Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.1
Configuring AAA
Downloads: This chapterpdf (PDF - 418.0KB) The complete bookPDF (PDF - 14.52MB) | Feedback

Configuring AAA

Table Of Contents

Configuring AAA

Information About AAA

AAA Security Services

Benefits of Using AAA

Remote AAA Services

AAA Server Groups

AAA Service Configuration Options

Authentication and Authorization Process for User Login

Virtualization Support

Licensing Requirements for AAA

Prerequisites for AAA

AAA Guidelines and Limitations

Configuring AAA

Process for Configuring AAA

Configuring Console Login Authentication Methods

Configuring Default Login Authentication Methods

Enabling the Default User Role for AAA Authentication

Enabling Login Authentication Failure Messages

Enabling MSCHAP Authentication

Configuring AAA Accounting Default Methods

Using AAA Server VSAs with Cisco NX-OS Devices

About VSAs

VSA Format

Specifying Cisco NX-OS User Roles and SMNPv3 Parameters on AAA Servers

Displaying and Clearing the Local AAA Accounting Log

Verifying AAA Configuration

Example AAA Configuration

Default Settings

Additional References

Related Documents

Standards

MIBs

Feature History for AAA


Configuring AAA


This chapter describes how to configure authentication, authorization, and accounting (AAA) on Cisco NX-OS devices.

This chapter includes the following sections:

Information About AAA

Licensing Requirements for AAA

Prerequisites for AAA

AAA Guidelines and Limitations

Configuring AAA

Displaying and Clearing the Local AAA Accounting Log

Verifying AAA Configuration

Example AAA Configuration

Default Settings

Additional References

Information About AAA

This section includes the following topics:

AAA Security Services

Benefits of Using AAA

Remote AAA Services

AAA Server Groups

AAA Service Configuration Options

Authentication and Authorization Process for User Login

Virtualization Support

AAA Security Services

The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing an Cisco NX-OS device. Cisco NX-OS devices support Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control device Plus (TACACS+) protocols.

Based on the user ID and password combination that you provide, Cisco NX-OS devices perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the Cisco NX-OS device and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.

AAA security provides the following services:

Authentication—Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption.

Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).

Authorization—Provides access control.

AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.

Accounting—Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.

The accounting feature tracks and maintains a log of every management session used to access the Cisco NX-OS device. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.


Note The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.


Benefits of Using AAA

AAA provides the following benefits:

Increased flexibility and control of access configuration

Scalability

Standardized authentication methods, such as RADIUS and TACACS+

Multiple backup devices

Remote AAA Services

Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:

It is easier to manage user password lists for each Cisco NX-OS device in the fabric.

AAA servers are already deployed widely across enterprises and can be easily used for AAA services.

You can centrally manage the accounting log for all Cisco NX-OS devices in the fabric.

It is easier to manage user attributes for each Cisco NX-OS device in the fabric than using the local databases on the Cisco NX-OS devices.

AAA Server Groups

You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide for fail-over servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco NX-OS device encounters errors from the servers in the first group, it tries the servers in the next server group.

AAA Service Configuration Options

AAA configuration in Cisco NX-OS devices is service based, which means that you can have separate AAA configurations for the following services:

User Telnet or Secure Shell (SSH) login authentication

Console login authentication

Cisco TrustSec authentication (see Chapter 10, "Configuring Cisco TrustSec")

802.1X authentication (see Chapter 8, "Configuring 802.1X")

Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) authentication for Network Admission Control (NAC) (see Chapter 9, "Configuring NAC")

User management session accounting

802.1X accounting (see Chapter 8, "Configuring 802.1X")

Table 2-1 provides the related CLI command for each AAA service configuration option.

.

Table 2-1 AAA Service Configuration Commands 

AAA Service Configuration Option
Related Command

Telnet or SSH login

aaa authentication login default

Console login

aaa authentication login console

Cisco TrustSec authentication

aaa authentication cts default

802.1X authentication

aaa authentication dot1x default

EAPoUDP authentication

aaa authentication eou default

User session accounting

aaa accounting default

802.1X accounting

aaa accounting dot1x default


You can specify the following authentication methods for the AAA services:

RADIUS server groups—Uses the global pool of RADIUS servers for authentication.

