The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter contains the following sections:
Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information"chapter or the Feature History table in this chapter.
This section includes information about AAA on Cisco NX-OS devices.
The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing a Cisco NX-OS device. Cisco NX-OS devices support Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) protocols.
Based on the user ID and password combination that you provide, Cisco NX-OS devices perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the Cisco NX-OS device and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.
AAA security provides the following services:
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
The accounting feature tracks and maintains a log of every management session used to access the Cisco NX-OS device. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.
 Note |
The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting. |
AAA provides the following benefits:
Increased flexibility and control of access configuration
Scalability
Standardized authentication methods, such as RADIUS and TACACS+
Multiple backup devices
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:
It is easier to manage user password lists for each Cisco NX-OS device in the fabric.
AAA servers are already deployed widely across enterprises and can be easily used for AAA services.
You can centrally manage the accounting log for all Cisco NX-OS devices in the fabric.
It is easier to manage user attributes for each Cisco NX-OS device in the fabric than using the local databases on the Cisco NX-OS devices.
You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco NX-OS device encounters errors from the servers in the first group, it tries the servers in the next server group.
The AAA configuration in Cisco NX-OS devices is service based, which means that you can have separate AAA configurations for the following services:
User Telnet or Secure Shell (SSH) login authentication
Console login authentication
Cisco TrustSec authentication
802.1X authentication
Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) authentication for Network Admission Control (NAC)
User management session accounting
802.1X accounting
This table provides the related CLI command for each AAA service configuration option.
|
AAA Service Configuration Option |
Related Command |
|---|---|
|
Telnet or SSH login |
aaa authentication login default |
|
Fallback to local authentication for the default login. |
aaa authentication login default fallback error local |
|
Console login |
aaa authentication login console |
|
Cisco TrustSec authentication |
aaa authentication cts default |
|
802.1X authentication |
aaa authentication dot1x default |
|
EAPoUDP authentication |
aaa authentication eou default |
|
User session accounting |
aaa accounting default |
|
802.1X accounting |
aaa accounting dot1x default |
You can specify the following authentication methods for the AAA services:
Uses the global pool of RADIUS servers for authentication.
Uses the local username or password database for authentication.
Specifies that no AAA authentication be used.
Note |
If you specify the all RADIUS servers method, rather than a specified server group method, the Cisco NX-OS device chooses the RADIUS server from the global pool of configured RADIUS servers, in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco NX-OS device. |
This table shows the AAA authentication methods that you can configure for the AAA services.
|
AAA Service |
AAA Methods |
|---|---|
|
Console login authentication |
Server groups, local, and none |
|
User login authentication |
Server groups, local, and none |
|
Cisco TrustSec authentication |
Server groups only |
|
802.1X authentication |
Server groups only |
|
EAPoUDP authentication |
Server groups only |
|
User management session accounting |
Server groups and local |
|
802.1X accounting |
Server groups and local |
Note |
For console login authentication, user login authentication, and user management session accounting, the Cisco NX-OS device tries each option in the order specified. The local option is the default method when other configured options fail. |
Note |
This diagram is applicable only to username password SSH authentication. It does not apply to public key SSH authentication. All username password SSH authentication goes through AAA. |
The following list explains the process:
When you log in to the required Cisco NX-OS device, you can use the Telnet, SSH, or console login options.
When you have configured the AAA server groups using the server group authentication method, the Cisco NX-OS device sends an authentication request to the first AAA server in the group as follows:
If the AAA server fails to respond, the next AAA server is tried and so on until the remote server responds to the authentication request.
If all AAA servers in the server group fail to respond, the servers in the next server group are tried.
If all configured methods fail, the local database is used for authentication.
If the Cisco NX-OS device successfully authenticates you through a remote AAA server, then the following possibilities apply:
If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
If the user roles are not successfully retrieved from the remote AAA server, then the user is assigned with the vdc-operator role.
If your username and password are successfully authenticated locally, the Cisco NX-OS device logs you in and assigns you the roles configured in the local database.
