This chapter describes the Cisco NX-OS security commands that begin with A.
To configure authentication, authorization, and accounting (AAA) methods for accounting, use the aaa accounting default command. To revert to the default, use the no form of this command.
aaa accounting default { group group-list | local }
no aaa accounting default { group group-list | local }
Keyword/argument | Description
---|---
group group-list | Space-delimited list that specifies one or more configured RADIUS or TACACS+ server groups.
local | Uses the local database on the device for accounting.
The group group-list method refers to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or the local method and it fails, then accounting can fail.
This example shows how to configure any RADIUS server for AAA accounting:
To configure authentication, authorization, and accounting (AAA) authentication methods for console logins, use the aaa authentication login console command. To revert to the default, use the no form of this command.
aaa authentication login console { group group-list [ none ] | local | none }
no aaa authentication login console { group group-list [ none ] | local | none }
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and it fails, then the authentication fails. If you specify the none method alone or after the group method, then the authentication always succeeds: with none alone the console accepts any login, and with none after a group an attacker only has to make the servers in group-list unreachable to log in without credentials.
This example shows how to configure the AAA authentication console login method:
This example shows how to revert to the default AAA authentication console login method:
To configure the default authentication, authorization, and accounting (AAA) authentication methods, use the aaa authentication login default command. To revert to the default, use the no form of this command.
aaa authentication login default { group group-list [ none ] | local | none }
no aaa authentication login default { group group-list [ none ] | local | none }
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and it fails, then the authentication fails. If you specify the none method alone or after the group method, then the authentication always succeeds, so any user who can reach the device over SSH or Telnet can log in without valid credentials once the servers in group-list stop responding.
This example shows how to configure the default AAA authentication login method:
This example shows how to revert to the default AAA authentication login method:
To display an authentication, authorization, and accounting (AAA) authentication failure message on the console when a login falls back to the local database, use the aaa authentication login error-enable command. To revert to the default, use the no form of this command.
aaa authentication login error-enable
no aaa authentication login error-enable
When you log in and the remote AAA servers do not respond, the login rolls over to the local user database. In this situation, the following message is displayed if you have enabled the display of login failure messages:
This example shows how to enable the display of AAA authentication failure messages to the console:
This example shows how to disable the display of AAA authentication failure messages to the console:
Command | Description
---|---
show aaa authentication login error-enable | Displays the status of the AAA authentication failure message display.
To enable Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication at login, use the aaa authentication login mschap enable command. To revert to the default, use the no form of this command.
aaa authentication login mschap enable
no aaa authentication login mschap enable
This example shows how to enable MS-CHAP authentication:
This example shows how to disable MS-CHAP authentication:
To configure the login block per user, use the aaa authentication rejected command. To remove the login block per user, use the no form of this command.
aaa authentication rejected attempts in seconds ban block-seconds
no aaa authentication rejected
Keyword/argument | Description
---|---
attempts | Number of failed login attempts that triggers the block.
in seconds | Time period, in seconds, within which the failed login attempts are counted.
ban block-seconds | Time period, in seconds, for which the user is blocked after the failed login attempts.
The login block per user feature applies only to local users; it does not limit failed logins by users who are authenticated through remote AAA servers.
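The following Python model is an added example, not Cisco code or device output: it replays a constructed sequence of login attempts against the parameters used in the example below (5 attempts in 60 seconds, ban for 300 seconds) so that the effect of each number is visible, and it applies the rule above that only local users are subject to the block. Two details are assumptions that the command reference does not state: the counting window is treated as sliding, and the failure counter is cleared when a block starts.

```python
"""Model of 'aaa authentication rejected ATTEMPTS in SECONDS ban BLOCK-SECONDS'.

Added example, not Cisco code. Sliding window and counter reset on block
are assumptions; 'only local users are blocked' is from the guidelines.
"""
from collections import defaultdict, deque


class LoginBlockPerUser:
    def __init__(self, attempts: int = 5, in_seconds: int = 60, ban_seconds: int = 300):
        self.attempts = attempts
        self.in_seconds = in_seconds
        self.ban_seconds = ban_seconds
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._blocked_until = {}              # user -> time at which the ban expires

    def is_blocked(self, user: str, now: float) -> bool:
        until = self._blocked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if this failure starts a ban."""
        window = self._failures[user]
        window.append(now)
        while window and now - window[0] > self.in_seconds:   # drop failures outside the window
            window.popleft()
        if len(window) >= self.attempts:
            self._blocked_until[user] = now + self.ban_seconds
            window.clear()                                     # assumption: counter resets
            return True
        return False


def simulate(events, local_users, **params) -> list[str]:
    """events: (time, user, password_ok) tuples -> 'success' | 'fail' | 'blocked' per event."""
    guard = LoginBlockPerUser(**params)
    outcomes = []
    for t, user, ok in events:
        is_local = user in local_users
        if is_local and guard.is_blocked(user, t):
            outcomes.append("blocked")        # rejected even with the right password
        elif ok:
            outcomes.append("success")
        elif is_local and guard.record_failure(user, t):
            outcomes.append("blocked")        # this failure reached the threshold
        else:
            outcomes.append("fail")
    return outcomes


# Constructed attempt log: (seconds, username, whether the password was correct).
EVENTS = [
    (0, "admin", False), (10, "admin", False), (20, "admin", False),
    (30, "admin", False), (40, "admin", False),   # fifth failure inside 60 s -> ban
    (100, "admin", True),                         # correct password, still banned
    (341, "admin", True),                         # 300 s ban has expired
    (0, "ops", False), (70, "ops", False), (140, "ops", False),
    (210, "ops", False), (280, "ops", False),     # never 5 failures in one 60 s window
    (0, "svc", False), (1, "svc", False), (2, "svc", False),
    (3, "svc", False), (4, "svc", False),         # remote user: this feature never blocks it
]
LOCAL_USERS = {"admin", "ops"}   # 'svc' is authenticated by a remote AAA server

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, simulate(EVENTS, LOCAL_USERS)):
        print(event, "->", outcome)
```

The svc rows are the point of the caveat above: a remote-authenticated account can be brute-forced at the same rate regardless of this command, so lockout for such accounts has to be enforced on the AAA server.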
The following example shows how to configure the login parameters to block a user for 300 seconds when 5 login attempts fail within a period of 60 seconds.
To configure default authentication, authorization, and accounting (AAA) authorization methods for all EXEC commands, use the aaa authorization commands default command. To revert to the default, use the no form of this command.
aaa authorization commands default [ group group-list ] [ local | none ]
no aaa authorization commands default [ group group-list ] [ local | none ]
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you specify the none method alone or after the group method, then the authorization always succeeds.
This example shows how to configure the default AAA authorization methods for EXEC commands:
This example shows how to revert to the default AAA authorization methods for EXEC commands:
Command | Description
---|---
aaa authorization config-commands default | Configures default AAA authorization methods for configuration commands.
To configure the default authentication, authorization, and accounting (AAA) authorization methods for all configuration commands, use the aaa authorization config-commands default command. To revert to the default, use the no form of this command.
aaa authorization config-commands default [ group group-list ] [ local | none ]
no aaa authorization config-commands default [ group group-list ] [ local | none ]
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you specify the none method alone or after the group method, then the authorization always succeeds.
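The guidelines for aaa authentication login console, aaa authentication login default, aaa authorization commands default, and this command all share two checkable properties: a method list that contains none always succeeds, and TACACS+ command authorization requires feature tacacs+. The Python checker below is an added example, not Cisco code: it scans a constructed running-config excerpt for those commands and reports the weak form beside the corrected form. Its keyword parsing (group followed by one name) is a simplification assumed for the example.

```python
"""Lint NX-OS AAA method lists for an unauthenticated fallback.

Added example, not Cisco code. Rules come from the command reference:
a method list containing 'none' always succeeds, and the
'aaa authorization commands|config-commands' commands need 'feature tacacs+'.
"""
import re
from dataclasses import dataclass

# aaa authentication login {console|default} <methods>
# aaa authorization {commands|config-commands} default <methods>
_METHOD_LIST = re.compile(
    r"^aaa\s+(?:authentication\s+login\s+(?P<login>console|default)"
    r"|authorization\s+(?P<authz>commands|config-commands)\s+default)"
    r"\s+(?P<methods>.+)$"
)


@dataclass(frozen=True)
class Finding:
    line: str
    problem: str


def parse_methods(method_text: str) -> list[str]:
    """'group tac1 group tac2 local' -> ['group tac1', 'group tac2', 'local']."""
    tokens = method_text.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def lint_aaa(config: str) -> list[Finding]:
    """Return one Finding per weak AAA method list in the config text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    tacacs_enabled = "feature tacacs+" in lines
    findings: list[Finding] = []
    for line in lines:
        m = _METHOD_LIST.match(line)
        if not m:
            continue
        methods = parse_methods(m.group("methods"))
        if "none" in methods:
            how = "alone" if methods == ["none"] else "as the fallback method"
            findings.append(Finding(
                line, f"'none' {how}: the login or command is always allowed, "
                      "so unreachable AAA servers mean no check at all"))
        uses_group = any(meth.startswith("group ") for meth in methods)
        if m.group("authz") and uses_group and not tacacs_enabled:
            findings.append(Finding(
                line, "command authorization through a server group requires "
                      "'feature tacacs+', which this config does not enable"))
    return findings


# Constructed configs: the weak form beside the corrected form.
WEAK_CONFIG = """
aaa authentication login default group tacacs+ none
aaa authentication login console none
aaa authorization commands default group tacacs+ none
"""

HARDENED_CONFIG = """
feature tacacs+
aaa authentication login default group tacacs+
aaa authentication login console local
aaa authorization commands default group tacacs+ local
aaa authorization config-commands default group tacacs+ local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(lint_aaa(cfg))} finding(s)")
        for f in lint_aaa(cfg):
            print(f"  {f.line}\n    -> {f.problem}")
```

The hardened login line deliberately carries no explicit fallback: the console and default login syntax only allows none after a group, and rollover to the local database when the servers do not respond happens on its own, as the aaa authentication login error-enable guidelines describe.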
This example shows how to configure the default AAA authorization methods for configuration commands:
This example shows how to revert to the default AAA authorization methods for configuration commands:
Command | Description
---|---
aaa authorization commands default | Configures default AAA authorization methods for EXEC commands.
To configure local authorization with certificate authentication as the default authentication, authorization, and accounting (AAA) authorization method for TACACS+ servers, use the aaa authorization ssh-certificate command. To disable this configuration, use the no form of this command.
aaa authorization ssh-certificate default { group group-list | local }
no aaa authorization ssh-certificate default { group group-list | local }
Keyword/argument | Description
---|---
group group-list | Space-separated list of TACACS+ or LDAP server groups.
local | Uses the local database on the device for authorization.
To use this command, you must enable the TACACS+ feature using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ and LDAP servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the TACACS+ or LDAP server group method, authorization fails if all server groups fail to respond.
This example shows how to configure the local database with certificate authentication as the default AAA authorization method:
Command | Description
---|---
aaa authorization ssh-publickey | Configures local authorization with the SSH public key as the default AAA authorization method.
To configure local authorization with the Secure Shell (SSH) public key as the default AAA authorization method for TACACS+ servers, use the aaa authorization ssh-publickey command. To revert to the default, use the no form of this command.
aaa authorization ssh-publickey default { group group-list | local }
no aaa authorization ssh-publickey default { group group-list | local }
Keyword/argument | Description
---|---
group group-list | Space-separated list of server groups. The server group name can be a maximum of 127 characters.
local | Uses the local database on the device for authorization.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the server group method, authorization fails if all server groups fail to respond.
This example shows how to configure local authorization with the SSH public key as the default AAA authorization method:
Command | Description
---|---
aaa authorization ssh-certificate | Configures local authorization with certificate authentication as the default AAA authorization method.
To create a RADIUS server group and enter RADIUS server group configuration mode, use the aaa group server radius command. To delete a RADIUS server group, use the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
This example shows how to create a RADIUS server group and enter RADIUS server group configuration mode:
This example shows how to delete a RADIUS server group:
To enable the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the aaa user default-role command. To disable the default role, use the no form of this command.
aaa user default-role
no aaa user default-role
This example shows how to enable the default role assigned by the AAA server administrator for remote authentication:
This example shows how to disable the default role assigned by the AAA server administrator for remote authentication:
Command | Description
---|---
show aaa user default-role | Displays the status of the default user role for remote authentication.
To restrict incoming and outgoing connections between a particular VTY and the addresses in an access list, use the access-class command. To remove access restrictions, use the no form of this command.
access-class access-list-name { in | out }
no access-class access-list-name { in | out }
When you allow Telnet or SSH access to a Cisco device, you can restrict which sources may reach it by binding an access class (an IP access list) to the VTY lines.
To display the access lists for a particular terminal line, use the show line command.
When you use the access-class command to restrict traffic on VTY, the FTP, TFTP, Secure Copy Protocol (SCP), and Secure FTP (SFTP) traffic are also affected.
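Because the access class filters every session that arrives on the VTY lines, it is worth being able to answer "which entry decides this source?" before applying it. The Python evaluator below is an added example, not Cisco code or device output: it parses a constructed NX-OS-style configuration (an ip access-list bound with access-class ... in under line vty) and returns, for a given source address, the permit or deny decision and the sequence number that made it. Only the source field of permit|deny ip entries is parsed, an assumption made for this example; the implicit deny at the end of an ACL is standard NX-OS behaviour.

```python
"""Which sources does the access-class on the VTY lines let in?

Added example, not Cisco code. Parses a constructed config; only the
source field of 'permit|deny ip <src> <dst>' entries is considered.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                     # 'permit' or 'deny'
    src: ipaddress.IPv4Network


def _parse_addr(tokens: list[str]) -> ipaddress.IPv4Network:
    """'any' | 'host A.B.C.D' | 'A.B.C.D/len' (leading tokens only) -> network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    return ipaddress.ip_network(tokens[0], strict=False)


def parse_acls(config: str) -> dict[str, list[Ace]]:
    """Collect the ACEs of every 'ip access-list' block in the config."""
    acls: dict[str, list[Ace]] = {}
    current: Optional[list[Ace]] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.match(r"ip access-list (\S+)$", line)
        ace = re.match(r"(\d+) (permit|deny) ip (.+)$", line)
        if head:
            current = acls.setdefault(head.group(1), [])
        elif ace and current is not None:
            current.append(Ace(int(ace.group(1)), ace.group(2),
                               _parse_addr(ace.group(3).split())))
        else:
            current = None              # any other line ends the ACL block
    return acls


def vty_access_class(config: str) -> Optional[tuple[str, str]]:
    """(acl_name, direction) bound by 'access-class' under 'line vty', if any."""
    m = re.search(r"^\s*line vty\s*\n\s*access-class (\S+) (in|out)", config, re.M)
    return (m.group(1), m.group(2)) if m else None


def evaluate(acl: list[Ace], source: str) -> tuple[str, Optional[int]]:
    """First matching ACE wins; no match falls to the implicit deny (seq None)."""
    ip = ipaddress.ip_address(source)
    for ace in sorted(acl, key=lambda a: a.seq):
        if ip in ace.src:
            return ace.action, ace.seq
    return "deny", None


def vty_decision(config: str, source: str) -> tuple[str, Optional[int]]:
    """Decision for an inbound VTY session (SSH, Telnet, SCP and SFTP alike)."""
    binding = vty_access_class(config)
    if binding is None or binding[1] != "in":
        return "permit", None           # no inbound access-class: nothing filters the session
    return evaluate(parse_acls(config).get(binding[0], []), source)


# Constructed configuration: management from one subnet plus one jump host.
SAMPLE_CONFIG = """
ip access-list MGMT-VTY
  10 permit ip 10.10.0.0/24 any
  20 permit ip host 192.0.2.10 any
  30 deny ip any any
line vty
  access-class MGMT-VTY in
"""

if __name__ == "__main__":
    for src in ("10.10.0.5", "192.0.2.10", "203.0.113.7"):
        print(src, "->", vty_decision(SAMPLE_CONFIG, src))
```

Entry 30 is redundant with the implicit deny but keeps the decision explicit in the output, which matters when the same access class is later reviewed against a show line listing; the test below also checks the ACL without it.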
This example shows how to configure an access class on a VTY line to restrict inbound packets:
This example shows how to remove an access class that restricts inbound packets:
To specify what the switch does when a packet matches a permit command in a VLAN access control list (VACL), use the action command. To remove an action command, use the no form of this command.
Keyword | Description
---|---
forward | Specifies that the switch forwards the packet to its destination port.
VLAN access-map configuration mode
The action command specifies the action that the device takes when a packet matches the conditions in the ACL specified by the match command.
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map: