The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes the Cisco NX-OS Security commands that begin with A.
To configure authentication, authorization, and accounting (AAA) methods for accounting, use the aaa accounting default command. To revert to the default, use the no form of this command.
aaa accounting default { group group-list | local }
no aaa accounting default { group group-list | local }
Space-separated list of server groups that can include the following:
The group group-list methods refer to a set of previously defined servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify the group method, the local method, or both, and they fail, then the accounting authentication fails.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This example shows how to configure any RADIUS server for AAA accounting:
To configure authentication, authorization, and accounting (AAA) methods for accounting for 802.1X authentication, use the aaa accounting dot1x command. To revert to the default, use the no form of this command.
aaa accounting dot1x { group group-list | local }
no aaa accounting dot1x { group group-list | local }
Space-separated list of RADIUS server groups that can include the following:
The group group-list methods refer to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify the group method, the local method, or both, and they fail, then the accounting authentication fails.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This example shows how to configure authentication, authorization, and accounting (AAA) methods for accounting for 802.1X authentication:
To configure the default authentication, authorization, and accounting (AAA) RADIUS server groups for Cisco TrustSec authentication, use the aaa authentication cts default group command. To remove a server group from the default AAA authentication server group list, use the no form of this command.
aaa authentication cts default group group-list
no aaa authentication cts default group group-list
Space-separated list of RADIUS server groups that can include the following:
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This example shows how to configure the default AAA authentication RADIUS server group for Cisco TrustSec:
To configure AAA authentication methods for 802.1X, use the aaa authentication dot1x default group command. To revert to the default, use the no form of this command.
aaa authentication dot1x default group group-list
no aaa authentication dot1x default group group-list
Space-separated list of RADIUS server groups that can include the following:
You must use the feature dot1x command before you configure 802.1X.
The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This example shows how to configure methods for 802.1X authentication:
This example shows how to revert to the default methods for 802.1X authentication:
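The following configuration ties the aaa accounting default, aaa accounting dot1x and aaa authentication dot1x default group commands from the sections above to one RADIUS server group. It is an added example, not text or sample output from the Cisco reference: the address 192.0.2.10, the shared key and the group name RAD-GRP are constructed placeholders, and the server-group submode commands server and use-vrf, together with the authentication and accounting keywords of radius-server host, are standard NX-OS commands that this chapter does not document.

```text
! Added example, not from the Cisco reference. 192.0.2.10, the key and the
! group name RAD-GRP are constructed placeholders.
switch# configure terminal
! Define the RADIUS server; the key is the shared secret with that server.
switch(config)# radius-server host 192.0.2.10 key 0 PLACEHOLDER-KEY authentication accounting
! Put it in a named group so that method lists can refer to it by name.
switch(config)# aaa group server radius RAD-GRP
switch(config-radius)# server 192.0.2.10
switch(config-radius)# use-vrf management
switch(config-radius)# exit
! Session accounting records go to the group. The alternative keyword
! "local" keeps the records on the switch instead of sending them out.
switch(config)# aaa accounting default group RAD-GRP
! 802.1X needs the feature enabled before its AAA methods are accepted.
switch(config)# feature dot1x
switch(config)# aaa accounting dot1x group RAD-GRP
switch(config)# aaa authentication dot1x default group RAD-GRP
! Confirm that the group name resolves before relying on it.
switch(config)# show aaa groups
```

Because the group list is searched in the order given, a second group appended after RAD-GRP would be consulted only when RAD-GRP does not respond.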
To configure AAA authentication methods for EAP over UDP (EoU), use the aaa authentication eou default group command. To revert to the default, use the no form of this command.
aaa authentication eou default group group-list
no aaa authentication eou default group group-list
Space-separated list of RADIUS server groups that can include the following:
Before configuring EAPoUDP default authentication methods, you must enable EAPoUDP using the feature eou command.
The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This example shows how to configure methods for EAPoUDP authentication:
This example shows how to revert to the default methods for EAPoUDP authentication:
To enable ASCII authentication for passwords on a TACACS+ server, use the aaa authentication login ascii-authentication command. To revert to the default, use the no form of this command.
aaa authentication login ascii-authentication
no aaa authentication login ascii-authentication
This example shows how to enable ASCII authentication for passwords on TACACS+ servers:
This example shows how to disable ASCII authentication for passwords on TACACS+ servers:
Displays the status of the ASCII authentication for passwords.
To enable Challenge Handshake Authentication Protocol (CHAP) authentication at login, use the aaa authentication login chap enable command. To revert to the default, use the no form of this command.
aaa authentication login chap enable
no aaa authentication login chap enable
You cannot enable both CHAP and MSCHAP or MSCHAP V2 on your Cisco NX-OS device.
This example shows how to enable CHAP authentication:
This example shows how to disable CHAP authentication:
To configure AAA authentication methods for console logins, use the aaa authentication login console command. To revert to the default, use the no form of this command.
aaa authentication login console { fallback error local | group group-list [ none ] | local | none }
no aaa authentication login console { fallback error local | group group-list [ none ] | local | none }
The group radius, group tacacs+, group ldap, and group group-list methods refer to a set of previously defined RADIUS, TACACS+, or LDAP servers. Use the radius-server host, tacacs-server host, or ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
If you specify the group method or local method and they fail, the authentication can fail. If you specify the none method alone or after the group method, the authentication always succeeds.
This example shows how to configure the AAA authentication console login methods:
This example shows how to revert to the default AAA authentication console login method:
To configure the default AAA authentication methods, use the aaa authentication login default command. To revert to the default, use the no form of this command.
aaa authentication login default { fallback error local | group group-list [ none ] | local | none }
no aaa authentication login default { fallback error local | group group-list [ none ] | local | none }
The group radius, group tacacs+, group ldap, and group group-list methods refer to a set of previously defined RADIUS, TACACS+, or LDAP servers. Use the radius-server host, tacacs-server host, or ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
If you specify the group method or local method and they fail, the authentication fails. If you specify the none method alone or after the group method, the authentication always succeeds.
This example shows how to configure the AAA authentication default login method:
This example shows how to revert to the default AAA authentication default login method:
To configure that the AAA authentication failure message displays on the console, use the aaa authentication login error-enable command. To revert to the default, use the no form of this command.
aaa authentication login error-enable
no aaa authentication login error-enable
When you log in and the remote AAA servers do not respond, the login is processed by rolling over to the local user database. In that case, if you have enabled the display of login failure messages, the following message is displayed on the user's terminal:
This example shows how to enable the display of AAA authentication failure messages to the console:
This example shows how to disable the display of AAA authentication failure messages to the console:
Displays the status of the AAA authentication failure message display.
To include the username in authentication failed messages for all failure reasons, use the aaa authentication login invalid-username-log command. To revert to the default, use the no form of this command. This applies to both local and remote authentication.
aaa authentication login invalid-username-log
show aaa authentication login invalid-username-log
no aaa authentication login invalid-username-log
This is a configuration mode command.
This command causes the username to be included in authentication failed messages for all failure reasons, whether or not the username is valid, because under some conditions the switch cannot determine whether a username is valid. This applies to both local and remote authentication.
This example shows how to include the username in authentication failed messages for all failure reasons:
This example shows how to exclude the username in authentication failed messages for all failure reasons:
To enable Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authentication at login, use the aaa authentication login mschap enable command. To revert to the default, use the no form of this command.
aaa authentication login mschap enable
no aaa authentication login mschap enable
You cannot enable both MSCHAP and CHAP or MSCHAP V2 on your Cisco NX-OS device.
This example shows how to enable MSCHAP authentication:
This example shows how to disable MSCHAP authentication:
To enable Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication at login, use the aaa authentication login mschapv2 enable command. To revert to the default, use the no form of this command.
aaa authentication login mschapv2 enable
no aaa authentication login mschapv2 enable
You cannot enable both MSCHAP V2 and CHAP or MSCHAP on your Cisco NX-OS device.
This example shows how to enable MSCHAP V2 authentication:
This example shows how to disable MSCHAP V2 authentication:
To configure the login block per user, use the aaa authentication rejected command. To remove the login block per user, use the no form of this command.
aaa authentication rejected attempts in seconds ban block-seconds
no aaa authentication rejected
Time period in which the user is blocked after a failed login attempt.
The following example shows how to configure the login parameters to block a user for 300 seconds when 5 login attempts fail within a period of 60 seconds.
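The login-related commands described above (aaa authentication login default and console, error-enable, invalid-username-log and aaa authentication rejected) are shown below as one login-hardening configuration. It is an added example, not text or sample output from the Cisco reference: the address 192.0.2.20, the shared key and the group name TAC-GRP are constructed placeholders, and the server-group submode commands server and use-vrf and the show aaa authentication command are standard NX-OS commands that this chapter does not document.

```text
! Added example, not from the Cisco reference. 192.0.2.20, the key and the
! group name TAC-GRP are constructed placeholders.
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# tacacs-server host 192.0.2.20 key 0 PLACEHOLDER-KEY
switch(config)# aaa group server tacacs+ TAC-GRP
switch(config-tacacs+)# server 192.0.2.20
switch(config-tacacs+)# use-vrf management
switch(config-tacacs+)# exit
! Remote (VTY) logins: ask TAC-GRP first; the local database is consulted
! only when no server in the group responds. A server that rejects the
! credentials ends the attempt, it does not fall through to local.
switch(config)# aaa authentication login default group TAC-GRP local
! Console: local only, so the console stays a recovery path that does
! not depend on the AAA servers being reachable.
switch(config)# aaa authentication login console local
! Tell the operator when a login was served by the local database because
! the remote servers did not respond.
switch(config)# aaa authentication login error-enable
! Record the attempted username for every failure reason, valid or not.
switch(config)# aaa authentication login invalid-username-log
! Throttle guessing: 5 failures within 60 seconds block the user for
! 300 seconds.
switch(config)# aaa authentication rejected 5 in 60 ban 300
! Setting to avoid: "none" after the group makes the login succeed whenever
! the servers are unreachable, and "none" alone succeeds always.
!   aaa authentication login default group TAC-GRP none
switch(config)# show aaa authentication
```

The commented-out line shows the weak form side by side with the hardened one; the usage guidelines above state that none, alone or after a group, always succeeds, which is exactly what an attacker who can interrupt the path to the AAA servers would want.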
To configure default AAA authorization methods for all EXEC commands, use the aaa authorization commands default command. To revert to the default, use the no form of this command.
aaa authorization commands default [ group group-list [ local ] | local ]
no aaa authorization commands default [ group group-list [ local ] | local ]
To use this command, you must enable the TACACS+ feature using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you have not configured a fallback method after the TACACS+ server group method, authorization fails if all server groups fail to respond.
Note Command authorization is available only to non-console sessions. If you use a console to log in to the device, command authorization is disabled.
Note By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
This example shows how to configure the default AAA authorization methods for EXEC commands:
Note If you press Enter at the confirmation prompt, the default response is n.
This example shows how to revert to the default AAA authorization methods for EXEC commands:
Configures default AAA authorization methods for configuration commands.
Tests the command authorization using the AAA command authorization methods.
To configure default AAA authorization methods for all configuration commands, use the aaa authorization config-commands default command. To revert to the default, use the no form of this command.
aaa authorization config-commands default [ group group-list [ local ] | local ]
no aaa authorization config-commands default [ group group-list [ local ] | local ]
To use this command, you must enable the TACACS+ feature using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you have not configured a fallback method after the TACACS+ server group method, authorization fails if all server groups fail to respond.
Note Command authorization is available only to non-console sessions. If you use a console to log in to the device, command authorization is disabled.
Note By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
This example shows how to configure the default AAA authorization methods for configuration commands:
This example shows how to revert to the default AAA authorization methods for configuration commands:
Configures default AAA authorization methods for EXEC commands.
Tests the command authorization using the AAA command authorization methods.
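The following applies the aaa authorization commands default and aaa authorization config-commands default commands from the two sections above with the fallback behaviour their usage guidelines describe. It is an added example, not text or sample output from the Cisco reference: TAC-GRP is a constructed name for a TACACS+ server group assumed to exist already (see aaa group server tacacs+), and show aaa authorization is a standard NX-OS show command that this chapter does not document.

```text
! Added example, not from the Cisco reference. TAC-GRP is a constructed
! name for a TACACS+ server group that already exists.
switch# configure terminal
switch(config)# feature tacacs+
! Authorize EXEC commands (show, clear, ...) against TAC-GRP. "local"
! after the group is used only when every server fails to respond; a
! server that explicitly denies the command is final. The switch asks
! for confirmation here and treats a bare Enter as "n", so answer "y".
switch(config)# aaa authorization commands default group TAC-GRP local
! Same method list for configuration-mode commands.
switch(config)# aaa authorization config-commands default group TAC-GRP local
! Command authorization never applies to console sessions, so keep the
! console on local authentication as the recovery path and protect
! physical console access accordingly.
switch(config)# aaa authentication login console local
! Fail-closed alternative: without "local", loss of every TACACS+ server
! means no command is authorized on any VTY session. Choose this only if
! console access is guaranteed during an outage.
!   aaa authorization commands default group TAC-GRP
switch(config)# show aaa authorization
```

Once command authorization is on, tab completion and context-sensitive help list every command regardless of role, so a denied command is reported by the TACACS+ server at execution time rather than hidden from the user.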
To configure the default authentication, authorization, and accounting (AAA) RADIUS server groups for Cisco TrustSec authorization, use the aaa authorization cts default group command. To remove a server group from the default AAA authorization server group list, use the no form of this command.
aaa authorization cts default group group-list
no aaa authorization cts default group group-list
Space-separated list of RADIUS server groups that can include the following:
To use the aaa authorization cts default group command, you must enable the Cisco TrustSec feature using the feature cts command.
The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This example shows how to configure the default AAA authorization RADIUS server group for Cisco TrustSec:
To configure the default AAA authorization method for TACACS+ or Lightweight Directory Access Protocol (LDAP) servers, use the aaa authorization ssh-certificate command. To disable this configuration, use the no form of this command.
aaa authorization ssh-certificate default { group group-list | local }
no aaa authorization ssh-certificate default { group group-list | local }
Space-separated list of server groups. The list can include the following:
To use this command, you must enable the TACACS+ feature using the feature tacacs+ command or the LDAP feature using the feature ldap command.
The group tacacs+, group ldap, and group group-list methods refer to a set of previously defined TACACS+ and LDAP servers. Use the tacacs-server host command or ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the TACACS+ or LDAP server group method, authorization fails if all server groups fail to respond.
This example shows how to configure LDAP authorization with certificate authentication as the default AAA authorization method for LDAP servers:
Configures LDAP or local authorization with the SSH public key as the default AAA authorization method for LDAP servers.
To configure Lightweight Directory Access Protocol (LDAP) or local authorization with the Secure Shell (SSH) public key as the default AAA authorization method for LDAP servers, use the aaa authorization ssh-publickey command. To revert to the default, use the no form of this command.
aaa authorization ssh-publickey default { group group-list | local }
no aaa authorization ssh-publickey default { group group-list | local }
Space-separated list of server groups. The list can include the following:
To use this command, you must enable the LDAP feature using the feature ldap command.
The group ldap and group group-list methods refer to a set of previously defined LDAP servers. Use the ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the LDAP server group method, authorization fails if all server groups fail to respond.
This example shows how to configure LDAP authorization with the SSH public key as the default AAA authorization method for LDAP servers:
Configures LDAP or local authorization with certificate authentication as the default AAA authorization method for LDAP servers.
To create a Lightweight Directory Access Protocol (LDAP) server group and enter LDAP server group configuration mode, use the aaa group server ldap command. To delete an LDAP server group, use the no form of this command.
aaa group server ldap group-name
no aaa group server ldap group-name
LDAP server group name. The name is alphanumeric and case-sensitive. The maximum length is 64 characters.
You must use the feature ldap command before you configure LDAP.
This example shows how to create an LDAP server group and enter LDAP server configuration mode:
This example shows how to delete an LDAP server group:
To create a RADIUS server group and enter RADIUS server group configuration mode, use the aaa group server radius command. To delete a RADIUS server group, use the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
RADIUS server group name. The name is alphanumeric and case-sensitive. The maximum length is 64 characters.
This example shows how to create a RADIUS server group and enter RADIUS server configuration mode:
This example shows how to delete a RADIUS server group:
To create a TACACS+ server group and enter TACACS+ server group configuration mode, use the aaa group server tacacs+ command. To delete a TACACS+ server group, use the no form of this command.
aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name
TACACS+ server group name. The name is alphanumeric and case-sensitive. The maximum length is 64 characters.
You must use the feature tacacs+ command before you configure TACACS+.
This example shows how to create a TACACS+ server group and enter TACACS+ server configuration mode:
This example shows how to delete a TACACS+ server group:
To allow remote users who do not have a user role to log in to the device through RADIUS or TACACS+ using a default user role, use the aaa user default-role command. To disable default user roles for remote users, use the no form of this command.
You can enable or disable this feature for the virtual device context (VDC) as needed. For the default VDC, the default role is network-operator. For nondefault VDCs, the default role is vdc-operator. When you disable the AAA default user role feature, remote users who do not have a user role cannot log in to the device.
This example shows how to enable default user roles for AAA authentication of remote users:
This example shows how to disable default user roles for AAA authentication of remote users:
To specify a time range that has a specific start date and time, a specific end date and time, or both, use the absolute command. To remove an absolute time range, use the no form of this command.
[ sequence-number ] absolute [ start time date ] [ end time date ]
no { sequence-number | absolute [ start time date ] [ end time date ]}
The device interprets all time range rules as local time.
If you omit both the start and the end keywords, the device considers the absolute time range to be always active.
You specify time arguments in 24-hour notation, in the form hours:minutes or hours:minutes:seconds. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00.
You specify date arguments in the day month year format. The minimum valid start time and date is 00:00:00 1 January 1970, and the maximum valid start time is 23:59:59 31 December 2037.
This example shows how to create an absolute time rule that begins at 7:00 a.m. on September 17, 2007, and ends at 11:59:59 p.m. on September 19, 2007:
To specify the time interval within which the device accepts a key during a key exchange with another device, use the accept-lifetime command. To remove the time interval, use the no form of this command.
accept-lifetime [ local ] start-time [ duration duration-value | infinite | end-time ]
no accept-lifetime [ local ] start-time [ duration duration-value | infinite | end-time ]
By default, the device interprets all time range rules as UTC.
By default, the accept lifetime (the time interval within which the device accepts a key during a key exchange with another device) is infinite, which means that the key is always valid.
The start-time and end-time arguments both require time and date components, in the following format:
hour[:minute[:second]] month day year
You specify the hour in 24-hour notation. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00. The minimum valid start-time is 00:00:00 Jan 1 1970, and the maximum valid start-time is 23:59:59 Dec 31 2037.
This example shows how to create an accept lifetime that begins at midnight on June 13, 2008, and ends at 11:59:59 p.m. on August 12, 2008:
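The accept-lifetime command is most useful together with send-lifetime during a key rollover, where the receive window of each key is deliberately wider than its send window. The following shows that arrangement as an added example, not text or sample output from the Cisco reference: the key chain name, key identifiers and key strings are constructed placeholders, and key chain, key, key-string, send-lifetime and show key chain are standard NX-OS key-chain commands that this chapter does not document.

```text
! Added example, not from the Cisco reference. Key chain name, key ids
! and key strings are constructed placeholders. Times are UTC (default).
switch# configure terminal
switch(config)# key chain ROUTING-KEYS
! Key 1: the current key. It is accepted until Aug 12 but sent only until
! Jul 31, so a peer that rolls over late, or whose clock is slightly off,
! is still accepted after this device has stopped sending with it.
switch(config-keychain)# key 1
switch(config-keychain-key)# key-string 0 PLACEHOLDER-KEY-1
switch(config-keychain-key)# accept-lifetime 00:00:00 Jun 13 2008 23:59:59 Aug 12 2008
switch(config-keychain-key)# send-lifetime 00:00:00 Jun 13 2008 23:59:59 Jul 31 2008
switch(config-keychain-key)# exit
! Key 2: the successor. Its accept window opens before key 1 stops being
! sent, so both ends can migrate without a gap; it is sent from Aug 1.
switch(config-keychain)# key 2
switch(config-keychain-key)# key-string 0 PLACEHOLDER-KEY-2
switch(config-keychain-key)# accept-lifetime 00:00:00 Jul 15 2008 infinite
switch(config-keychain-key)# send-lifetime 00:00:00 Aug 1 2008 infinite
switch(config-keychain-key)# exit
switch(config-keychain)# exit
! Every lifetime check depends on the device clock; keep NTP in sync.
! To express a lifetime in the device's local time instead of UTC, add
! the "local" keyword:  accept-lifetime local 00:00:00 Jul 15 2008 infinite
switch(config)# show key chain ROUTING-KEYS
```

The overlap between Jul 15 and Aug 12 is the window in which both keys are valid for receiving; after Aug 12 a peer still using key 1 is rejected, which is the intended effect of retiring the old key.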
To apply an IPv4 access control list (ACL) to a virtual terminal (VTY) line, use the access-class command. To remove an IPv4 ACL from a VTY line, use the no form of this command.
access-class access-list-name { in | out }
no access-class access-list-name { in | out }
(Optional) Specifies that the device applies the ACL to inbound traffic.
(Optional) Specifies that the device applies the ACL to outbound traffic.
Because a user can connect to any VTY line, you should set identical restrictions on all virtual terminal lines.
This example shows how to remove dynamically learned, secure MAC addresses from the Ethernet 2/1 interface:
This example shows how to remove the dynamically learned, secure MAC addresses 0019.D2D0.00AE:
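The following restricts management access on the VTY lines with the access-class command from this section, using an IPv4 ACL whose maintenance-window entry is governed by the absolute time-range rule described earlier in this chapter. It is an added example, not text or sample output from the Cisco reference: the addresses, the ACL name VTY-MGMT and the time-range name MAINT-WINDOW are constructed placeholders, and time-range, ip access-list, line vty and show time-range are standard NX-OS commands that this chapter does not document.

```text
! Added example, not from the Cisco reference. Addresses, ACL and
! time-range names are constructed placeholders.
switch# configure terminal
! Maintenance window, interpreted in the device's local time. Omitting
! both start and end would make the rule always active.
switch(config)# time-range MAINT-WINDOW
switch(config-time-range)# 10 absolute start 7:00 17 September 2007 end 23:59:59 19 September 2007
switch(config-time-range)# exit
! Management ACL: the NOC subnet may always reach SSH, a vendor jump host
! only during the window, everything else is denied and logged.
switch(config)# ip access-list VTY-MGMT
switch(config-acl)# 10 permit tcp 192.0.2.0/24 any eq 22
switch(config-acl)# 20 permit tcp host 198.51.100.7 any eq 22 time-range MAINT-WINDOW
switch(config-acl)# 30 deny ip any any log
switch(config-acl)# exit
! A user can land on any VTY line, so the same ACL goes on all of them.
switch(config)# line vty
switch(config-line)# access-class VTY-MGMT in
switch(config-line)# exit
switch(config)# show time-range MAINT-WINDOW
```

Once the window has passed, entry 20 stops matching and the jump host falls through to the logged deny, so the temporary access expires without anyone having to remember to remove it.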
To specify what the device does when a packet matches a permit command in a VLAN access control list (VACL), use the action command. To remove an action command, use the no form of this command.
action redirect { ethernet slot/port | port-channel channel-number.subinterface-number }
no action redirect { ethernet slot/port | port-channel channel-number.subinterface-number }
The action command specifies the action that the device takes when a packet matches the conditions in an ACL specified by a match command in the same access map entry as the action command.
This example shows how to create a VLAN access map named vlan-map-01 and add two entries that each have two match commands and one action command:
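The following builds a VLAN access map around the action command from this section. It is an added example, not text or sample output from the Cisco reference: VLAN 20, the ACL names and Ethernet 2/1 are constructed placeholders, Ethernet 2/1 is assumed to connect to an inline inspection appliance, and ip access-list, vlan access-map, match ip address, vlan filter, show vlan access-map and the action drop keyword are standard NX-OS commands that this chapter does not document.

```text
! Added example, not from the Cisco reference. VLAN 20, ACL names and
! Ethernet 2/1 are constructed placeholders.
switch# configure terminal
switch(config)# ip access-list GUEST-TO-SERVERS
switch(config-acl)# 10 permit ip 10.20.0.0/16 10.10.0.0/16
switch(config-acl)# exit
switch(config)# ip access-list CLEARTEXT-MGMT
switch(config-acl)# 10 permit tcp any any eq 23
switch(config-acl)# 20 permit tcp any any eq 80
switch(config-acl)# exit
! Entry 10: traffic from the guest range toward the server range is taken
! off its normal forwarding path and sent out Ethernet 2/1, where the
! inline appliance decides what continues. Note that redirect is not a
! copy: if nothing behind Ethernet 2/1 forwards the traffic, it is gone.
switch(config)# vlan access-map vlan-map-01 10
switch(config-access-map)# match ip address GUEST-TO-SERVERS
switch(config-access-map)# action redirect ethernet 2/1
switch(config-access-map)# exit
! Entry 20: cleartext management protocols are dropped inside the VLAN.
switch(config)# vlan access-map vlan-map-01 20
switch(config-access-map)# match ip address CLEARTEXT-MGMT
switch(config-access-map)# action drop
switch(config-access-map)# exit
! Bind the map to the VLAN; traffic that matches no entry is forwarded.
switch(config)# vlan filter vlan-map-01 vlan-list 20
switch(config)# show vlan access-map
```

Entries are evaluated in sequence order, so a packet that matches entry 10 is redirected even if it would also have matched entry 20.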
To create an Address Resolution Protocol (ARP) access control list (ACL) or to enter ARP access list configuration mode for a specific ARP ACL, use the arp access-list command. To remove an ARP ACL, use the no form of this command.
arp access-list access-list-name
no arp access-list access-list-name
Name of the ARP ACL. The name can be up to 64 alphanumeric, case-sensitive characters. Names cannot contain a space or quotation mark.
Use ARP ACLs to filter ARP traffic when you cannot use DHCP snooping.
No ARP ACLs are defined by default.
When you use the arp access-list command, the device enters ARP access list configuration mode, where you can use the ARP deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.
Use the ip arp inspection filter command to apply the ARP ACL to a VLAN.
This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01:
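The following creates an ARP ACL with the arp access-list command from this section and applies it with ip arp inspection filter, as the usage guidelines describe. It is an added example, not text or sample output from the Cisco reference: VLAN 20, the gateway address 10.20.0.1 and its MAC address are constructed placeholders, the permit/deny ACE syntax and the ip arp inspection commands are standard NX-OS Dynamic ARP Inspection commands that this chapter does not document, and the behaviour of unmatched packets described in the comments is what the standard DAI design specifies, stated here as an assumption.

```text
! Added example, not from the Cisco reference. VLAN 20, 10.20.0.1 and
! 0000.5e00.0101 are constructed placeholders.
switch# configure terminal
switch(config)# arp access-list ARP-ACL-01
! Only the real gateway may claim the gateway IP. Any other sender MAC
! announcing that address is a spoofed ARP and is dropped and logged.
switch(config-arp-acl)# 10 permit ip host 10.20.0.1 mac host 0000.5e00.0101
switch(config-arp-acl)# 20 deny ip host 10.20.0.1 mac any log
switch(config-arp-acl)# exit
! Enable DAI on the VLAN and attach the ACL. Without the "static" keyword
! (assumption: standard DAI behaviour) ARP packets the ACL does not match
! are still validated against the DHCP snooping bindings, so the ACL is a
! static exception for hosts such as the gateway that never use DHCP.
switch(config)# ip arp inspection vlan 20
switch(config)# ip arp inspection filter ARP-ACL-01 vlan 20
switch(config)# show ip arp inspection vlan 20
```

The logged deny in entry 20 is the detection hook: a burst of matches on it is a direct indicator of ARP spoofing against the gateway on that VLAN.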
To configure Lightweight Directory Access Protocol (LDAP) authentication to use the bind or compare method, use the authentication command. To disable this configuration, use the no form of this command.
authentication { bind-first [ append-with-baseDN DNstring ] | compare [ password-attribute password ]}
no authentication { bind-first [ append-with-baseDN DNstring ] | compare [ password-attribute password ]}
(Optional) Specifies the distinguished name (DN) string. You can enter up to 63 alphanumeric characters.
(Optional) Specifies the user password attribute. You can enter up to 63 alphanumeric characters.
LDAP server group configuration
This example shows how to configure LDAP authentication to use the compare method:
Creates an LDAP server group and enters the LDAP server group configuration mode for that group.
Configures the LDAP server as a member of the LDAP server group.
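The following puts the LDAP-related commands of this chapter together: aaa group server ldap, the authentication command in LDAP server group mode, and the aaa authorization ssh-certificate and aaa authorization ssh-publickey commands. It is an added example, not text or sample output from the Cisco reference: the address 192.0.2.30, the bind DN, the password, the group name LDAP-GRP and the attribute name userPassword are constructed placeholders, and the ldap-server host options and the server-group submode commands server and use-vrf are standard NX-OS commands that this chapter does not document.

```text
! Added example, not from the Cisco reference. 192.0.2.30, the bind DN,
! the password, LDAP-GRP and userPassword are constructed placeholders.
switch# configure terminal
switch(config)# feature ldap
! The switch's own bind identity, needed so that it can run compare
! operations on behalf of users, and TLS so that passwords never cross
! the network in the clear.
switch(config)# ldap-server host 192.0.2.30 rootDN "cn=svc-nxos,dc=example,dc=com" password PLACEHOLDER-PW
switch(config)# ldap-server host 192.0.2.30 enable-ssl
switch(config)# aaa group server ldap LDAP-GRP
switch(config-ldap)# server 192.0.2.30
switch(config-ldap)# use-vrf management
! compare: the switch asks the directory to compare the supplied password
! against the named attribute instead of binding as the user. The other
! method, bind-first, binds as the user and can append the base DN.
switch(config-ldap)# authentication compare password-attribute userPassword
switch(config-ldap)# exit
! SSH logins that authenticated with a certificate or a public key still
! need an authorization source for their role. With only the group
! configured this fails closed when no server responds; the usage
! guidelines above describe configuring local as the fallback method.
switch(config)# aaa authorization ssh-certificate default group LDAP-GRP
switch(config)# aaa authorization ssh-publickey default group LDAP-GRP
switch(config)# show aaa groups
```

Whichever authentication method is chosen, the account named in rootDN should be a least-privilege service account that can read and compare the attributes it needs and nothing else.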