Note |
"No more server groups left" means that there is no response from any server in all server groups. "No more servers left" means that there is no response from any server within this server group. |
All AAA configuration and operations are local to the virtual device context (VDC), except the default console methods and the AAA accounting log. The configuration and operation of the AAA authentication methods for the console login apply only to the default VDC. The AAA accounting log is only in the default VDC. You can display the contents from any VDC, but you must clear it in the default VDC.
For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.
Remote AAA servers have the following prerequisites:
Ensure that the Cisco NX-OS device is configured as a client of the AAA servers.
Ensure that the secret key is configured on the Cisco NX-OS device and the remote AAA servers.
Ensure that the remote server responds to AAA requests from the Cisco NX-OS device.
AAA has the following guidelines and limitations:
If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
This table lists the default settings for AAA parameters.
|
Parameters |
Default |
|---|---|
|
Console authentication method |
local |
|
Default authentication method |
local |
|
Login authentication failure messages |
Disabled |
|
MSCHAP authentication |
Disabled |
|
Default accounting method |
local |
|
Accounting log display length |
250 KB |
This section describes the tasks for configuring AAA on Cisco NX-OS devices.
Note |
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use. |
Follow these steps to configure AAA authentication and accounting:
Configure console login authentication methods.
Configure default login authentication methods for user logins.
Configure default AAA accounting default methods.
This section describes how to configure the authentication methods for the console login.
The authentication methods include the following:
Global pool of RADIUS servers
Local database on the Cisco NX-OS device
Username only (none)
The default method is local.
Note |
The configuration and operation of AAA for the console login apply only to the default VDC. |
Note |
The group radius and group server-name forms of the aaa authentication command refer to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server radius command to create a named group of servers. |
Ensure that you are in the default VDC.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters configuration mode. |
|
Step 2 |
aaa authentication login console {group group-list [none] | local | none} Example: |
Configures login authentication methods for the console. The group-list argument consists of a space-delimited list of group names. The group names are the following:
The local method uses the local database for authentication, and the none method specifies that no AAA authentication be used. The default console login method is local , which is used when no methods are configured or when all the configured methods fail to respond. |
|
Step 3 |
exit Example: |
Exits configuration mode. |
|
Step 4 |
(Optional) show aaa authentication Example: |
(Optional)
Displays the configuration of the console login authentication methods. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
The authentication methods include the following:
Global pool of RADIUS servers
Local database on the Cisco NX-OS device
Username only
The default method is local.
| Command or Action | Purpose | |||||
|---|---|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters configuration mode. |
||||
|
Step 2 |
aaa authentication login default { fallback error local |group group-list [none] | local | none} Example: |
Configures the default authentication methods. The fallback error local enables fallback to local authentication for the default login if remote authentication is configured and all AAA servers are unreachable. Fallback to local authentication is enabled by default.
The group-list argument consists of a space-delimited list of group names. The group names are the following:
The local method uses the local database for authentication, and the none method specifies that no AAA authentication be used. The default login method is local , which is used when no methods are configured or when all the configured methods fail to respond.
|
||||
|
Step 3 |
exit Example: |
Exits configuration mode. |
||||
|
Step 4 |
(Optional) show aaa authentication Example: |
(Optional)
Displays the configuration of the default login authentication methods. |
||||
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can allow remote users who do not have a user role to log in to the Cisco NX-OS device through a RADIUS or TACACS+ remote authentication server using a default user role. When you disable the AAA default user role feature, remote users who do not have a user role cannot log in to the device.
You can enable or disable this feature for the VDC as needed. For the default VDC, the default role is network-operator. For nondefault VDCs, the default VDC is vdc-operator.
