- New and Changed Information
- Preface
- Overview
- Managing User Accounts
- Configuring VSD
- Configuring AAA
- Configuring RADIUS
- Configuring TACACS+
- Configuring SSH
- Configuring Telnet
- Configuring an IP ACL
- Configuring a MAC ACL
- Configuring Port Security
- Configuring DHCP Snooping
- Configuring Dynamic ARP Inspection
- Configuring IP Source Guard
- Disabling the HTTP Server
- Blocking Unknown Unicast Flooding
- Configuration Limits
- Index
Configuring AAA
This chapter describes how to configure authentication, authorization, and accounting (AAA) and includes the following sections:
•AAA Guidelines and Limitations
Information About AAA
This section includes the following topics:
AAA Security Services
Based on a user ID and password combination, AAA is used to authenticate and authorize users. A key secures communication with AAA servers.
In many circumstances, AAA uses protocols such as RADIUS or TACACS+, to administer its security functions. If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS or TACACS+, security server.
Although AAA is the primary (and recommended) method for access control, additional features for simple access control are available outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA.
Separate AAA configurations are made for the following services:
•User Telnet or Secure Shell (SSH) login authentication
•Console login authentication
•User management session accounting
Table 4-1 shows the related CLI command for configuring an AAA service.
.
|
|
---|---|
Telnet or SSH login |
aaa authentication login default |
Console login |
aaa authentication login console |
AAA secures the following:
Authentication
Authentication identifies users with a login and password, messaging, and encryption.
Authentication is accomplished as follows:
Figure 4-1 Authenticating User Log In
Authorization
Authorization restricts the actions that a user is allowed to perform.
Accounting
Accounting tracks and maintains a log of every SVS management session. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.
AAA Server Groups
Remote AAA server groups can provide fail-over in case one remote AAA server fails to respond. If the first server in the group fails, the next server in the group is tried until a server responds. Multiple server groups can provide fail-over for each other in this same way.
If all remote server groups fail, the local database is used for authentication.
Prerequisites for AAA
Authentication using remote AAA servers requires that the following be in place:
•At least one TACACS+ or RADIUS server is IP reachable
•The VSM is configured as an AAA server client.
•A shared secret key is configured on the VSM and the remote AAA server.
See the "Configuring Shared Keys" procedure on page 6-9.
AAA Guidelines and Limitations
The Cisco Nexus 1000Vdoes not support user names made up of all numeric characters and does not create local user names made up of all numeric characters. If a username made up of all numeric characters exists on an AAA server and is entered during login, the Cisco Nexus 1000V does authenticate the user.
Default Settings
The following table lists the AAA defaults.
|
|
---|---|
Console authentication method |
local |
Default authentication method |
local |
Login authentication failure messages |
Disabled |
Configuring AAA
This section includes the following topics:
•Configuring a Login Authentication Method
•Enabling Login Authentication Failure Messages
Use the following flow chart to configure AAA.
Flow Chart: Configuring AAA
Configuring a Login Authentication Method
Use this procedure to configure the login authentication method.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•If authentication is to be done with TACACS+ server group(s), you have already added the group(s). For more information, see Configuring a TACACS+ Server Group, page 6-12.
SUMMARY STEPS
1. config t
2. aaa authentication login {console | default} {group group-list [none] | local | none}
3. exit
4. show aaa authentication
5. copy running-config start-config
DETAILED STEPS
Enabling Login Authentication Failure Messages
Use this procedure to enable the login authentication failure message to displays if the remote AAA servers do not respond.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•The following is the Login Authentication Failure message:
Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.
SUMMARY STEPS
1. config t
2. aaa authentication login error-enable
3. exit
4. show aaa authentication login error-enable
5. copy running-config start-config
DETAILED STEPS
Verifying AAA Configuration
To display AAA configuration information, perform one of the following tasks:
|
|
---|---|
show aaa authentication [login {error-enable | mschap}] |
Displays AAA authentication information. See Example 4-1 |
show aaa groups |
Displays the AAA server group configuration. |
show running-config aaa [all] |
Displays the AAA configuration in the running configuration. See Example 4-2 |
show startup-config aaa |
Displays the AAA configuration in the startup configuration. See Example 4-3 |
Example 4-1 show aaa authentication
n1000v# show aaa authentication login error-enable
disabled
Example 4-2 show running config aaa
n1000v# show running-config aaa all
version 4.0(1)
aaa authentication login default local
aaa accounting default local
no aaa authentication login error-enable
no aaa authentication login mschap enable
no radius-server directed-request
no snmp-server enable traps aaa server-state-change
no tacacs-server directed-request
n1000v#
Example 4-3 show startup-config aaa
n1000v# show startup-config aaa
version 4.0(1)svs#
Example AAA Configuration
The following is an AAA configuration example:
aaa authentication login default group tacacs
aaa authentication login console group tacacs
Additional References
For additional information related to implementing AAA, see the following sections:
Related Documents
Standards
|
|
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
Feature History for AAA
This section provides the AAA release history.
|
|
|
---|---|---|
AAA |
4.0(4)SV1(1) |
This feature was introduced. |