Specified server groups—Uses specified RADIUS or TACACS+ server groups for authentication.

Local—Uses the local username or password database for authentication.

None—Uses only the username.


Note If the method is all RADIUS servers, rather than a specific server group, the Cisco NX-OS device chooses the RADIUS server from the global pool of configured RADIUS servers, in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco NX-OS device.


Table 2-2 shows the AAA authentication methods that you can configure for the AAA services.

Table 2-2 AAA Authentication Methods for AAA Services 

AAA Service
AAA Methods

Console login authentication

Server groups, local, and none

User login authentication

Server groups, local, and none

Cisco TrustSec authentication

Server groups only

802.1X authentication

Server groups only

EAPoUDP authentication

Server groups only

User management session accounting

Server groups and local

802.1X accounting

Server groups and local



Note For console login authentication and user login authentication, and user management session accounting, the Cisco NX-OS device tries each option in the order specified. The local option is the default method when other configured options fail.


Authentication and Authorization Process for User Login

Figure 2-1 shows a flow chart of the authentication and authorization process for user login. The following list explain the process:

1. When you log in to the required Cisco NX-OS device, you can use the Telnet, SSH, or console login options.

2. When you have configured the AAA server groups using the server group authentication method, the Cisco NX-OS device sends an authentication request to the first AAA server in the group as follows:

If the AAA server fails to respond, then the next AAA server is tried and so on until the remote server responds to the authentication request.

If all AAA servers in the server group fail to respond, then the servers in the next server group are tried.

If all configured methods fail, then the local database is used for authentication.

3. If the Cisco NX-OS device successfully authenticates you through a remote AAA server, then the following possibilities apply:

If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.

If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.

If the user roles are not successfully retrieved from the remote AAA server, then the user is assigned with the vdc-operator role.

4. If your username and password are successfully authenticated locally, the Cisco NX-OS device logs you in and assigns you the roles configured in the local database.

Figure 2-1 Authorization and Authentication Flow for User Login


Note "No more server groups left" means that there is no response from any server in all server groups.
"No more servers left" means that there is no response from any server within this server group.


Virtualization Support

All AAA configuration and operations are local to the VDC, except the default console methods and the AAA accounting log. The configuration and operation of the AAA authentication methods for the console login apply only to the default VDC. The AAA accounting log is only in the default VDC. You can display the contents from any VDC but you must clear it in the default VDC.

For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide, Release 4.1.

Licensing Requirements for AAA

The following table shows the licensing requirements for this feature:

Product
License Requirement

Cisco NX-OS

AAA requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.1.


Prerequisites for AAA

Remote AAA servers have the following prerequisites:

Ensure that at least one RADIUS or TACACS+ server is IP reachable (see the "Configuring RADIUS Server Hosts" section on page 3-8 and the "Configuring TACACS+ Server Hosts" section on page 4-10).

Ensure that the Cisco NX-OS device is configured as a client of the AAA servers.

Ensure that the preshared secret key is configured on the Cisco NX-OS device and the remote AAA servers.

Ensure that the remote server responds to AAA requests from the Cisco NX-OS device (see the "Manually Monitoring RADIUS Servers or Groups" section on page 3-26 and the "Manually Monitoring TACACS+ Servers or Groups" section on page 4-29).

AAA Guidelines and Limitations

RADIUS has the following guidelines and limitations:

The Cisco NX-OS software does not support all numeric usernames, whether created with TACACS+ or RADIUS, or created locally, and does not create local users with all numeric names. If an all numeric username exists on an AAA server and is entered during login, the Cisco NX-OS device does log in the user.

If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.

Configuring AAA

This section includes the following topics:

Process for Configuring AAA

Configuring Console Login Authentication Methods

Configuring Default Login Authentication Methods

Enabling the Default User Role for AAA Authentication

Enabling Login Authentication Failure Messages

Enabling MSCHAP Authentication

Configuring AAA Accounting Default Methods

Using AAA Server VSAs with Cisco NX-OS Devices


Note If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.