Make sure that you are in the correct VDC. To switch VDCs, use the switchto vdc command.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters configuration mode. |
|
Step 2 |
aaa user default-role Example: |
Enables the default user role for AAA authentication. The default is enabled. You can disable the default user role feature by using the no form of this command. |
|
Step 3 |
exit Example: |
Exits configuration mode. |
|
Step 4 |
(Optional) show aaa user default-role Example: |
(Optional)
Displays the AAA default user role configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In such cases, the following messages display on the user’s terminal if you have enabled login failure messages:
Remote AAA servers unreachable; local authentication done.Remote AAA servers unreachable; local authentication failed.Make sure that you are in the correct VDC. To switch VDCs, use the switchto vdc command.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters configuration mode. |
|
Step 2 |
aaa authentication login error-enable Example: |
Enables login authentication failure messages. The default is disabled. |
|
Step 3 |
exit Example: |
Exits configuration mode. |
|
Step 4 |
(Optional) show aaa authentication Example: |
(Optional)
Displays the login failure message configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. The Cisco NX-OS software also supports MSCHAP Version 2 (MSCHAP V2). You can use MSCHAP for user logins to a Cisco NX-OS device through a remote authentication server (RADIUS or TACACS+). MSCHAP V2 only supports user logins to a Cisco NX-OS device through remote authentication RADIUS servers. If you configure a TACACS+ group with MSCHAP V2, the AAA default login authentication uses the next configured method, or the local method, if no other server group is configured.
Note |
The Cisco NX-OS software may display the following message: “ Warning: MSCHAP V2 is supported only with Radius.” This warning message is informational only and does not affect MSCHAP V2 operation with RADIUS. |
By default, the Cisco NX-OS device uses Password Authentication Protocol (PAP) authentication between the Cisco NX-OS device and the remote server. If you enable MSCHAP or MSCHAP V2, you need to configure your RADIUS server to recognize the MSCHAP and MSCHAP V2 vendor-specific attributes (VSAs).
This table shows the RADIUS VSAs required for MSCHAP.
|
Vendor-ID Number |
Vendor-Type Number |
VSA |
Description |
|---|---|---|---|
|
311 |
11 |
MSCHAP-Challenge |
Contains the challenge sent by an AAA server to an MSCHAP or MSCHAP V2 user. It can be used in both Access-Request and Access-Challenge packets. |
|
211 |
11 |
MSCHAP-Response |
Contains the response value provided by an MSCHAP or MSCHAP V2 user in response to the challenge. It is only used in Access-Request packets. |
Disable AAA ASCII authentication for logins.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters configuration mode. |
||
|
Step 2 |
no aaa authentication login ascii-authentication Example: |
Disables ASCII authentication. |
||
|
Step 3 |
aaa authentication login {mschap | mschapv2} enable Example: |
Enables MSCHAP or MSCHAP V2 authentication. The default is disabled.
|
||
|
Step 4 |
exit Example: |
Exits configuration mode. |
||
|
Step 5 |
(Optional) show aaa authentication login {mschap | mschapv2} Example: |
(Optional)
Displays the MSCHAP or MSCHAP V2 configuration. |
||
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
Cisco NX-OS software supports TACACS+ and RADIUS methods for accounting. Cisco NX-OS devices report user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.
When you activate AAA accounting, the Cisco NX-OS device reports these attributes as accounting records, which are then stored in an accounting log on the security server.
You can create default method lists defining specific accounting methods, which include the following:
Note |
If you have configured server groups and the server groups do not respond, by default, the local database is used for authentication. |
Configure RADIUS or TACACS+ server groups, as needed.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters configuration mode. |
|
Step 2 |
aaa accounting default {group group-list | local} Example: |
Configures the default accounting method. The group-list argument consists of a space-delimited list of group names. The group names are the following:
The local method uses the local database for accounting. The default method is local , which is used when no server groups are configured or when all the configured server groups fail to respond. |
|
Step 3 |
exit Example: |
Exits configuration mode. |
|
Step 4 |
(Optional) show aaa accounting Example: |
(Optional)
Displays the configuration AAA accounting default methods. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can use vendor-specific attributes (VSAs) to specify Cisco NX-OS user roles and SNMPv3 parameters on AAA servers.
