About AAA
This section includes information about AAA on Cisco NX-OS devices.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure authentication, authorization, and accounting (AAA) on Cisco NX-OS devices.
This chapter includes the following sections:
This section includes information about AAA on Cisco NX-OS devices.
The following table shows the licensing requirements for this feature:
Product |
License Requirement |
---|---|
Cisco NX-OS |
AAA requires no license. Any feature not included in a license package is bundled with the nx-os image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide. |
Remote AAA servers have the following prerequisites:
Ensure that at least one RADIUS, TACACS+, or LDAP server is reachable through IP.
Ensure that the Cisco NX-OS device is configured as a client of the AAA servers.
Ensure that the secret key is configured on the Cisco NX-OS device and the remote AAA servers.
Ensure that the remote server responds to AAA requests from the Cisco NX-OS device.
AAA has the following guidelines and limitations:
If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
Cisco Nexus 3400-S Series switches support the aaa authentication login ascii-authentication command only for TACACS+ (and not for RADIUS).
If you modify the default login authentication method (without using the local keyword), the configuration overrides the console login authentication method. To explicitly configure the console authentication method, use the aaa authentication login console {group group-list [none] | local | none} command.
This table lists the default settings for AAA parameters.
Parameters |
Default |
---|---|
Console authentication method |
local |
Default authentication method |
local |
Login authentication failure messages |
Disabled |
CHAP authentication |
Disabled |
MSCHAP authentication |
Disabled |
Default accounting method |
local |
Accounting log display length |
250 KB |
This section describes the tasks for configuring AAA on Cisco NX-OS devices.
Note |
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use. |
Note |
Cisco Nexus3400-S Series switches support the aaa authentication login ascii-authentication,command only for TACAAS+, but not for RADIUS. Ensure that you have disabled aaa authentication login ascii-authentication command so that the default authentication, PAP is enabled. Otherwise, you will see syslog errors. |
Follow these steps to configure AAA authentication and accounting:
If you want to use remote RADIUS, TACACS+, or LDAP servers for authentication, configure the hosts on your Cisco NX-OS device.
Configure console login authentication methods.
Configure default login authentication methods for user logins.
Configure default AAA accounting default methods.
This section describes how to configure the authentication methods for the console login.
The authentication methods include the following:
Global pool of RADIUS servers
Named subset of RADIUS, TACACS+, or LDAP servers
Local database on the Cisco NX-OS device
Username only (none)
The default method is local, but you have the option to disable it .
Note |
The group radius and group server-name forms of the aaa authentication command refer to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server radius command to create a named group of servers. |
Note |
If you perform a password recovery when remote authentication is enabled, local authentication becomes enabled for console login as soon as the password recovery is done. As a result, you can log into the Cisco NX-OS device through the console port using the new password. After login, you can continue to use local authentication, or you can enable remote authentication after resetting the admin password configured at the AAA servers. For more information about the password recovery process, see the Cisco Nexus 3400-S NX-OS Troubleshooting Guide. |
Configure RADIUS, TACACS+, or LDAP server groups, as needed.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters configuration mode. |
Step 2 |
aaa authentication login console {group group-list [none] | local | none} Example:
|
Configures login authentication methods for the console. The group-list argument consists of a space-delimited list of group names. The group names are the following:
The local method uses the local database for authentication, and the none method specifies that no AAA authentication be used. The default console login method is local , which is used when no methods are configured or when all the configured methods fail to respond, unless fallback to local is disabled for the console login . |
Step 3 |
exit Example:
|
Exits configuration mode. |
Step 4 |
(Optional) show aaa authentication Example:
|
(Optional)
Displays the configuration of the console login authentication methods. |
Step 5 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
The authentication methods include the following:
Global pool of RADIUS servers
Named subset of RADIUS, TACACS+, or LDAP servers
Local database on the Cisco NX-OS device
Username only
The default method is local, but you have the option to disable it .
