- Index
- Preface
- Product Overview
-
- Configuring Ethernet Interfaces
- Configuring VLANs
- Configuring Private VLANs
- Configuring Rapid PVST+
- Configuring Multiple Spanning Tree
- Configuring STP Extensions
- Configuring Port Channels
- Configuring Access and Trunk Interfaces
- Configuring the MAC Address Table
- Configuring IGMP Snooping
- Configuring Traffic Storm Control
-
- Configuring Fibre Channel Interfaces
- Configuring Domain Parameters
- Configuring N-Port Virtualization
- Configuring VSAN Trunking
- Configuring SAN PortChannels
- Configuring and Managing VSANs
- Configuring and Managing Zones
- Distributing Device Alias Services
- Configuring Fibre Channel Routing Services and Protocols
- Managing FLOGI, Name Server, FDMI, and RSCN Databases
- Discovering SCSI Targets
- Advanced Features and Concepts
- Configuring FC-SP and DHCHAP
- Configuring Port Security
- Configuring Fabric Binding
- Configuring Fabric Configuration Servers
- Configuring Port Tracking
- Information About AAA
- Prerequisites for Remote AAA
- AAA Guidelines and Limitations
- Configuring AAA
Configuring AAA
This chapter describes how to configure authentication, authorization, and accounting (AAA) on Cisco Nexus 5000 Series switches.
Information About AAA
This section includes the following topics:
- AAA Security Services
- Benefits of Using AAA
- Remote AAA Services
- AAA Server Groups
- AAA Service Configuration Options
- Authentication and Authorization Process for User Login
AAA Security Services
The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing Nexus 5000 Series switches. The Nexus 5000 Series switches support Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control device Plus (TACACS+) protocols.
Based on the user ID and password combination that you provide, the Nexus 5000 Series switches perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the Nexus 5000 switch and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.
AAA security provides the following services:
- Authentication—Identifies users, including login and password dialog, challenge and response, messaging support, and, encryption depending on the security protocol that you select.
Authentication is the process of verifying the identity of the person or device accessing the Nexus 5000 Series switches. This process is based on the user ID and password combination provided by the entity trying to access the Nexus 5000 switch. The Nexus 5000 Series switches allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in Nexus 5000 Series switches is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
- Accounting—Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.
The accounting feature tracks and maintains a log of every management session used to access the Nexus 5000 Series switches. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.
The accounting log feature does not log the show commands. For example, the feature does not log the show version or show module commands.
Note
The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.
Benefits of Using AAA
Remote AAA Services
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:
- User password lists for each Nexus 5000 Series switch in the fabric are easier to manage.
- AAA servers are already deployed widely across enterprises and can be easily used for AAA services.
- The accounting log for all switches in the fabric can be centrally managed.
- User attributes for each switch in the fabric than using the local databases on the switches are easier to manage.
AAA Server Groups
You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. If required, you can specify multiple server groups. If a Nexus 5000 Series switch encounters errors from the servers in the first group, it tries the servers in the next server group.
AAA Service Configuration Options
On Nexus 5000 Series switches, you can have separate AAA configurations for the following services:
- User Telnet or Secure Shell (SSH) login authentication
- Console login authentication
- User management session accounting
Table 1-1 lists the CLI commands for each AAA service configuration option.
|
|
|
|---|---|
You can specify the following authentication methods for the AAA services:
- RADIUS server groups—Uses the global pool of RADIUS servers for authentication.
- Specified server groups—Uses specified RADIUS or TACACS+ server groups for authentication.
- Local—Uses the local username or password database for authentication.
- None—Uses only the user name.
Note If the method is for all RADIUS servers, instead of a specific server group, the Nexus 5000 Series switches choose the RADIUS server from the global pool of configured RADIUS servers in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Nexus 5000 Series switches.
Table 1-2 describes the AAA authentication methods that you can configure for the AAA services.
|
|
|
|---|---|
Note For console login authentication, user login authentication, and user management session accounting, the Nexus 5000 Series switches try each option in the order specified. The local option is the default method when other configured options fail.
Authentication and Authorization Process for User Login
Figure 1-1 shows a flowchart of the authentication and authorization process for user login. The following process occurs:
1. When you log in to the required Nexus 5000 Series switch, you can use the Telnet, SSH, Fabric Manager or Device Manager, or console login options.
2. When you have configured the AAA server groups using the server group authentication method, the Nexus 5000 Series switch sends an authentication request to the first AAA server in the group as follows:
a. If the AAA server fails to respond, then the next AAA server is tried and so on until the remote server responds to the authentication request.
b. If all AAA servers in the server group fail to respond, then the servers in the next server group are tried.
c. If all configured methods fail, then the local database is used for authentication.
3. If the Nexus 5000 Series switches successfully authenticate you through a remote AAA server, then the following possibilities apply:
a. If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
b. If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
4. If your username and password are successfully authenticated locally, the Nexus 5000 Series switch logs you in and assigns you the roles configured in the local database.
Figure 1-1 Authorization and Authentication Flow for User Login
Note “No more server groups left” means that there is no response from any server in all server groups.
“No more servers left” means that there is no response from any server within this server group.
Prerequisites for Remote AAA
Remote AAA servers have the following prerequisites:
- At least one RADIUS or TACACS+ server must be IP reachable (see the “Configuring RADIUS Server Hosts” section and the “Configuring TACACS+ Server Hosts” section)
- The Nexus 5000 Series switch is configured as a client of the AAA servers.
- The preshared secret key is configured on the Nexus 5000 Series switch and on the remote AAA servers.
- The remote server responds to AAA requests from the Nexus 5000 Series switch (see the “Manually Monitoring RADIUS Servers or Groups” section and the “Manually Monitoring TACACS+ Servers or Groups” section).
