This chapter describes how to configure authentication, authorization, and accounting (AAA) and includes the following sections:
•AAA Guidelines and Limitations
Based on a user ID and password combination, AAA is used to authenticate and authorize users. A key secures communication with AAA servers.
In many circumstances, AAA uses protocols such as RADIUS or TACACS+ to administer its security functions. If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS or TACACS+ security server.
Although AAA is the primary (and recommended) method for access control, additional features for simple access control are available outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA.
Separate AAA configurations are made for the following services:
•User Telnet or Secure Shell (SSH) login authentication
•Console login authentication
•User management session accounting
Table 3-1 shows the related CLI command for configuring an AAA service.

| AAA Service | Related Command |
|---|---|
| Telnet or SSH login | aaa authentication login default |
| Console login | aaa authentication login console |
AAA secures the following:
Authentication identifies users with a login and password, messaging, and encryption.
Authentication is accomplished as follows:
Figure 3-1 Authenticating User Log In
Authorization restricts the actions that a user is allowed to perform.
Accounting tracks and maintains a log of every SVS management session. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.
Remote AAA server groups can provide fail-over in case one remote AAA server fails to respond. If the first server in the group fails, the next server in the group is tried until a server responds. Multiple server groups can provide fail-over for each other in this same way.
If all remote server groups fail, the local database is used for authentication.
Authentication using remote AAA servers requires that the following be in place:
•At least one TACACS+ server is IP reachable
See the "Configuring a TACACS+ Server Host" section.
•The SVS is configured as an AAA server client.
•A shared secret key is configured on the SVS and the remote AAA server.
See the "Configuring Shared Keys" procedure.
The Nexus 1000V does not support usernames made up of all numeric characters and does not create local usernames made up of all numeric characters. If a username made up of all numeric characters exists on an AAA server and is entered during login, the SVS does authenticate the user.
This section includes the following topics:
•Configuring a Login Authentication Method
•Enabling Login Authentication Failure Messages
Use the following flow chart to configure AAA.
Flow Chart: Configuring AAA
Use this procedure to configure the login authentication method.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•If authentication is to be done with TACACS+ server group(s), you have already added the group(s). For more information, see the "Configuring a TACACS+ Server Group" procedure.
1. config t
2. aaa authentication login {console | default} {group group-list [none] | local | none}
3. exit
4. show aaa authentication
5. copy running-config startup-config
Use this procedure to enable the login authentication failure message to display if the remote AAA servers do not respond.
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•The following are the Login Authentication Failure messages:
Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.
1. config t
2. aaa authentication login error-enable
3. exit
4. show aaa authentication login error-enable
5. copy running-config startup-config
To display AAA configuration information, perform one of the following tasks:

| Command | Purpose |
|---|---|
| show aaa authentication [login {error-enable \| mschap}] | Displays AAA authentication information. See Example 3-1. |
| show aaa groups | Displays the AAA server group configuration. |
| show running-config aaa [all] | Displays the AAA configuration in the running configuration. See Example 3-2. |
| show startup-config aaa | Displays the AAA configuration in the startup configuration. See Example 3-3. |
Example 3-1 show aaa authentication
n1000v# show aaa authentication login error-enable
disabled
Example 3-2 show running config aaa
n1000v# show running-config aaa all
version 4.0(1)
aaa authentication login default local
aaa accounting default local
no aaa authentication login error-enable
no aaa authentication login mschap enable
no radius-server directed-request
no snmp-server enable traps aaa server-state-change
no tacacs-server directed-request
n1000v#
Example 3-3 show startup-config aaa
n1000v# show startup-config aaa
version 4.0(1)
svs#
The following is an AAA configuration example:
aaa authentication login default group tacacs
aaa authentication login console group tacacs
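As an added example (not part of the Cisco documentation), the following Python script audits `show running-config aaa all` output such as Example 3-2 for the settings this chapter covers: the login method list for each service (flagging the `none` keyword, which NX-OS treats as no authentication when it is reached), whether the error-enable message is on, and where accounting goes. Both sample outputs are constructed, and the parser assumes the command syntax shown in the procedure above.

```python
# Constructed sample: the "show running-config aaa all" output shown on this page.
SAMPLE_PAGE_OUTPUT = """\
version 4.0(1)
aaa authentication login default local
aaa accounting default local
no aaa authentication login error-enable
no aaa authentication login mschap enable
no radius-server directed-request
no snmp-server enable traps aaa server-state-change
no tacacs-server directed-request
"""

# Constructed weaker variant: TACACS+ first, then the "none" fallback on the default line.
SAMPLE_WEAK_OUTPUT = """\
aaa authentication login default group tacacs none
aaa authentication login console group tacacs
aaa accounting default group tacacs
no aaa authentication login error-enable
"""

def parse_aaa(output):
    """Extract login methods, error-enable state and accounting target."""
    # Page defaults: both login services use the local database unless configured.
    cfg = {"login": {"console": ["local"], "default": ["local"]},
           "error_enable": False, "accounting": None}
    for line in output.splitlines():
        words = line.split()  # "no ..." lines never match: their first word is "no"
        if len(words) > 4 and words[:3] == ["aaa", "authentication", "login"] and words[3] in ("console", "default"):
            cfg["login"][words[3]] = words[4:]
        elif words == ["aaa", "authentication", "login", "error-enable"]:
            cfg["error_enable"] = True
        elif words[:3] == ["aaa", "accounting", "default"]:
            cfg["accounting"] = " ".join(words[3:])
    return cfg

def audit_aaa(output):
    """Findings a reviewer should see before trusting this AAA configuration."""
    cfg = parse_aaa(output)
    findings = []
    for svc, methods in cfg["login"].items():
        if "none" in methods:  # NX-OS "none" = no authentication once reached
            findings.append(f"{svc} login falls through to 'none' (unauthenticated)")
        if methods == ["local"]:
            findings.append(f"{svc} login uses only the local database")
    if not cfg["error_enable"]:
        findings.append("error-enable is off: fallback to local auth is silent")
    if cfg["accounting"] in (None, "local"):
        findings.append("accounting is local only; session logs stay on the device")
    return findings
```

Run `audit_aaa` over the saved output of `show running-config aaa all` to get a list of findings; an empty list means none of the checks above fired.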
The following table lists the AAA defaults.

| Parameter | Default |
|---|---|
| Console authentication method | local |
| Default authentication method | local |
| Login authentication failure messages | Disabled |
For additional information related to implementing AAA, see the following sections:
| Standards | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |
This section provides the AAA release history.

| Feature Name | Releases | Feature Information |
|---|---|---|
| AAA | 4.0 | This feature was introduced. |