Skip to content

AAA

ANTA catalog for interfaces tests

Test functions related to the EOS various AAA settings

VerifyAcctConsoleMethods

Bases: AntaTest

Verifies the AAA accounting console method lists for different accounting types (system, exec, commands, dot1x).

Expected Results
  • success: The test will pass if the provided AAA accounting console method list is matching in the configured accounting types.
  • failure: The test will fail if the provided AAA accounting console method list is NOT matching in the configured accounting types.
Source code in anta/tests/aaa.py 
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
class VerifyAcctConsoleMethods(AntaTest):
    """
    Verifies the AAA accounting console method lists for different accounting types (system, exec, commands, dot1x).

    Expected Results:
        * success: The test will pass if the provided AAA accounting console method list is matching in the configured accounting types.
        * failure: The test will fail if the provided AAA accounting console method list is NOT matching in the configured accounting types.
    """

    name = "VerifyAcctConsoleMethods"
    description = "Verifies the AAA accounting console method lists for different accounting types (system, exec, commands, dot1x)."
    categories = ["aaa"]
    commands = [AntaCommand(command="show aaa methods accounting")]

    class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
        methods: List[AAAAuthMethod]
        """List of AAA accounting console methods. Methods should be in the right order"""
        types: Set[Literal["commands", "exec", "system", "dot1x"]]
        """List of accounting console types to verify"""

    @AntaTest.anta_test
    def test(self) -> None:
        command_output = self.instance_commands[0].json_output
        not_matching = []
        not_configured = []
        for k, v in command_output.items():
            acct_type = k.replace("AcctMethods", "")
            if acct_type not in self.inputs.types:
                # We do not need to verify this accounting type
                continue
            for methods in v.values():
                if "consoleAction" not in methods:
                    not_configured.append(acct_type)
                if methods["consoleMethods"] != self.inputs.methods:
                    not_matching.append(acct_type)
        if not_configured:
            self.result.is_failure(f"AAA console accounting is not configured for {not_configured}")
            return
        if not not_matching:
            self.result.is_success()
        else:
            self.result.is_failure(f"AAA accounting console methods {self.inputs.methods} are not matching for {not_matching}")

Input

Bases: Input

Source code in anta/tests/aaa.py 
265
266
267
268
269
class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
    methods: List[AAAAuthMethod]
    """List of AAA accounting console methods. Methods should be in the right order"""
    types: Set[Literal["commands", "exec", "system", "dot1x"]]
    """List of accounting console types to verify"""

methods instance-attribute 

methods: List[AAAAuthMethod]

List of AAA accounting console methods. Methods should be in the right order

types instance-attribute 

types: Set[Literal['commands', 'exec', 'system', 'dot1x']]

List of accounting console types to verify

VerifyAcctDefaultMethods

Bases: AntaTest

Verifies the AAA accounting default method lists for different accounting types (system, exec, commands, dot1x).

Expected Results
  • success: The test will pass if the provided AAA accounting default method list is matching in the configured accounting types.
  • failure: The test will fail if the provided AAA accounting default method list is NOT matching in the configured accounting types.
Source code in anta/tests/aaa.py 
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
class VerifyAcctDefaultMethods(AntaTest):
    """
    Verifies the AAA accounting default method lists for different accounting types (system, exec, commands, dot1x).

    Expected Results:
        * success: The test will pass if the provided AAA accounting default method list is matching in the configured accounting types.
        * failure: The test will fail if the provided AAA accounting default method list is NOT matching in the configured accounting types.
    """

    name = "VerifyAcctDefaultMethods"
    description = "Verifies the AAA accounting default method lists for different accounting types (system, exec, commands, dot1x)."
    categories = ["aaa"]
    commands = [AntaCommand(command="show aaa methods accounting")]

    class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
        methods: List[AAAAuthMethod]
        """List of AAA accounting methods. Methods should be in the right order"""
        types: Set[Literal["commands", "exec", "system", "dot1x"]]
        """List of accounting types to verify"""