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.
When you use RADIUS servers for authentication on a Cisco NX-OS device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.
The following VSA protocol options are supported by the Cisco NX-OS software:
The following attributes are supported by the Cisco NX-OS software:
Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space. For example, if you belong to roles network-operator and vdc-admin, the value field would be network-operator vdc-admin. This subattribute is sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be used with the shell protocol value. These examples use the roles attribute:
shell:roles=network-operator vdc-admin shell:roles*network-operator vdc-admin
The following examples show the roles attribute as supported by FreeRADIUS:
Cisco-AVPair = shell:roles=\network-operator vdc-admin\ Cisco-AVPair = shell:roles*\network-operator vdc-admin\
Note |
When you specify a VSA as shell:roles*"network-operator vdc-admin" or "shell:roles*\"network-operator vdc-admin\"", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute. |
You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco NX-OS device using this format:
shell:roles="roleA roleB …"
If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.
You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 and DES are the default authentication protocols.
The following secure login enhancements are supported in Cisco NX-OS:
Use this task to configure your Cisco NX-OS device for login parameters that help detect suspected DoS attacks and slow down dictionary attacks.
All login parameters are disabled by default. You must enter the login block-for command, which enables default login functionality, before using any other login commands. After the login block-for command is enabled, the following default is enforced:
All login attempts made through Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is entered.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
[no] login block-for seconds attempts tries within seconds Example: |
Configures your Cisco NX-OS device for login parameters that help provide DoS detection.
|
||
|
Step 3 |
[no] login quiet-mode access-class {acl-name | acl-number } Example: |
(Optional) Although this command is optional, it is recommended that it be configured to specify an ACL that is to be applied to the device when the device switches to quiet mode. When the device is in quiet mode, all login requests are denied and the only available connection is through the console. |
||
|
Step 4 |
exit Example: |
Exits to privileged EXEC mode. |
||
|
Step 5 |
show login failures Example: |
Displays login parameters.
|
The following example shows how to configure your switch to enter a 100 second quiet period if 15 failed login attempts is exceeded within 100 seconds; all login requests are denied during the quiet period except hosts from the ACL "myacl."
Switch(config)# login block-for 100 attempts 15 within 100
Switch(config)# login quiet-mode access-class myaclThe following sample output from the show login command verifies that no login parameters have been specified:
Switch# show login
No Quiet-Mode access list has been configured, default ACL will be applied.
Switch is enabled to watch for login Attacks.
If more than 2 login failures occur in 45 seconds or less, logins will be disabled for 70 seconds.
Switch presently in Normal-Mode.
Current Watch Window remaining time 10 seconds.
Present login failure count 0.
The following sample output from the show login failures command shows all failed login attempts on the switch:
Switch# show login failures
Information about last 20 login failures with the device.
--------------------------------------------------------------------------------
Username Line Source Appname
TimeStamp
--------------------------------------------------------------------------------
admin pts/0 bgl-ads-728.cisco.com login
Wed Jun 10 04:56:16 2015
admin pts/0 bgl-ads-728.cisco.com login
Wed Jun 10 04:56:19 2015
--------------------------------------------------------------------------------
The following sample output from the show login failures command verifies that no information is presently logged:
Switch# show login failures
*** No logged failed login attempts with the device.***The Login Block Per User feature helps detect suspected Denial of Service (DoS) attacks and to slow down dictionary attacks. This feature is applicable only for local users. Use this task to configure login parameters to block an user after failed login attempts.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
aaa authentication rejected attempts in seconds ban seconds Example: |
Configures login parameters to block an user.
|
||
|
Step 3 |
exit Example: |
Exits to privileged EXEC mode. |
||
|
Step 4 |
show running config Example: |
(Optional) Displays the login parameters. |
||
|
Step 5 |
show aaa local user blocked Example: |
(Optional) Displays the blocked local users. |
||
|
Step 6 |
clear aaa local user blocked {username user | all} Example: |
(Optional) Clears the blocked local users.
