can log in to the device over SSH:
$ ssh john@10.11.12.13
john@10.11.12.13's password:
john connected from 10.10.10.10 using ssh on vsvedge1844
vsvedge1844#
Also check the device's authentication order. In this sample local authentication is tried first, so a locally created account such as john is checked against the local user database before RADIUS or TACACS+:
vsvedge1844# show running-config system aaa auth-order
system
 aaa
  auth-order local radius tacacs
 !
!
vsvedge1844#
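As an added example (not from the original page and not Cisco or scanner tooling), the following Python parses the "show aaa usergroup" table and the auth-order output shown above and reports whether a given account meets the scan prerequisites. The sample outputs, the function names and the checks are constructed for this example; it goes slightly beyond the page by also handling a group whose users wrap onto a continuation row.

```python
import re

# Constructed samples modelled on the 'show aaa usergroup' and auth-order output above (columns re-aligned).
SAMPLE_USERGROUP = """\
GROUP        USERS                          TASK       PERMISSION
----------------------------------------------------------------------
netadmin     admin john pc-test-user        system     read write
                                            interface  read write
                                            policy     read write
                                            routing    read write
                                            security   read write
operator     viptela-reserved-cloudops      system     read
             viptela-reserved-tac           interface  read
tenantadmin  -
"""
SAMPLE_AUTH_ORDER = "system\n aaa\n  auth-order local radius tacacs\n !\n!\n"

def parse_usergroups(text):
    """Parse the fixed-width table into {group: {"users": [...], "tasks": {task: perms}}}."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("---")]
    starts = [lines[0].index(c) for c in ("GROUP", "USERS", "TASK", "PERMISSION")]
    bounds = list(zip(starts, starts[1:] + [None]))
    groups, current = {}, None
    for line in lines[1:]:
        group, users, task, perm = (line[s:e].strip() for s, e in bounds)
        if group:  # continuation rows leave GROUP blank and belong to the last group
            current = group
            groups[current] = {"users": [], "tasks": {}}
        if users and users != "-":
            groups[current]["users"].extend(users.split())
        if task:
            groups[current]["tasks"][task] = set(perm.split())
    return groups

def check_scan_account(usergroup_out, auth_out, user):
    """List the prerequisites the account fails; an empty list means it is scan-ready."""
    groups, problems = parse_usergroups(usergroup_out), []
    netadmin = groups.get("netadmin")
    if netadmin is None:
        problems.append("netadmin group not present")
    elif user not in netadmin["users"]:
        problems.append(f"{user} is not a member of netadmin")
    else:  # every task granted to netadmin must carry both read and write
        short = [t for t, p in netadmin["tasks"].items() if not {"read", "write"} <= p]
        if short:
            problems.append("netadmin lacks read write on: " + ", ".join(short))
    m = re.search(r"auth-order\s+(.+)", auth_out)
    if not m or "local" not in m.group(1).split():
        problems.append("auth-order does not include local")
    return problems
```

Run it against the two show commands collected from each device before scheduling the scan; any non-empty result names the prerequisite to fix.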