    @AntaTest.anta_test
    def test(self) -> None:
        command_output = self.instance_commands[0].json_output
        not_matching = []
        not_configured = []
        for k, v in command_output.items():
            acct_type = k.replace("AcctMethods", "")
            if acct_type not in self.inputs.types:
                # We do not need to verify this accounting type
                continue
            for methods in v.values():
                if "defaultAction" not in methods:
                    not_configured.append(acct_type)
                if methods["defaultMethods"] != self.inputs.methods:
                    not_matching.append(acct_type)
        if not_configured:
            self.result.is_failure(f"AAA default accounting is not configured for {not_configured}")
            return
        if not not_matching:
            self.result.is_success()
        else:
            self.result.is_failure(f"AAA accounting default methods {self.inputs.methods} are not matching for {not_matching}")

Input

Bases: Input

Source code in anta/tests/aaa.py 
221
222
223
224
225
class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
    methods: List[AAAAuthMethod]
    """List of AAA accounting methods. Methods should be in the right order"""
    types: Set[Literal["commands", "exec", "system", "dot1x"]]
    """List of accounting types to verify"""

methods instance-attribute 

methods: List[AAAAuthMethod]

List of AAA accounting methods. Methods should be in the right order

types instance-attribute 

types: Set[Literal['commands', 'exec', 'system', 'dot1x']]

List of accounting types to verify

VerifyAuthenMethods

Bases: AntaTest

Verifies the AAA authentication method lists for different authentication types (login, enable, dot1x).

Expected Results
  • success: The test will pass if the provided AAA authentication method list is matching in the configured authentication types.
  • failure: The test will fail if the provided AAA authentication method list is NOT matching in the configured authentication types.
Source code in anta/tests/aaa.py 
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
class VerifyAuthenMethods(AntaTest):
    """
    Verifies the AAA authentication method lists for different authentication types (login, enable, dot1x).

    Expected Results:
        * success: The test will pass if the provided AAA authentication method list is matching in the configured authentication types.
        * failure: The test will fail if the provided AAA authentication method list is NOT matching in the configured authentication types.
    """

    name = "VerifyAuthenMethods"
    description = "Verifies the AAA authentication method lists for different authentication types (login, enable, dot1x)."
    categories = ["aaa"]
    commands = [AntaCommand(command="show aaa methods authentication")]

    class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
        methods: List[AAAAuthMethod]
        """List of AAA authentication methods. Methods should be in the right order"""
        types: Set[Literal["login", "enable", "dot1x"]]
        """List of authentication types to verify"""

    @AntaTest.anta_test
    def test(self) -> None:
        command_output = self.instance_commands[0].json_output
        not_matching = []
        for k, v in command_output.items():
            auth_type = k.replace("AuthenMethods", "")
            if auth_type not in self.inputs.types:
                # We do not need to verify this accounting type
                continue
            if auth_type == "login":
                if "login" not in v:
                    self.result.is_failure("AAA authentication methods are not configured for login console")
                    return
                if v["login"]["methods"] != self.inputs.methods:
                    self.result.is_failure(f"AAA authentication methods {self.inputs.methods} are not matching for login console")
                    return
            for methods in v.values():
                if methods["methods"] != self.inputs.methods:
                    not_matching.append(auth_type)
        if not not_matching:
            self.result.is_success()
        else:
            self.result.is_failure(f"AAA authentication methods {self.inputs.methods} are not matching for {not_matching}")

Input

Bases: Input

Source code in anta/tests/aaa.py 
138
139
140
141
142
class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
    methods: List[AAAAuthMethod]
    """List of AAA authentication methods. Methods should be in the right order"""
    types: Set[Literal["login", "enable", "dot1x"]]
    """List of authentication types to verify"""

methods instance-attribute 

methods: List[AAAAuthMethod]

List of AAA authentication methods. Methods should be in the right order

types instance-attribute 

types: Set[Literal['login', 'enable', 'dot1x']]

List of authentication types to verify

VerifyAuthzMethods

Bases: AntaTest

Verifies the AAA authorization method lists for different authorization types (commands, exec).