AAA Guidelines and Limitations
The Nexus 5000 Series switches do not support all numeric usernames, whether created with TACACS+ or RADIUS, or created locally, and do not create local users with all numeric names. If an all numeric username exists on an AAA server and is entered during login, the Nexus 5000 Series switch will log in the user.
Configuring AAA
To configure AAA authentication and accounting, perform this task:
Step 1 If you want to use remote RADIUS or TACACS+ servers for authentication, configure the hosts on your Nexus 5000 Series switch. See Chapter 1, “Configuring RADIUS” and Chapter1, “Configuring TACACS+”
Step 2 Configure console login authentication methods. See the “Configuring Console Login Authentication Methods” section.
Step 3 Configure default login authentication methods for user logins. See the “Configuring Default Login Authentication Methods” section
Step 4 Configure default AAA accounting default methods. See the “Configuring AAA Accounting Default Methods” section.
The following topics describe the AAA configuration procedure in more details:
- Configuring Console Login Authentication Methods
- Configuring Default Login Authentication Methods
- Enabling Login Authentication Failure Messages
- Enabling MSCHAP Authentication
- Configuring AAA Accounting Default Methods
- Using AAA Server VSAs with Nexus 5000 Series Switches
Note If you are familiar with the Cisco IOS CLI, be aware that the Nexus 5000 Series commands for this feature might differ from the Cisco IOS commands that you would use.
Configuring Console Login Authentication Methods
This section describes how to configure the authentication methods for the console login.
The authentication methods include the following:
- Global pool of RADIUS servers
- Named subset of RADIUS or TACACS+ servers
- Local database on the Nexus 5000 Series switch
- Username only (none)
Note The group radius and group server-name forms of the aaa authentication command are used for a set of previously defined RADIUS servers. Use the radius server-host command to configure the host servers. Use the aaa group server radius command to create a named group of servers.
Before you configure console login authentication methods, configure RADIUS or TACACS+ server groups as needed. To configure console login authentication methods, perform this task:
The following example shows how to configure authentication methods for the console login:
switch(config)# aaa authentication login console group radius
Configuring Default Login Authentication Methods
The authentication methods include the following:
- Global pool of RADIUS servers
- Named subset of RADIUS or TACACS+ servers
- Local database on the Nexus 5000 Series switch
- Username only
Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed. To configure default login authentication methods, perform this task:
Enabling Login Authentication Failure Messages
When you log in, the login is processed by the local user database if the remote AAA servers do not respond. If you have enabled the displaying of login failure messages, the following message is displayed :
To enable login authentication failure messages, perform this task:
Enabling MSCHAP Authentication
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Nexus 5000 Series switch through a remote authentication server (RADIUS or TACACS+).
By default, the Nexus 5000 Series switch uses Password Authentication Protocol (PAP) authentication between the Nexus 5000 Series switch and the remote server. If you enable MSCHAP, you need to configure your RADIUS server to recognize the MSCHAP vendor-specific attributes (VSAs). See the “Using AAA Server VSAs with Nexus 5000 Series Switches” section. Table 1-3 describes the RADIUS VSAs required for MSCHAP.
To enable MSCHAP authentication, perform this task:
|
|
|
|
|---|---|---|
(Optional) Copies the running configuration to the startup configuration. |
Configuring AAA Accounting Default Methods
The Nexus 5000 Series switch supports TACACS+ and RADIUS methods for accounting. The switches report user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.
When you activate AAA accounting, the Nexus 5000 Series switch reports these attributes as accounting records, which are then stored in an accounting log on the security server.
You can create default method lists defining specific accounting methods, which include the following:.
- RADIUS server group—Uses the global pool of RADIUS servers for accounting.
- Specified server group—Uses a specified RADIUS or TACACS+ server group for accounting.
- Local—Uses the local username or password database for accounting.
Note If you have configured server groups and the server groups do not respond, by default the local database is used for authentication.
Before you configure AAA accounting default methods, configure RADIUS or TACACS+ server groups as needed.
To configure AAA accounting default methods, perform this task:
Using AAA Server VSAs with Nexus 5000 Series Switches
You can use vendor-specific attributes (VSAs) to specify the Nexus 5000 Series user roles and SNMPv3 parameters on AAA servers.
About VSAs
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
The protocol is a Cisco attribute for a particular type of authorization, separator is an equal sign (=) for mandatory attributes, and an asterisk ( *) indicates optional attributes.
When you use RADIUS servers for authentication on a Nexus 5000 Series switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.
VSA Format
The following VSA protocol options are supported by the Nexus 5000 Series switches:
- Shell— Used in access-accept packets to provide user profile information.
- Accounting—Used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.
The following attributes are supported by the Nexus 5000 Series switches:
- roles—Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space.
- accountinginfo—Stores additional accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.
Specifying Nexus 5000 Series switch User Roles and SMNPv3 Parameters on AAA Servers
You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Nexus 5000 Series switch using this format:
If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.
You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 and DES are the default authentication protocols.
For more information on user roles, see Chapter1, “Configuring User Accounts and RBAC”
Displaying and Clearing the Local AAA Accounting Log
The Nexus 5000 Series switch maintains a local log for the AAA accounting activity. To display this log and clear it, perform this task:
Note The accounting log feature does not log the show commands, For example, the feature does not log the show version or show module commands.
Verifying AAA Configuration
To display AAA configuration information, perform one of the following tasks:
|
|
|
|---|---|
Displays the AAA configuration in the running configuration. |
|
Displays the AAA configuration in the startup configuration. |
Example AAA Configuration
The following example shows how to configure AAA:
Default Settings
Table 1-4 lists the default settings for AAA parameters.
|
|
|
|---|---|
Feedback