Privilege level for Cisco SD-WAN (Viptela)

To run authenticated compliance scans against Cisco SD-WAN (Viptela) devices, use a Cisco authentication record and supply a user account that belongs to the netadmin user group.

Privilege levels

The Viptela software provides three standard user groups and each user group has its own set of privileges:

- basic
- operator
- netadmin

To run a complete compliance scan, the user account you provide for authenticated scanning must be added to the "netadmin" user group. This is the only group whose privileges allow it to execute all of the commands the scan requires.

Create a scan user account on the system to scan

Create a user account on the target system you want to scan, and add the user to the "netadmin" user group. In this sample, the user is "john", the target system is 10.11.12.13, and the operating system is Viptela vEdge version 18.4.4.

vsvedge1844(config)# system aaa user john password **** group netadmin
vsvedge1844(config-user-john)# commit
Commit complete.
vsvedge1844(config-user-john)# end
vsvedge1844# show aaa usergroup
 
GROUP        USERS                                           TASK       PERMISSION
------------------------------------------------------------------------------------
basic        -                                               system     read write
                                                             interface  read write
                                                             routing    read write
                                                             security   read write
netadmin     admin john pc-test-user                         system     read write
                                                             interface  read write
                                                             policy     read write
                                                             routing    read write
                                                             security   read write
operator     viptela-reserved-cloudops viptela-reserved-tac  system     read
                                                             interface  read
                                                             policy     read
                                                             routing    read
                                                             security   read
tenantadmin  -
$ ssh john@10.11.12.13
john@10.11.12.13's password:
john connected from 10.10.10.10 using ssh on vsvedge1844
vsvedge1844#
vsvedge1844# show running-config system aaa auth-order
system
 aaa
  auth-order local radius tacacs
 !
!
vsvedge1844#
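To confirm the result without reading the table by eye, here is an added Python example (not Cisco's or Qualys's code) that parses the "show aaa usergroup" output above, reports whether the scan account is in netadmin, whether it also sits in any other group, and who else shares netadmin. The abridged table is embedded as a constructed sample, and the parser assumes the permission column only ever holds "read" or "read write", as it does in the output shown.

```python
# Added example (not Cisco's or Qualys's code): parse 'show aaa usergroup'
# output and audit which groups a scan account belongs to. It assumes the
# permission column holds "read" or "read write", as in the output on this page.

# Constructed sample, abridged from the device session shown above.
SAMPLE_OUTPUT = """\
GROUP        USERS                                           TASK       PERMISSION
------------------------------------------------------------------------------------
basic        -                                               system     read write
netadmin     admin john pc-test-user                         system     read write
                                                             interface  read write
                                                             policy     read write
operator     viptela-reserved-cloudops viptela-reserved-tac  system     read
                                                             policy     read
tenantadmin  -
"""

def _split_task(tokens):
    # Peel a trailing "TASK PERMISSION" pair off a token list -> (rest, task, perm).
    if len(tokens) >= 3 and tokens[-2:] == ["read", "write"]:
        return tokens[:-3], tokens[-3], "read write"
    if len(tokens) >= 2 and tokens[-1] == "read":
        return tokens[:-2], tokens[-2], "read"
    return tokens, None, None  # no task on this row (e.g. an empty group)

def parse_usergroups(text):
    """Return {group: {"users": [...], "tasks": {task: permission}}}."""
    groups, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("GROUP", "----")):
            continue  # header, separator, blank
        tokens = line.split()
        if not line[0].isspace():  # first row of a group: GROUP USERS... [TASK PERM]
            users, task, perm = _split_task(tokens[1:])
            current = tokens[0]
            groups[current] = {"users": [u for u in users if u != "-"], "tasks": {}}
        else:  # indented continuation row: TASK PERM for the current group
            _, task, perm = _split_task(tokens)
        if current is not None and task:
            groups[current]["tasks"][task] = perm
    return groups

def audit_scan_account(groups, user, required="netadmin"):
    """Is `user` in `required`? Also list extra memberships and who else is in it."""
    member_of = [g for g, info in groups.items() if user in info["users"]]
    return {
        "in_required_group": required in member_of,
        "other_groups": [g for g in member_of if g != required],
        "group_members": groups.get(required, {}).get("users", []),
    }
```

Run it against the real output of "show aaa usergroup" captured from the device; any name in "group_members" besides the scan account is worth reviewing, since every member of netadmin has read-write rights on all tasks.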