The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing a Cisco NX-OS device. Cisco NX-OS devices support Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control device Plus (TACACS+) protocols.
Based on the user ID and password combination that you provide, Cisco NX-OS devices perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the Cisco NX-OS device and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.
AAA security provides the following services:
Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption.
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
Provides access control.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.
The accounting feature tracks and maintains a log of every management session used to access the Cisco NX-OS device. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.
The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.
Benefits of Using AAA
AAA provides the following benefits:
Increased flexibility and control of access configuration
Standardized authentication methods, such as RADIUS and TACACS+
Multiple backup devices
Remote AAA Services
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:
It is easier to manage user password lists for each Cisco NX-OS device in the fabric.
AAA servers are already deployed widely across enterprises and can be easily used for AAA services.
You can centrally manage the accounting log for all Cisco NX-OS devices in the fabric.
It is easier to manage user attributes for each Cisco NX-OS device in the fabric than using the local databases on the Cisco NX-OS devices.
AAA Server Groups
You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide for fail-over servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco NX-OS device encounters errors from the servers in the first group, it tries the servers in the next server group.
AAA Service Configuration Options
The AAA configuration in Cisco NX-OS devices is service based, which means that you can have separate AAA configurations for the following services:
Console login authentication
User management session accounting
You can specify the following authentication methods for the AAA services:
All RADIUS servers
Uses the global pool of RADIUS servers for authentication.
Specified server groups
Uses specified RADIUS or TACACS+ server groups you have configured for authentication.
Uses the local username or password database for authentication.
Uses only the username.
If you specify the all RADIUS servers method, rather than a specified server group method, the Cisco NX-OS device chooses the RADIUS server from the global pool of configured RADIUS servers, in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco NX-OS device.
This table shows the AAA authentication methods that you can configure for the AAA services. Table 1 AAA Authentication Methods for AAA Services
Console login authentication
Server groups, local, and none
User login authentication
Server groups, local, and none
Server groups only
User management session accounting
Server groups and local
Server groups and local
For console login authentication, user login authentication, and user management session accounting, the Cisco NX-OS device tries each option in the order specified. The local option is the default method when other configured options fail.
Authentication and Authorization Process for User Login
This figure shows a flow chart of the authentication and authorization process for user login. Figure 1. Authorization and Authentication Flow for User Login
The following list explains the process:
When you log in to the required Cisco NX-OS device, you can use the Telnet, SSH, or console login options.
When you have configured the AAA server groups using the server group authentication method, the Cisco NX-OS device sends an authentication request to the first AAA server in the group as follows:
If the AAA server fails to respond, then the next AAA server is tried and so on until the remote server responds to the authentication request.
If all AAA servers in the server group fail to respond, then the servers in the next server group are tried.
If all configured methods fail, then the local database is used for authentication.
If the Cisco NX-OS device successfully authenticates you through a remote AAA server, then the following possibilities apply:
If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
If the user roles are not successfully retrieved from the remote AAA server, then the user is assigned with the vdc-operator role.
If your username and password are successfully authenticated locally, the Cisco NX-OS device logs you in and assigns you the roles configured in the local database.
"No more server groups left" means that there is no response from any server in all server groups. "No more servers left" means that there is no response from any server within this server group.
Virtualization Support for AAA
All AAA configuration and operations are local to the virtual device context (VDC), except the default console methods and the AAA accounting log. The configuration and operation of the AAA authentication methods for the console login apply only to the default VDC. The AAA accounting log is only in the default VDC. You can display the contents from any VDC but you must clear it in the default VDC.
AAA requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.2.
AAA Guidelines and Limitations
AAA has the following guidelines and limitations:
The Cisco NX-OS software does not support all numeric usernames, whether created with TACACS+ or RADIUS, or created locally, and does not create local users with all numeric names. If an all-numeric username exists on an AAA server and is entered during login, the Cisco NX-OS device does log in the user.
If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
This section describes the tasks for configuring AAA on Cisco NX-OS devices.
This figure shows the AAA Rules pane. Figure 2. AAA Rules Pane
You can change an AAA accounting rule method. The device supports TACACS+ and RADIUS methods for accounting, which report user activity to TACACS+ or RADIUS security servers in the form of accounting records.
You can specify the following accounting methods:
Uses a specified RADIUS or TACACS+ server group for accounting.
Uses the local username or password database for accounting.
The default method is local.
If you have configured server groups and the server groups do not respond, by default, the local database is used for authentication.
Before You Begin
Configure RADIUS or TACACS+ server groups, as needed.
From the Feature Selector pane, choose Security > AAA > Rules.
From the Summary pane, double-click the device.
Double-click Accounting Rules to display the list of accounting rules.
Click the rule to change.
The Accounting Rules tab appears in the Details pane.
From the Accounting Rules tab, click the method to change.
Double-click the method cell under Type and choose the method type from the drop-down list.
If you chose the Group method type, double-click the method cell under Server Group Name and choose a server group name from the drop-down list. Click OK.
From the menu bar, choose File > Deploy to apply your changes to the device.
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute seperator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.
When you use RADIUS servers for authentication on a Cisco NX-OS device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.
The following VSA protocol options are supported by the Cisco NX-OS software:
Protocol used in access-accept packets to provide user profile information.
Protocol used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.
The following attributes are supported by the Cisco NX-OS software:
Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space. For example, if you belong to roles network-operator and vdc-admin, the value field would be network-operator vdc-admin. This subattribute is sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be used with the shell protocol value. These examples use the roles attribute:
The following examples show the roles attribute as supported by FreeRADIUS:
When you specify a VSA as shell:roles*"network-operator vdc-admin" or "shell:roles*\"network-operator vdc-admin\"", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.
Stores accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.
Specifying Cisco NX-OS User Roles and SMNPv3 Parameters on AAA Servers
You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco NX-OS device using this format:
shell:roles="roleA roleB …"
If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.
You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 and DES are the default authentication protocols.
Field Descriptions for AAA
This section describes the fields for configuring AAA in the Cisco Data Center Network Manager (DCNM).