|
The following example shows how to configure the login parameters to block a user for 300 seconds when five login attempts fail within a period of 60 seconds:
switch(config)# aaa authentication rejected 5 in 60 ban 300
The following example shows the login parameters configured for a switch:
switch# show run | i rejected
aaa authentication rejected 5 in 60 ban 300
The following example shows the blocked local users:
switch# show aaa local user blocked
Local-user State
testuser Watched (till 11:34:42 IST Feb 5 2015)
The following example shows how to clear the blocked local user testuser:
switch# clear aaa local user blocked username testuserUse this task to restrict the maximum sessions per user.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
[no] user max-logins max-logins Example: |
Restricts the maximum sessions per user. The range is from 1 to 7. If you set the maximum login limit as 1, then only one session (telnet/SSH) is allowed per user. |
|
Step 3 |
exit Example: |
Exits to privileged EXEC mode. |
Perform this task to configure passphrase lengths, time values, and locking user accounts.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
userpassphrase { min-length | max-length } Example: |
Admin is allowed to configure either minimum or maximum passphrase length |
|
Step 2 |
userpassphrase { min-length & max-length } Example: |
Admin is allowed to configure both minimum and maximum passphrase length |
|
Step 3 |
show userpassphrase {min-length | max-length | length } Example: |
Using min-length or max-length option, user is allowed to view either minimum or maximum passphrase length configuration .Using length option, they can view complete passphrase length configuration. |
|
Step 4 |
no userpassphrase {min-length | max-length | length } Example: |
To reset the passphrase length configuration to default configuration |
|
Step 5 |
show userpassphrase all Example: |
To list all the parameter values under userpassphrase |
|
Step 6 |
userpassphrase { default-lifetime | default-warntime | default-gracetime } Example: |
Admin is allowed to update the default configurations |
|
Step 7 |
username <username> passphrase { lifetime | warntime | gracetime } Example: |
Admin can configure passphrase lifetimes for any user |
|
Step 8 |
no username <username> passphrase { lifetime | warntime | gracetime | timevalues } Example: |
Admin can reset passphrase lifetimes to default values for any user |
|
Step 9 |
show username <username> passphrase timevalues Example: |
Any user can view his/her passphrase lifetimes configured and admin can view for any user |
|
Step 10 |
username <username> lock-user-account Example: |
Admin can lock any user account |
|
Step 11 |
username <username> expire-userpassphrase Example: |
Admin can set any userpassphrase to expire immediately |
|
Step 12 |
show locked-users Example: |
Admin can view and unlock all the locked users |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
[no] password prompt username Example: |
Enables the login knob. If this command is enabled and the user enters the username command without the password option, then the password is prompted. The password accepts hidden characters. Use the no form of this command to disable the login knob. |
|
Step 3 |
exit Example: |
Exits to privileged EXEC mode. |
Use the show file bootflash:/ sha256sum command to display the sha256sum of the file. The sample output for this command is shown below:
Switch# show file bootflash:/ sha256sum
abd9d40020538acc363df3d1bae7d1df16841e4903fca2c07c7898bf4f549ef5
The shared secret you configure for remote authentication and accounting must be hidden. For the radius-server key and tacacs-server key commands, a separate command to generate encrypted shared secret can be used.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
generate type7_encrypted_secret Example: |
Configures RADIUS and TACACS shared secret with key type 7. While generating an encrypted shared secret, user input is hidden.
|
||
|
Step 3 |
exit Example: |
Exits to privileged EXEC mode. |
To configure AAA SSH-Cert-Authorization on TACACS Servers, follow these steps:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
aaa authorization ssh-certificate default {group group-list [none] | local | none} Example: |
Configures the default AAA authorization-method for SSH request having X509 certificate as TACACS server-group(s). The ssh-certificate keyword configures TACACS or local authorization with certificate authentication. The default authorization is local authorization, which is the list of authorized commands for the user’s assigned role. The group-list argument consists of a space-delimited list of TACACS server group names. Servers belonging to this group are contacted for AAA authorization. The local method uses the local database for authorization, and the none method specifies that no AAA authorization be used. |
|
Step 3 |
exit Example: |
Exits global configuration mode. |
|
Step 4 |
(Optional) show aaa authorization [all] Example: |
(Optional)
Displays the AAA authorization configuration. The all keyword displays the default values. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
The Cisco NX-OS device maintains a local log for the AAA accounting activity. You can monitor this log and clear it.