Expected Results
  • success: The test will pass if the provided AAA authorization method list is matching in the configured authorization types.
  • failure: The test will fail if the provided AAA authorization method list is NOT matching in the configured authorization types.
Source code in anta/tests/aaa.py 
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
class VerifyAuthzMethods(AntaTest):
    """
    Verifies the AAA authorization method lists for different authorization types (commands, exec).

    Expected Results:
        * success: The test will pass if the provided AAA authorization method list is matching in the configured authorization types.
        * failure: The test will fail if the provided AAA authorization method list is NOT matching in the configured authorization types.
    """

    name = "VerifyAuthzMethods"
    description = "Verifies the AAA authorization method lists for different authorization types (commands, exec)."
    categories = ["aaa"]
    commands = [AntaCommand(command="show aaa methods authorization")]

    class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
        methods: List[AAAAuthMethod]
        """List of AAA authorization methods. Methods should be in the right order"""
        types: Set[Literal["commands", "exec"]]
        """List of authorization types to verify"""

    @AntaTest.anta_test
    def test(self) -> None:
        command_output = self.instance_commands[0].json_output
        not_matching = []
        for k, v in command_output.items():
            authz_type = k.replace("AuthzMethods", "")
            if authz_type not in self.inputs.types:
                # We do not need to verify this accounting type
                continue
            for methods in v.values():
                if methods["methods"] != self.inputs.methods:
                    not_matching.append(authz_type)
        if not not_matching:
            self.result.is_success()
        else:
            self.result.is_failure(f"AAA authorization methods {self.inputs.methods} are not matching for {not_matching}")

Input

Bases: Input

Source code in anta/tests/aaa.py 
183
184
185
186
187
class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
    methods: List[AAAAuthMethod]
    """List of AAA authorization methods. Methods should be in the right order"""
    types: Set[Literal["commands", "exec"]]
    """List of authorization types to verify"""

methods instance-attribute 

methods: List[AAAAuthMethod]

List of AAA authorization methods. Methods should be in the right order

types instance-attribute 

types: Set[Literal['commands', 'exec']]

List of authorization types to verify

VerifyTacacsServerGroups

Bases: AntaTest

Verifies if the provided TACACS server group(s) are configured.

Expected Results
  • success: The test will pass if the provided TACACS server group(s) are configured.
  • failure: The test will fail if one or all the provided TACACS server group(s) are NOT configured.
Source code in anta/tests/aaa.py 
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
class VerifyTacacsServerGroups(AntaTest):
    """
    Verifies if the provided TACACS server group(s) are configured.

    Expected Results:
        * success: The test will pass if the provided TACACS server group(s) are configured.
        * failure: The test will fail if one or all the provided TACACS server group(s) are NOT configured.
    """

    name = "VerifyTacacsServerGroups"
    description = "Verifies if the provided TACACS server group(s) are configured."
    categories = ["aaa"]
    commands = [AntaCommand(command="show tacacs")]

    class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
        groups: List[str]
        """List of TACACS server group"""

    @AntaTest.anta_test
    def test(self) -> None:
        command_output = self.instance_commands[0].json_output
        tacacs_groups = command_output["groups"]
        if not tacacs_groups:
            self.result.is_failure("No TACACS server group(s) are configured")
            return
        not_configured = [group for group in self.inputs.groups if group not in tacacs_groups]
        if not not_configured:
            self.result.is_success()
        else:
            self.result.is_failure(f"TACACS server group(s) {not_configured} are not configured")

Input

Bases: Input

Source code in anta/tests/aaa.py 
106
107
108
class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
    groups: List[str]
    """List of TACACS server group"""

groups instance-attribute 

groups: List[str]

List of TACACS server group

VerifyTacacsServers

Bases: AntaTest

Verifies TACACS servers are configured for a specified VRF.

