Information About AAA
The authentication, authorization, and accounting (AAA) features allow you to verify the identity of, grant access to, and track the actions of users who manage Cisco Nexus devices. The Cisco Nexus device supports the Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols.
Based on the user ID and password that you provide, the switches perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the switch and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.
AAA security provides the following services:
Note: The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.
AAA provides the following benefits:
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:
You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. A server group provides for failover servers if a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, that server group option is considered a failure. If required, you can specify multiple server groups. If a switch encounters errors from the servers in the first group, it tries the servers in the next server group.
On Cisco Nexus devices, you can have separate AAA configurations for the following services:
The following table lists the CLI commands for each AAA service configuration option.
AAA Service Configuration Option | Related Command
---|---
Telnet or SSH login | aaa authentication login default
Console login | aaa authentication login console
User session accounting | aaa accounting default
You can specify the following authentication methods for the AAA services:
Note: If the method is for all RADIUS servers, instead of a specific server group, the Cisco Nexus devices choose the RADIUS server from the global pool of configured RADIUS servers in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco Nexus devices.
The following table describes the AAA authentication methods that you can configure for the AAA services.
AAA Service | AAA Methods
---|---
Console login authentication | Server groups, local, and none
User login authentication | Server groups, local, and none
User management session accounting | Server groups and local
Note: For console login authentication, user login authentication, and user management session accounting, the Cisco Nexus devices try each option in the order specified. The local option is the default method when other configured options fail.
The authentication and authorization process for user login occurs as follows:
The following figure shows a flowchart of the authentication and authorization process.
Note: "No more server groups left" means that there is no response from any server in all server groups. "No more servers left" means that there is no response from any server within this server group.
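The following Python model is added here as an illustration and is not code from the Cisco guide. It walks a method list the way the text above describes: servers in a group are tried in configured order, the first server that answers decides, and only silence (no response) falls through to the next method and, when every method is exhausted, to local authentication. The server names, groups and credentials are constructed sample data.

```python
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"   # the server never answered

def make_server(up, valid):
    """Constructed sample AAA server: silent when down, otherwise a verdict."""
    def handle(user, password):
        if not up:
            return Reply.TIMEOUT
        return Reply.ACCEPT if valid.get(user) == password else Reply.REJECT
    return handle

def query_group(members, servers, user, password):
    """Try the group's servers in order; TIMEOUT only if none responds."""
    for name in members:
        reply = servers[name](user, password)
        if reply is not Reply.TIMEOUT:
            return reply
    return Reply.TIMEOUT

def authenticate(methods, groups, servers, local_db, user, password):
    """Walk the method list and return (verdict, deciding method).
    A reject from a reachable group is final; only an unreachable group
    falls through. When all methods are exhausted, local is the default."""
    for method in methods:
        if method.startswith("group "):
            reply = query_group(groups[method[6:]], servers, user, password)
            if reply is not Reply.TIMEOUT:
                return reply, method
        elif method == "local":
            ok = local_db.get(user) == password
            return (Reply.ACCEPT if ok else Reply.REJECT), "local"
        elif method == "none":
            return Reply.ACCEPT, "none"
    ok = local_db.get(user) == password
    return (Reply.ACCEPT if ok else Reply.REJECT), "local (fallback)"

# Constructed scenario: both RADIUS servers unreachable, TACACS+ group up.
SERVERS = {"rad1": make_server(False, {}), "rad2": make_server(False, {}),
           "tac1": make_server(True, {"alice": "s3cret"})}
GROUPS = {"radius": ["rad1", "rad2"], "tac1": ["tac1"]}
LOCAL_DB = {"admin": "localpw", "alice": "oldpw"}
```

The second scenario in the test below is the one to watch operationally: a password that the TACACS+ server rejects is not retried against the local database, even though a stale local entry would have matched.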
Remote AAA servers have the following prerequisites:
The Cisco Nexus devices do not support all-numeric usernames, whether created with TACACS+ or RADIUS, or created locally. If an all-numeric username exists on an AAA server and is entered during a login, the Cisco Nexus device still logs in the user.
Caution: You should not create user accounts with usernames that are all numeric.
Configuring AAA
The authentication methods include the following:
The default method is local.
Note: The group radius and group server-name forms of the aaa authentication command are used for a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server radius command to create a named group of servers.
Before you configure console login authentication methods, configure RADIUS or TACACS+ server groups as needed.
The following example shows how to configure authentication methods for the console login:
switch# configure terminal
switch(config)# aaa authentication login console group radius
switch(config)# exit
switch# show aaa authentication
switch# copy running-config startup-config
The default method is local.
Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed. To configure default login authentication methods, perform this task:
When you log in, the login is processed by the local user database if the remote AAA servers do not respond. If you have enabled the displaying of login failure messages, the following message is displayed:
Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.
When a TACACS+ server authorization method is configured, you can authorize every command that a user executes with the TACACS+ server, which includes all EXEC mode commands and all configuration mode commands.
The authorization methods include the following:
The default method is local.
Note: There is no authorization on the console session.
You must enable TACACS+ before configuring AAA command authorization.
The following example shows how to authorize EXEC mode commands with TACACS+ server group tac1:
switch# aaa authorization commands default group tac1
The following example shows how to authorize configuration mode commands with TACACS+ server group tac1:
switch(config)# aaa authorization config-commands default group tac1
The following example shows how to authorize configuration mode commands with TACACS+ server group tac1, using the local role when the servers do not respond:
switch(config)# aaa authorization config-commands default group tac1 local
The following example shows how to authorize EXEC mode commands with TACACS+ server group tac1, with no authorization applied when the servers do not respond:
switch# aaa authorization commands default group tac1 none
The following example shows how to authorize EXEC mode commands regardless of the local role:
switch# aaa authorization commands default none
The following example shows how to authorize EXEC mode commands using the local role for authorization:
switch# aaa authorization commands default local
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Cisco Nexus device through a remote authentication server (RADIUS or TACACS+).
By default, the Cisco Nexus device uses Password Authentication Protocol (PAP) authentication between the switch and the remote server. If you enable MSCHAP, you must configure your RADIUS server to recognize the MSCHAP vendor-specific attributes (VSAs).
The following table describes the RADIUS VSAs required for MSCHAP.
Vendor-ID Number | Vendor-Type Number | VSA | Description
---|---|---|---
311 | 11 | MSCHAP-Challenge | Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets.
211 | 11 | MSCHAP-Response | Contains the response value provided by an MSCHAP user in response to the challenge. It is only used in Access-Request packets.
The Cisco Nexus device supports TACACS+ and RADIUS methods for accounting. The switches report user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.
When you activate AAA accounting, the Cisco Nexus device reports these attributes as accounting records, which are then stored in an accounting log on the security server.
You can create default method lists defining specific accounting methods, which include the following:
Note: If you have configured server groups and the server groups do not respond, by default, the local database is used for authentication.
Before you configure AAA accounting default methods, configure RADIUS or TACACS+ server groups as needed.
Using AAA Server VSAs
You can use vendor-specific attributes (VSAs) to specify the Cisco Nexus device user roles and SNMPv3 parameters on AAA servers.
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, separator is an equal sign (=) for mandatory attributes, and an asterisk (* ) indicates optional attributes.
When you use RADIUS servers for authentication on a Cisco Nexus device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, with authentication results. This authorization information is specified through VSAs.
The following VSA protocol options are supported by the Cisco Nexus device:
The following attributes are supported by the Cisco Nexus device:
You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco Nexus device using this format:
shell:roles="roleA roleB …"
If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.
Note: For information on Cisco Unified Wireless Network TACACS+ configurations and to change the user roles, see Cisco Unified Wireless Network TACACS+ Configuration.
You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 is the default authentication protocol and DES is the default privacy protocol.
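A parser and encoder for the cisco-av-pair format described above (the RADIUS attribute 26 VSA with vendor ID 9 and vendor type 1, the "=" mandatory and "*" optional separators, the shell:roles list and the snmpv3 options with their stated defaults), added here as an example and not code from the Cisco guide. The role names in the sample value are constructed, and the attribute-26 byte layout follows RFC 2865.

```python
import re
import shlex

CISCO_VENDOR_ID = 9          # vendor ID carried in attribute 26
CISCO_AV_PAIR_TYPE = 1       # vendor type 1 = cisco-av-pair
DEFAULT_ROLE = "network-operator"
DEFAULT_SNMPV3 = {"auth": "MD5", "priv": "DES"}
# protocol:attribute<sep>value, where the protocol prefix may be omitted
PAIR_RE = re.compile(r"(?:([^:=*]+):)?([^=*]+)([=*])(.*)")

def build_cisco_vsa(av_pair):
    """Encode a cisco-av-pair string as the body of RADIUS attribute 26:
    4-byte vendor ID, then vendor-type, vendor-length (counts itself,
    the type byte and the data) and the string itself."""
    data = av_pair.encode()
    header = CISCO_VENDOR_ID.to_bytes(4, "big")
    return header + bytes([CISCO_AV_PAIR_TYPE, len(data) + 2]) + data

def decode_cisco_vsa(body):
    """Inverse of build_cisco_vsa: return (vendor_id, vendor_type, string)."""
    vendor_id = int.from_bytes(body[:4], "big")
    vtype, vlen = body[4], body[5]
    return vendor_id, vtype, body[6:4 + vlen].decode()

def parse_cisco_av_pair(value):
    """Split the value into {protocol: {attribute: (value, mandatory)}}.
    '=' marks a mandatory attribute and '*' an optional one; a token with
    no protocol prefix (for example priv=AES-128) inherits the last one."""
    pairs, protocol = {}, None
    for token in shlex.split(value):   # keeps a quoted role list together
        m = PAIR_RE.fullmatch(token)
        if not m:
            raise ValueError(f"malformed av-pair token: {token!r}")
        protocol = m.group(1) or protocol
        if protocol is None:
            raise ValueError(f"attribute without protocol: {token!r}")
        pairs.setdefault(protocol, {})[m.group(2)] = (m.group(4), m.group(3) == "=")
    return pairs

def effective_authorization(av_pair):
    """Apply the defaults the guide states: no roles -> network-operator,
    missing SNMPv3 options -> MD5 authentication and DES privacy."""
    pairs = parse_cisco_av_pair(av_pair)
    roles = pairs.get("shell", {}).get("roles", ("", True))[0].split()
    snmpv3 = dict(DEFAULT_SNMPV3)
    for attr, (val, _mandatory) in pairs.get("snmpv3", {}).items():
        snmpv3[attr] = val
    return {"roles": roles or [DEFAULT_ROLE], "snmpv3": snmpv3}
```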
For additional information, see the Configuring User Accounts and RBAC chapter in the System Management Configuration Guide for your Cisco Nexus device.
The Cisco Nexus device maintains a local log for the AAA accounting activity.
To display AAA configuration information, perform one of the following tasks:
The following example shows how to configure AAA:
switch(config)# aaa authentication login default group radius
switch(config)# aaa authentication login console group radius
switch(config)# aaa accounting default group radius
The following table lists the default settings for AAA parameters.
Parameters | Default
---|---
Console authentication method | local
Default authentication method | local
Login authentication failure messages | Disabled
MSCHAP authentication | Disabled
Default accounting method | local
Accounting log display length | 250 KB