Process for Configuring AAA

Follow these steps to configure AAA authentication and accounting:


Step 1 If you want to use remote RADIUS or TACACS+ servers for authentication, configure the hosts on your Cisco NX-OS device (see Chapter 3, "Configuring RADIUS" and Chapter 4, "Configuring TACACS+").

Step 2 Configure console login authentication methods (see the "Configuring Console Login Authentication Methods" section).

Step 3 Configure default login authentication methods for user logins (see the "Configuring Default Login Authentication Methods" section).

Step 4 Configure default AAA accounting default methods (see the "Configuring AAA Accounting Default Methods" section).



Note To configure authentication methods for 802.1X, see the "Configuring AAA Authentication Methods for 802.1X" section on page 8-11. To configure authentication methods for EAPoUDP, see the "Enabling the Default AAA Authenication Method for EAPoUDP" section on page 9-16.


Configuring Console Login Authentication Methods

This section describes how to configure the authentication methods for the console login.

The authentication methods include the following:

Global pool of RADIUS servers

Named subset of RADIUS or TACACS+ servers

Local database on the Cisco NX-OS device

Username only (none)

The default method is local.


Note The configuration and operation of the AAA for the console login apply only to the default VDC



Note The group radius and group server-name forms of the aaa authentication command refer to a set of previously defined RADIUS servers. Use the radius server-host command to configure the host servers. Use the aaa group server radius command to create a named group of servers.


BEFORE YOU BEGIN

Ensure that you are in the default VDC.

Configure RADIUS or TACACS+ server groups, as needed.

SUMMARY STEPS

1. configure terminal

2. aaa authentication login console {group group-list [none] | local | none}

3. exit

4. show aaa authentication

5. copy running-config start-config

DETAILED STEPS

 
Command
Purpose

Step 1 

configure terminal


Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2 

aaa authentication login console {group group-list [none]| local | none}


Example:

switch(config)# aaa authentication login console group radius

Configures login authentication methods for the console.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

radius—Uses the global pool of RADIUS servers for authentication.

named-group—Uses a named subset of TACACS+ or RADIUS servers for authentication.

The local method uses the local database for authentication. The none method uses the username only.

The default console login method is local, which is used when no methods are configured or when all the configured methods fail to respond.

Step 3 

exit


Example:

switch(config)# exit

switch#

Exits configuration mode.

Step 4 

show aaa authentication


Example:

switch# show aaa authentication

(Optional) Displays the configuration of the console login authentication methods.

Step 5 

copy running-config startup-config


Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring Default Login Authentication Methods

The authentication methods include the following:

Global pool of RADIUS servers

Named subset of RADIUS or TACACS+ servers

Local database on the Cisco NX-OS device

Username only

The default method is local.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

Configure RADIUS or TACACS+ server groups, as needed.

SUMMARY STEPS

1. configure terminal

2. aaa authentication login default {group group-list [none] | local | none}

3. exit

4. show aaa authentication

5. copy running-config start-config

DETAILED STEPS

 
Command
Purpose

Step 1 

configure terminal


Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2 

aaa authentication login default {group group-list [none]| local | none}


Example:

switch(config)# aaa authentication login default group radius

Configures the default authentication methods.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

radius—Uses the global pool of RADIUS servers for authentication.

named-group—Uses a named subset of TACACS+ or RADIUS servers for authentication.

The local method uses the local database for authentication. The none method uses the username only.

The default login method is local, which is used when no methods are configured or when all the configured methods fail to respond.

Step 3 

exit


Example:

switch(config)# exit

switch#

Exits configuration mode.

Step 4 

show aaa authentication


Example:

switch# show aaa authentication

(Optional) Displays the configuration of the default login authentication methods.

Step 5 

copy running-config startup-config


Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Enabling the Default User Role for AAA Authentication

You can allow remote users who do not have a user role to log in to the device through RADIUS or TACACS+ using a default user role. You can enable or disable this feature for the VDC as needed. For the default VDC, the default role is network-operator. For nondefault VDCs, the default VDC is vdc-operator. When you disable the AAA default user role feature, remote users who do not have a user role cannot log in to the device.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. aaa user default-role

3. exit

4. show aaa user default-role

5. copy running-config start-config

DETAILED STEPS

 
Command
Purpose

Step 1 

configure terminal


Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2 

aaa user default-role


Example:

switch(config)# aaa user default-role

Enables the default user role for AAA authentication. The default is enabled.