Expected Results
  • success: The test will pass if the provided TACACS servers are configured in the specified VRF.
  • failure: The test will fail if the provided TACACS servers are NOT configured in the specified VRF.
Source code in anta/tests/aaa.py 
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
class VerifyTacacsServers(AntaTest):
    """
    Verifies TACACS servers are configured for a specified VRF.

    Expected Results:
        * success: The test will pass if the provided TACACS servers are configured in the specified VRF.
        * failure: The test will fail if the provided TACACS servers are NOT configured in the specified VRF.
    """

    name = "VerifyTacacsServers"
    description = "Verifies TACACS servers are configured for a specified VRF."
    categories = ["aaa"]
    commands = [AntaCommand(command="show tacacs")]

    class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
        servers: List[IPv4Address]
        """List of TACACS servers"""
        vrf: str = "default"
        """The name of the VRF to transport TACACS messages"""

    @AntaTest.anta_test
    def test(self) -> None:
        command_output = self.instance_commands[0].json_output
        tacacs_servers = command_output["tacacsServers"]
        if not tacacs_servers:
            self.result.is_failure("No TACACS servers are configured")
            return
        not_configured = [
            str(server)
            for server in self.inputs.servers
            if not any(
                str(server) == tacacs_server["serverInfo"]["hostname"] and self.inputs.vrf == tacacs_server["serverInfo"]["vrf"] for tacacs_server in tacacs_servers
            )
        ]
        if not not_configured:
            self.result.is_success()
        else:
            self.result.is_failure(f"TACACS servers {not_configured} are not configured in VRF {self.inputs.vrf}")

Input

Bases: Input

Source code in anta/tests/aaa.py 
66
67
68
69
70
class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
    servers: List[IPv4Address]
    """List of TACACS servers"""
    vrf: str = "default"
    """The name of the VRF to transport TACACS messages"""

servers instance-attribute 

servers: List[IPv4Address]

List of TACACS servers

vrf class-attribute instance-attribute 

vrf: str = 'default'

The name of the VRF to transport TACACS messages

VerifyTacacsSourceIntf

Bases: AntaTest

Verifies TACACS source-interface for a specified VRF.

Expected Results
  • success: The test will pass if the provided TACACS source-interface is configured in the specified VRF.
  • failure: The test will fail if the provided TACACS source-interface is NOT configured in the specified VRF.
Source code in anta/tests/aaa.py 
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
class VerifyTacacsSourceIntf(AntaTest):
    """
    Verifies TACACS source-interface for a specified VRF.

    Expected Results:
        * success: The test will pass if the provided TACACS source-interface is configured in the specified VRF.
        * failure: The test will fail if the provided TACACS source-interface is NOT configured in the specified VRF.
    """

    name = "VerifyTacacsSourceIntf"
    description = "Verifies TACACS source-interface for a specified VRF."
    categories = ["aaa"]
    commands = [AntaCommand(command="show tacacs")]

    class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
        intf: str
        """Source-interface to use as source IP of TACACS messages"""
        vrf: str = "default"
        """The name of the VRF to transport TACACS messages"""

    @AntaTest.anta_test
    def test(self) -> None:
        command_output = self.instance_commands[0].json_output
        try:
            if command_output["srcIntf"][self.inputs.vrf] == self.inputs.intf:
                self.result.is_success()
            else:
                self.result.is_failure(f"Wrong source-interface configured in VRF {self.inputs.vrf}")
        except KeyError:
            self.result.is_failure(f"Source-interface {self.inputs.intf} is not configured in VRF {self.inputs.vrf}")

Input

Bases: Input

Source code in anta/tests/aaa.py 
34
35
36
37
38
class Input(AntaTest.Input):  # pylint: disable=missing-class-docstring
    intf: str
    """Source-interface to use as source IP of TACACS messages"""
    vrf: str = "default"
    """The name of the VRF to transport TACACS messages"""

intf instance-attribute 

intf: str

Source-interface to use as source IP of TACACS messages

vrf class-attribute instance-attribute 

vrf: str = 'default'

The name of the VRF to transport TACACS messages