Configure RADIUS, TACACS+, or LDAP server groups, as needed.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
configure terminal Example:
|
Enters configuration mode. |
||
Step 2 |
aaa authentication login default {group group-list [none] | local | none} Example:
|
Configures the default authentication methods. The group-list argument consists of a space-delimited list of group names. The group names are the following:
The local method uses the local database for authentication, and the none method specifies that no AAA authentication be used. The default login method is local , which is used when no methods are configured or when all the configured methods fail to respond, unless fallback to local is disabled for the console login .
|
||
Step 3 |
exit Example:
|
Exits configuration mode. |
||
Step 4 |
(Optional) show aaa authentication Example:
|
(Optional)
Displays the configuration of the default login authentication methods. |
||
Step 5 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
By default, if remote authentication is configured for console or default login and all AAA servers are unreachable (resulting in an authentication error), the Cisco NX-OS device falls back to local authentication to ensure that users are not locked out of the device. However, you can disable fallback to local authentication in order to increase security.
Caution |
Disabling fallback to local authentication can lock your Cisco NX-OS device, forcing you to perform a password recovery in order to gain access. To prevent being locked out of the device, we recommend that you disable fallback to local authentication for only the default login or the console login, not both. |
Configure remote authentication for the console or default login.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters configuration mode. |
Step 2 |
no aaa authentication login {console | default} fallback error local Example:
|
Disables fallback to local authentication for the console or default login if remote authentication is configured and all AAA servers are unreachable. The following message appears when you disable fallback to local authentication: “WARNING!!! Disabling fallback can lock your switch.” |
Step 3 |
(Optional) exit Example:
|
(Optional)
Exits configuration mode. |
Step 4 |
(Optional) show aaa authentication Example:
|
(Optional)
Displays the configuration of the console and default login authentication methods. |
Step 5 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
You can allow remote users who do not have a user role to log in to the Cisco NX-OS device through a RADIUS or TACACS+ remote authentication server using a default user role. When you disable the AAA default user role feature, remote users who do not have a user role cannot log in to the device.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters configuration mode. |
Step 2 |
aaa user default-role Example:
|
Enables the default user role for AAA authentication. The default is enabled. You can disable the default user role feature by using the no form of this command. |
Step 3 |
exit Example:
|
Exits configuration mode. |
Step 4 |
(Optional) show aaa user default-role Example:
|
(Optional)
Displays the AAA default user role configuration. |
Step 5 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In such cases, the following messages display on the user’s terminal if you have enabled login failure messages:
Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters configuration mode. |
Step 2 |
aaa authentication login error-enable Example:
|
Enables login authentication failure messages. The default is disabled. |
Step 3 |
exit Example:
|
Exits configuration mode. |
Step 4 |
(Optional) show aaa authentication Example:
|
(Optional)
Displays the login failure message configuration. |
Step 5 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
You can configure the switch to log all successful and failed login attempts to the configured syslog server.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
configure terminal Example:
|
Enters global configuration mode. |
||
Step 2 |
[no] login on-failure log Example:
|
Logs all failed authentication messages to the configured syslog server. With this configuration, the following syslog message appears after the failed login: AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 172.22.00.00
|
||
Step 3 |
[no] login on-success log Example:
|
Logs all successful authentication messages to the configured syslog server. With this configuration, the following syslog message appears after the successful login: AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user admin from 172.22.00.00
|
||
Step 4 |
(Optional) show login on-failure log Example:
|
(Optional)
Displays whether the switch is configured to log failed authentication messages to the syslog server. |
||
Step 5 |
(Optional) show login on-successful log Example:
|
(Optional)
Displays whether the switch is configured to log successful authentication messages to the syslog server. |
||
Step 6 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
The Cisco NX-OS software supports the Challenge Handshake Authentication Protocol (CHAP), a challenge-response authentication protocol that uses the industry-standard Message Digest (MD5) hashing scheme to encrypt responses. You can use CHAP for user logins to a Cisco NX-OS device through a remote authentication server (RADIUS or TACACS+).
By default, the Cisco NX-OS device uses Password Authentication Protocol (PAP) authentication between the Cisco NX-OS device and the remote server. If you enable CHAP, you need to configure your RADIUS or TACACS+ server to recognize the CHAP vendor-specific attributes (VSAs).
This table shows the RADIUS and TACACS+ VSAs required for CHAP.