You can disable the default user role feature by using the no form of this command.

Step 3 

exit


Example:

switch(config)# exit

switch#

Exits configuration mode.

Step 4 

show aaa user default-role


Example:

switch# show aaa user default-role

(Optional) Displays the AAA default user role configuration.

Step 5 

copy running-config startup-config


Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Enabling Login Authentication Failure Messages

When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In such cases, the following message is displayed on the user's terminal—if you have enabled displaying login failure messages:

Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. aaa authentication login error-enable

3. exit

4. show aaa authentication

5. copy running-config start-config

DETAILED STEPS

 
Command
Purpose

Step 1 

configure terminal


Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2 

aaa authentication login error-enable


Example:

switch(config)# aaa authentication login error-enable

Enables login authentication failure messages. The default is disabled.

Step 3 

exit


Example:

switch(config)# exit

switch#

Exits configuration mode.

Step 4 

show aaa authentication


Example:

switch# show aaa authentication

(Optional) Displays the login failure message configuration.

Step 5 

copy running-config startup-config


Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Enabling MSCHAP Authentication

Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to an Cisco NX-OS device through a remote authentication server (RADIUS or TACACS+).

By default, the Cisco NX-OS device uses Password Authentication Protocol (PAP) authentication between the Cisco NX-OS device and the remote server. If you enable MSCHAP, you need to configure your RADIUS server to recognize the MSCHAP vendor-specific attributes (VSAs). See the "Using AAA Server VSAs with Cisco NX-OS Devices" section. Table 2-3 shows the RADIUS VSAs required for MSCHAP.

Table 2-3 MSCHAP RADIUS VSAs 

Vendor-ID Number
Vendor-Type Number
VSA
Description

311

11

MSCHAP-Challenge

Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets.

211

11

MSCHAP-Response

Contains the response value provided by an MSCHAP user in response to the challenge. It is only used in Access-Request packets.


BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. aaa authentication login mschap enable

3. exit

4. show aaa authentication login mschap

5. copy running-config start-config

DETAILED STEPS

 
Command
Purpose

Step 1 

configure terminal


Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2 

aaa authentication login mschap enable


Example:

switch(config)# aaa authentication mschap enable

Enables MS-CHAP authentication. The default is disabled.

Step 3 

exit


Example:

switch(config)# exit

switch#

Exits configuration mode.

Step 4 

show aaa authentication login mschap


Example:

switch# show aaa authentication login mschap

(Optional) Displays the MS-CHAP configuration.

Step 5 

copy running-config startup-config


Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring AAA Accounting Default Methods

Cisco NX-OS software supports TACACS+ and RADIUS methods for accounting. Cisco NX-OS devices report user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.

When you activate AAA accounting, the Cisco NX-OS device reports these attributes as accounting records, which are then stored in an accounting log on the security server.

You can create default method lists defining specific accounting methods, which include the following:

RADIUS server group—Uses the global pool of RADIUS servers for accounting.

Specified server group—Uses a specified RADIUS or TACACS+ server group for accounting.

Local—Uses the local username or password database for accounting.


Note If you have configured server groups and the server groups do not respond, by default, the local database is used for authentication.


BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

Configure RADIUS or TACACS+ server groups, as needed.

SUMMARY STEPS

1. configure terminal

2. aaa accounting default {group group-list | local}

3. exit

4. show aaa accounting

5. copy running-config start-config

DETAILED STEPS

 
Command
Purpose

Step 1 

configure terminal


Example:

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2 

aaa accounting default {group group-list | local}


Example:

switch(config)# aaa accounting default group radius

Configures the default accounting method.

The group-list argument consists of a space-delimited list of group names. The group names are of the following:

radius—Uses the global pool of RADIUS servers for accounting.

named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting.

The local method uses the local database for accounting.

The default method is local, which is used when no server groups are configured or when all the configured server groups fail to respond.

Step 3 

exit


Example:

switch(config)# exit

switch#

Exits configuration mode.

Step 4 

show aaa accounting


Example:

switch# show aaa accounting

(Optional) Displays the configuration AAA accounting default methods.