Note |
The AAA accounting log is local to the default VDC. You can monitor the contents from any VDC, but you must clear it in the default VDC. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
show accounting log [size | last-index | start-seqnum number | start-time year month day hh:mm:ss] Example: |
Displays the accounting log contents. By default, the command output contains up to 250,000 bytes of the accounting log. You can use the size argument to limit command output. The range is from 0 to 250000 bytes. You can also specify a starting sequence number or a starting time for the log output.The range of the starting index is from 1 to 1000000. Use the last-index keyword to display the value of the last index number in the accounting log file. |
|
Step 2 |
(Optional) clear accounting log Example: |
(Optional)
Clears the accounting log contents. |
To display AAA configuration information, perform one of the following tasks:
|
Command |
Purpose |
|---|---|
|
show aaa accounting |
Displays AAA accounting configuration. |
|
show aaa authentication [login {ascii-authentication | error-enable | mschap | mschapv2}] |
Displays AAA authentication login configuration information. |
|
show aaa groups |
Displays the AAA server group configuration. |
|
show running-config aaa [all] |
Displays the AAA configuration in the running configuration. |
|
show startup-config aaa |
Displays the AAA configuration in the startup configuration. |
For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
The following example shows how to configure AAA:
aaa authentication login default group radius
aaa authentication login console group radius
aaa accounting default group radius
This section includes additional information related to implementing AAA.
|
Related Topic |
Document Title |
|---|---|
|
Cisco NX-OS Licensing |
Cisco NX-OS Licensing Guide |
|
Command reference |
Cisco Nexus 7000 Series NX-OS Security Command Reference |
|
SNMP |
Cisco Nexus 7000 Series NX-OS System Management Configuration Guide |
|
Standards |
Title |
|---|---|
|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
CISCO-AAA-SERVER-MIB
CISCO-AAA-SERVER-EXT-MIB
This table lists the release history for this feature.
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Login Block Per User |
7.3(0)D1(1) |
Added support for login block per user. Refer to the "Secure Login Enhancements" section. |
|
Secure Login Enhancements |
7.2(0)D1(1) |
Added enhancements for secure login. Refer to the "Secure Login Enhancements" section. |
|
AAA |
6.0(1) |
No change from Release 5.2. |
|
AAA |
5.2(1) |
Added support for the Cisco Nexus 3000 Series Switches. |
|
AAA |
5.2(1) |
No change from Release 5.1. |
|
AAA |
5.1(1) |
No change from Release 5.0. |
|
AAA authentication |
5.0(2) |
Added support for enabling or disabling AAA authentication for user logins. |
|
AAA authentication |
5.0(2) |
Added support for remote users who do not have a user role to log in to the Cisco NX-OS device through a RADIUS or TACACS+ remote authentication server using a default user role. |
|
Login authentication |
5.0(2) |
Added support for enabling or disabling login authentication failure messages. |
|
CHAP authentication |
5.0(2) |
Added support for enabling or disabling CHAP authentication. |
|
Local authentication |
5.0(2) |
Added support for enabling fallback to local authentication when remote authentication fails. |
|
Local authentication |
5.0(2) |
Added support for disabling fallback to local authentication. |
|
MSCHAP V2 authentication |
4.2(1) |
Added support for enabling or disabling MSCHAP V2 authentication. |
|
AAA |
4.2(1) |
No change from Release 4.1. |
Feedback