
Support for AAA settings via eos_designs #4480

dgonzalez85 opened this issue Sep 17, 2024 · 0 comments
Labels
type: enhancement New feature or request

dgonzalez85 commented Sep 17, 2024

Enhancement summary

As discussed with @carlbuchmann, it would be a nice addition to be able to set AAA configuration via eos_designs, so it facilitates the configuration of the MGMT/inband VRF etc. (as we do today with ntp_settings or snmp_settings).

Similar to this but for AAA:

  • use_mgmt_interface_vrf will configure the NTP server(s) under the VRF set with mgmt_interface_vrf and set the mgmt_interface as NTP local-interface.
    An error will be raised if mgmt_ip or ipv6_mgmt_ip are not configured for the device.
  • use_inband_mgmt_vrf will configure the NTP server(s) under the VRF set with inband_mgmt_vrf and set the inband_mgmt_interface as NTP local-interface.
    An error will be raised if inband management is not configured for the device.

Some EOS configuration commands that are affected:

tacacs-server host <tacacs-srv-1> vrf <vrf_name> key 7 <key-1>
tacacs-server host <tacacs-srv-2> vrf <vrf_name> key 7 <key-2>

radius-server host <radius-srv-1> vrf <vrf_name> key 7 <key-1>
radius-server host <radius-srv-2> vrf <vrf_name> key 7 <key-2>

aaa group server tacacs+ tac-servers
   server <srv-1> vrf <vrf_name>
   server <srv-2> vrf <vrf_name>

aaa group server radius radius-servers
   server <srv-1> vrf <vrf_name>
   server <srv-2> vrf <vrf_name>

ip tacacs vrf <vrf_name> source-interface <interface>
ip radius vrf <vrf_name> source-interface <interface>

Which component of AVD is impacted

eos_designs

Use case example

Using AAA for Campus and inband connectivity only (no OOB network).

Example of inband config required via eos_cli_config_gen:

custom_structured_configuration_aaa_authentication:
  login:
    default: group tacacs_login local
    console: local
  dot1x:
    default: group ISE
  policies:
    on_failure_log: true
    on_success_log: true

custom_structured_configuration_aaa_authorization:
  exec:
    default: group tacacs_login local
  config_commands: true
  serial_console: true
  commands:
    all_default: local

custom_structured_configuration_aaa_accounting:
  exec:
    default:
      type: start-stop
      group: tacacs_login
  commands:
    default:
      - commands: 0-15
        type: start-stop
        group: tacacs_login
  dot1x:
    default:
      type: start-stop
      group: ISE

custom_structured_configuration_radius_server:
  hosts:
    - host: 1.2.3.4
      key: "{{ vault.radius.key1 }}"
    - host: 1.2.3.5
      key: "{{ vault.radius.key2 }}"

custom_structured_configuration_tacacs_servers:
  hosts:
    - host: 1.2.3.6
      key: "{{ vault.tacacs.key1 }}"
    - host: 1.2.3.7
      key: "{{ vault.tacacs.key2 }}"

custom_structured_configuration_aaa_server_groups:
  - name: tacacs_login
    type: "tacacs+"
    servers:
      - server: 1.2.3.6
      - server: 1.2.3.7
  - name: ISE
    type: "radius"
    servers:
      - server: 1.2.3.4
      - server: 1.2.3.5

Describe the solution you would like

Try to simplify the configuration via eos_designs managing the VRF configuration and maybe reducing the number of inputs required.

Describe alternatives you have considered

No response

Additional context

No response

@dgonzalez85 dgonzalez85 added the type: enhancement New feature or request label Sep 17, 2024