Step 5 

copy running-config startup-config


Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Using AAA Server VSAs with Cisco NX-OS Devices

You can use vendor-specific attributes (VSAs) to specify Cisco NX-OS user roles and SNMPv3 parameters on AAA servers.

This section includes the following topics:

About VSAs

VSA Format

Specifying Cisco NX-OS User Roles and SMNPv3 Parameters on AAA Servers

About VSAs

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute seperator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.

When you use RADIUS servers for authentication on a Cisco NX-OS device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

VSA Format

The following VSA protocol options are supported by the Cisco NX-OS software:

Shell—Protocol used in access-accept packets to provide user profile information.

Accounting—Protocol used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.

The following attributes are supported by the Cisco NX-OS software:

roles—Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space. For example, if you belong to roles network-operator and vdc-admin, the value field would be "network-operator vdc-admin." This subattribute is sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be used with the shell protocol value. These examples use the roles attribute:

shell:roles="network-operator vdc-admin" 
shell:roles*"network-operator vdc-admin" 

The following examples show the roles attribute as supported by FreeRADIUS:

Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""


Note When you specify a VSA as shell:roles*"network-operator vdc-admin" or "shell:roles*\"network-operator vdc-admin\"", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.


accountinginfo—Stores accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.

Specifying Cisco NX-OS User Roles and SMNPv3 Parameters on AAA Servers

You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco NX-OS device using this format:

shell:roles="roleA roleB ..."

If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.

You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:

shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128 

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 and DES are the default authentication protocols.

For more information on user roles, see Chapter 7, "Configuring User Accounts and RBAC."

Displaying and Clearing the Local AAA Accounting Log

The Cisco NX-OS device maintains a local log for the AAA accounting activity. You can display this log and clear it.


Note The AAA accounting log is local to the default VDC. You can display the contents from any VDC but you must clear it in the default VDC.


BEFORE YOU BEGIN

Ensure that you are in the correct VDC before clearing the AAA accounting log.

SUMMARY STEPS

1. show accounting log [size | start-time year month day hh:mm:ss]

2. clear accounting log

DETAILED STEPS

 
Command
Purpose

Step 1 

show accounting log [size | start-time year month day hh:mm:ss]


Example:

switch# show accounting log

Displays the accounting log contents. By default, the command output contains up to 250,000 bytes of the accounting log.

You can use the size argument to limit command output. The range is from 0 to 250000 bytes. You can also filter the output specifying the start time for the log output.

Step 2 

clear accounting log

Example:

switch# clear accounting log

(Optional) Clears the accounting log contents.

Verifying AAA Configuration

To display AAA configuration information, perform one of the following tasks:

Command
Purpose

show aaa accounting

Displays AAA accounting configuration.

show aaa authentication [login {error-enable | mschap}]

Displays AAA authentication information.

show aaa groups

Displays the AAA server group configuration.

show running-config aaa [all]

Displays the AAA configuration in the running configuration.

show startup-config aaa

Displays the AAA configuration in the startup configuration.


For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.1.

Example AAA Configuration

The following example shows how to configure AAA:

aaa authentication login default group radius
aaa authentication login console group radius
aaa accounting default group radius

Default Settings

Table 2-4 lists the default settings for AAA parameters.

Table 2-4 Default AAA Parameters 

Parameters
Default

Console authentication method

local

Default authentication method

local

Login authentication failure messages

Disabled

MSCHAP authentication

Disabled

Default accounting method

local

Accounting log display length

250 KB


Additional References

For additional information related to implementing AAA, see the following sections:

Related Documents

Standards

MIBs

Related Documents

Related Topic
Document Title

Cisco NX-OS Licensing

Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.1

Command reference

Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.1

RADIUS security protocol

Chapter 3, "Configuring RADIUS"

TACACS+ Security protocol

Chapter 4, "Configuring TACACS+"


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

CISCO-AAA-SERVER-MIB

CISCO-AAA-SERVER-EXT-MIB

To locate and download MIBs, go to the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


Feature History for AAA

Table 2-5 lists the release history for this feature.

Table 2-5 Feature History for AAA 

Feature Name
Releases
Feature Information

AAA

4.0(1)

This feature was introduced.