Vendor-ID Number |
Vendor-Type Number |
VSA |
Description |
---|---|---|---|
311 |
11 |
CHAP-Challenge |
Contains the challenge sent by an AAA server to a CHAP user. It can be used in both Access-Request and Access-Challenge packets. |
211 |
11 |
CHAP-Response |
Contains the response value provided by a CHAP user in response to the challenge. It is used only in Access-Request packets. |
Disable AAA ASCII authentication for logins.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
configure terminal Example:
|
Enters configuration mode. |
||
Step 2 |
no aaa authentication login ascii-authentication Example:
|
Disables ASCII authentication. |
||
Step 3 |
aaa authentication login chap enable Example:
|
Enables CHAP authentication. The default is disabled.
|
||
Step 4 |
(Optional) exit Example:
|
(Optional)
Exits configuration mode. |
||
Step 5 |
(Optional) show aaa authentication login chap Example:
|
(Optional)
Displays the CHAP configuration. |
||
Step 6 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. The Cisco NX-OS software also supports MSCHAP Version 2 (MSCHAP V2). You can use MSCHAP for user logins to a Cisco NX-OS device through a remote authentication server (RADIUS or TACACS+). MSCHAP V2 only supports user logins to a Cisco NX-OS device through remote authentication RADIUS servers. If you configure a TACACS+ group with MSCHAP V2, the AAA default login authentication uses the next configured method, or the local method, if no other server group is configured.
Note |
The Cisco NX-OS software may display the following message: “ Warning: MSCHAP V2 is supported only with Radius.” This warning message is informational only and does not affect MSCHAP V2 operation with RADIUS. |
By default, the Cisco NX-OS device uses Password Authentication Protocol (PAP) authentication between the Cisco NX-OS device and the remote server. If you enable MSCHAP or MSCHAP V2, you need to configure your RADIUS server to recognize the MSCHAP and MSCHAP V2 vendor-specific attributes (VSAs).
This table shows the RADIUS VSAs required for MSCHAP.
Vendor-ID Number |
Vendor-Type Number |
VSA |
Description |
---|---|---|---|
311 |
11 |
MSCHAP-Challenge |
Contains the challenge sent by an AAA server to an MSCHAP or MSCHAP V2 user. It can be used in both Access-Request and Access-Challenge packets. |
211 |
11 |
MSCHAP-Response |
Contains the response value provided by an MSCHAP or MSCHAP V2 user in response to the challenge. It is only used in Access-Request packets. |
Disable AAA ASCII authentication for logins.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
configure terminal Example:
|
Enters configuration mode. |
||
Step 2 |
no aaa authentication login ascii-authentication Example:
|
Disables ASCII authentication. |
||
Step 3 |
aaa authentication login {mschap | mschapv2} enable Example:
|
Enables MSCHAP or MSCHAP V2 authentication. The default is disabled.
|
||
Step 4 |
exit Example:
|
Exits configuration mode. |
||
Step 5 |
(Optional) show aaa authentication login {mschap | mschapv2} Example:
|
(Optional)
Displays the MSCHAP or MSCHAP V2 configuration. |
||
Step 6 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
Cisco NX-OS software supports TACACS+ and RADIUS methods for accounting. Cisco NX-OS devices report user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.
When you activate AAA accounting, the Cisco NX-OS device reports these attributes as accounting records, which are then stored in an accounting log on the security server.
You can create default method lists defining specific accounting methods, which include the following:
Note |
If you have configured server groups and the server groups do not respond, by default, the local database is used for authentication. |
Configure RADIUS or TACACS+ server groups, as needed.
Command or Action | Purpose | |
---|---|---|
Step 1 |
configure terminal Example:
|
Enters configuration mode. |
Step 2 |
aaa accounting default {group group-list | local} Example:
|
Configures the default accounting method. The group-list argument consists of a space-delimited list of group names. The group names are the following:
The local method uses the local database for accounting. The default method is local , which is used when no server groups are configured or when all the configured server groups fail to respond. |
Step 3 |
exit Example:
|
Exits configuration mode. |
Step 4 |
(Optional) show aaa accounting Example:
|
(Optional)
Displays the configuration AAA accounting default methods. |
Step 5 |
(Optional) copy running-config startup-config Example:
|
(Optional)
Copies the running configuration to the startup configuration. |
You can use vendor-specific attributes (VSAs) to specify Cisco NX-OS user roles and SNMPv3 parameters on AAA servers.
The Cisco NX-OS device maintains a local log for the AAA accounting activity. You can monitor this log and clear it.
