About AAA
This section includes information about AAA on Cisco NX-OS devices.
AAA Security Services
The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing a Cisco NX-OS device. Cisco NX-OS devices support Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) protocols.
Based on the user ID and password combination that you provide, Cisco NX-OS devices perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the Cisco NX-OS device and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.
AAA security provides the following services:
- Authentication
- Identifies
users, including login and password dialog, challenge and response, messaging
support, and, depending on the security protocol that you select, encryption.
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
- Authorization
- Provides access control.AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
- Accounting
- Provides the
method for collecting information, logging the information locally, and sending
the information to the AAA server for billing, auditing, and reporting.
The accounting feature tracks and maintains a log of every management session used to access the Cisco NX-OS device. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.
Note |
The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting. |
Benefits of Using AAA
AAA provides the following benefits:
-
Increased flexibility and control of access configuration
-
Scalability
-
Standardized authentication methods, such as RADIUS and TACACS+
-
Multiple backup devices
Remote AAA Services
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:
-
It is easier to manage user password lists for each Cisco NX-OS device in the fabric.
-
AAA servers are already deployed widely across enterprises and can be easily used for AAA services.
-
You can centrally manage the accounting log for all Cisco NX-OS devices in the fabric.
-
It is easier to manage user attributes for each Cisco NX-OS device in the fabric than using the local databases on the Cisco NX-OS devices.
AAA Server Groups
You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implements the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco NX-OS device encounters errors from the servers in the first group, it tries the servers in the next server group.
AAA Service Configuration Options
The AAA configuration in Cisco NX-OS devices is service based, which means that you can have separate AAA configurations for the following services:
-
User Telnet or Secure Shell (SSH) login authentication
-
Console login authentication
-
User management session accounting
This table provides the related CLI command for each AAA service configuration option.
AAA Service Configuration Option |
Related Command |
---|---|
Telnet or SSH login |
aaa authentication login default |
Console login |
aaa authentication login console |
User session accounting |
aaa accounting default |
You can specify the following authentication methods for the AAA services:
- All RADIUS servers
-
Uses the global pool of RADIUS servers for authentication.
- Specified server groups
-
Uses specified RADIUS, TACACS+, or LDAP server groups you have configured for authentication.
- Local
-
Uses the local username or password database for authentication.
- None
-
Specifies that no AAA authentication be used.
Note |
If you specify the all RADIUS servers method, rather than a specified server group method, the Cisco NX-OS device chooses the RADIUS server from the global pool of configured RADIUS servers, in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco NX-OS device. |
This table shows the AAA authentication methods that you can configure for the AAA services.
AAA Service |
AAA Methods |
---|---|
Console login authentication |
Server groups, local, and none |
User login authentication |
Server groups, local, and none |
User management session accounting |
Server groups and local |
Note |
For console login authentication, user login authentication, and user management session accounting, the Cisco NX-OS device tries each option in the order specified. The local option is the default method when other configured options fail. You can disable the local option for the console or default login by using the no aaa authentication login {console | default} fallback error local command. |
Authentication and Authorization Process for User Login
The following list explains the process:
-
When you log in to the required Cisco NX-OS device, you can use the Telnet, SSH, or console login options.
-
When you have configured the AAA server groups using the server group authentication method, the Cisco NX-OS device sends an authentication request to the first AAA server in the group as follows:
-
If the AAA server fails to respond, the next AAA server is tried and so on until the remote server responds to the authentication request.
-
If all AAA servers in the server group fail to respond, the servers in the next server group are tried.
-
If all configured methods fail, the local database is used for authentication, unless fallback to local is disabled for the console login.
-
-
If the Cisco NX-OS device successfully authenticates you through a remote AAA server, then the following possibilities apply:
-
If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
-
If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
-
-
If your username and password are successfully authenticated locally, the Cisco NX-OS device logs you in and assigns you the roles configured in the local database.
Note |
"No more server groups left" means that there is no response from any server in all server groups. "No more servers left" means that there is no response from any server within this server group. |
AES Password Encryption and Primary Encryption Keys
You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type-6 encryption. To start using type-6 encryption, you must enable the AES password encryption feature and configure a primary encryption key, which is used to encrypt and decrypt passwords.
After you enable AES password encryption and configure a primary key, all existing and newly created clear-text passwords for supported applications (currently RADIUS and TACACS+) are stored in type-6 encrypted format, unless you disable type-6 password encryption. You can also configure Cisco NX-OS to convert all existing weakly encrypted passwords to type-6 encrypted passwords.