Command or Action | Purpose | |
---|---|---|
Step 1 |
show accounting log [size | last-index | start-seqnum number | start-time year month day hh:mm:ss] Example:
|
Displays the accounting log contents. By default, the command output contains up to 250,000 bytes of the accounting log. You can use the size argument to limit command output. The range is from 0 to 250000 bytes. You can also specify a starting sequence number or a starting time for the log output.The range of the starting index is from 1 to 1000000. Use the last-index keyword to display the value of the last index number in the accounting log file. |
Step 2 |
(Optional) clear accounting log [logflash] Example:
|
(Optional)
Clears the accounting log contents. The logflash keyword clears the accounting log stored in the logflash. |
To display AAA configuration information, perform one of the following tasks:
Command |
Purpose |
---|---|
show aaa accounting |
Displays AAA accounting configuration. |
show aaa authentication [login {ascii-authentication | chap | error-enable | mschap | mschapv2}] |
Displays AAA authentication login configuration information. |
show aaa groups |
Displays the AAA server group configuration. |
show running-config aaa [all] |
Displays the AAA configuration in the running configuration. |
show startup-config aaa |
Displays the AAA configuration in the startup configuration. |
The following example shows how to configure AAA:
aaa authentication login default group radius
aaa authentication login console group radius
aaa accounting default group radius
The following example shows how to configure the switch to enter a 100-second quiet period if 3 failed login attempts is exceeded within 60 seconds. This example shows no login failures.
switch# configure terminal
switch(config)# login block-for 100 attempts 3 within 60
switch(config)# show login
No Quiet-Mode access list has been configured, default ACL will be applied.
Switch is enabled to watch for login Attacks.
If more than 3 login failures occur in 60 seconds or less,
logins will be disabled for 100 seconds.
Switch presently in Normal-Mode.
Current Watch Window remaining time 45 seconds.
Present login failure count 0.
switch(config)# show login failures
*** No logged failed login attempts with the device.***
The following example shows how to configure a quiet-mode ACL. All login requests are denied during the quiet period except hosts from the myacl ACL. This example also shows a login failure.
switch# configure terminal
switch(config)# login block-for 100 attempts 3 within 60
switch(config)# login quiet-mode access-class myacl
switch(config)# show login
Switch is enabled to watch for login Attacks.
If more than 3 login failures occur in 60 seconds or less,
logins will be disabled for 100 seconds.
Switch presently in Quiet-Mode.
Will remain in Quiet-Mode for 98 seconds.
Denying logins from all sources.
switch(config)# show login failures
Information about last 20 login failure's with the device.
--------------------------------------------------------------------------------
Username Line SourceIPAddr Appname TimeStamp
--------------------------------------------------------------------------------
asd /dev/pts/0 171.70.55.158 login Mon Aug 3 18:18:54 2015
qweq /dev/pts/0 171.70.55.158 login Mon Aug 3 18:19:02 2015
qwe /dev/pts/0 171.70.55.158 login Mon Aug 3 18:19:08 2015
--------------------------------------------------------------------------------
The following example shows how to configure the switch to prompt the user to enter a password after she enters the username command and the error message that displays if she does not enter a password.
switch# configure terminal
switch(config)# password prompt username
Password prompt username is enabled.
After providing the required options in the username command, press enter.
User will be prompted for the username password and password will be hidden.
Note: Choosing password key in the same line while configuring user account, password will not be hidden.
switch(config)# username user1
Enter password:
Confirm password:
warning: password for user:user1 not set. S/he may not be able to login
The following example shows how to configure the switch to prompt the user to enter a password after she enters the snmp-server user command and the prompts that then display to the user.
switch# configure terminal
switch(config)# password prompt username
Password prompt username is enabled.
After providing the required options in the username command, press enter.
User will be prompted for the username password and password will be hidden.
Note: Choosing password key in the same line while configuring user account, password will not be hidden.
N9K-1(config)# snmp-server user user1
Enter auth md5 password (Press Enter to Skip):
Enter auth sha password (Press Enter to Skip):
This section includes additional information related to implementing AAA.
Related Topic |
Document Title |
---|---|
Cisco NX-OS Licensing |
Cisco NX-OS Licensing Guide |
Standards |
Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |