This chapter describes the Cisco NX-OS security commands that begin with A.
To configure authentication, authorization, and accounting (AAA) methods for accounting, use the aaa accounting default command. To revert to the default, use the no form of this command.
aaa accounting default {group group-list | local}
no aaa accounting default {group group-list | local}
Defaults: The local database is the default.
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |
The group group-list method refers to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or the local method and it fails, then the accounting can fail.
This example shows how to configure any RADIUS server for AAA accounting:
switch(config)# aaa accounting default group radius
To configure authentication, authorization, and accounting (AAA) authentication methods for console logins, use the aaa authentication login console command. To revert to the default, use the no form of this command.
aaa authentication login console {group group-list [none] | local | none}
no aaa authentication login console {group group-list [none] | local | none}
Defaults: The local database
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and they fail, then the authentication can fail. If you specify the none method alone or after the group method, then the authentication always succeeds.
This example shows how to configure the AAA authentication console login method:
switch(config)# aaa authentication login console group radius
This example shows how to revert to the default AAA authentication console login method:
switch(config)# no aaa authentication login console group radius
To configure the default authentication, authorization, and accounting (AAA) authentication methods, use the aaa authentication login default command. To revert to the default, use the no form of this command.
aaa authentication login default {group group-list [none] | local | none}
no aaa authentication login default {group group-list [none] | local | none}
Defaults: The local database
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and they fail, then the authentication fails. If you specify the none method alone or after the group method, then the authentication always succeeds.
This example shows how to configure the default AAA authentication login method:
switch(config)# aaa authentication login default group radius
This example shows how to revert to the default AAA authentication login method:
switch(config)# no aaa authentication login default group radius
To configure that the authentication, authorization, and accounting (AAA) authentication failure message displays on the console, use the aaa authentication login error-enable command. To revert to the default, use the no form of this command.
aaa authentication login error-enable
no aaa authentication login error-enable
This command has no arguments or keywords.
Defaults: Disabled
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |
When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In this situation, one of the following messages is displayed if you have enabled the display of login failure messages:
Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.
This example shows how to enable the display of AAA authentication failure messages to the console:
switch(config)# aaa authentication login error-enable
This example shows how to disable the display of AAA authentication failure messages to the console:
switch(config)# no aaa authentication login error-enable
| Command | Description |
|---|---|
| show aaa authentication | Displays the status of the AAA authentication failure message display. |
To enable Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication at login, use the aaa authentication login mschap enable command. To revert to the default, use the no form of this command.
aaa authentication login mschap enable
no aaa authentication login mschap enable
This command has no arguments or keywords.
Defaults: Disabled
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |
This example shows how to enable MS-CHAP authentication:
switch(config)# aaa authentication login mschap enable
This example shows how to disable MS-CHAP authentication:
switch(config)# no aaa authentication login mschap enable
| Command | Description |
|---|---|
| show aaa authentication | Displays the status of MS-CHAP authentication. |
To configure default authentication, authorization, and accounting (AAA) authorization methods for all EXEC commands, use the aaa authorization commands default command. To revert to the default, use the no form of this command.
aaa authorization commands default [group group-list] [local | none]
no aaa authorization commands default [group group-list] [local | none]
Defaults: None
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 4.2(1)N1(1) | This command was introduced. |
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you specify the none method alone or after the group method, then the authorization always succeeds.
This example shows how to configure the default AAA authorization methods for EXEC commands:
switch(config)# aaa authorization commands default group TacGroup local
switch(config)#
This example shows how to revert to the default AAA authorization methods for EXEC commands:
switch(config)# no aaa authorization commands default group TacGroup local
switch(config)#
To configure the default authentication, authorization, and accounting (AAA) authorization methods for all configuration commands, use the aaa authorization config-commands default command. To revert to the default, use the no form of this command.
aaa authorization config-commands default [group group-list] [local | none]
no aaa authorization config-commands default [group group-list] [local | none]
Defaults: None
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 4.2(1)N1(1) | This command was introduced. |
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you specify the none method alone or after the group method, then the authorization always succeeds.
This example shows how to configure the default AAA authorization methods for configuration commands:
switch(config)# aaa authorization config-commands default group TacGroup local
switch(config)#
This example shows how to revert to the default AAA authorization methods for configuration commands:
switch(config)# no aaa authorization config-commands default group TacGroup local
switch(config)#
To configure the default authentication, authorization, and accounting (AAA) authorization method for TACACS+ servers, use the aaa authorization ssh-certificate command. To disable this configuration, use the no form of this command.
aaa authorization ssh-certificate default {group group-list | local}
no aaa authorization ssh-certificate default {group group-list | local}
Defaults: local
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |
To use this command, you must enable the TACACS+ feature using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ and LDAP servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the TACACS+ or LDAP server group method, authorization fails if all server groups fail to respond.
This command does not require a license.
This example shows how to configure the local database with certificate authentication as the default AAA authorization method:
switch# configure terminal
switch(config)# aaa authorization ssh-certificate default local
switch(config)#
To configure local authorization with the Secure Shell (SSH) public key as the default AAA authorization method for TACACS+ servers, use the aaa authorization ssh-publickey command. To revert to the default, use the no form of this command.
aaa authorization ssh-publickey default {group group-list | local}
no aaa authorization ssh-publickey default {group group-list | local}
Defaults: local
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 5.1(3)N1(1) | This command was introduced. |
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the server group method, authorization fails if all server groups fail to respond.
This command does not require a license.
This example shows how to configure local authorization with the SSH public key as the default AAA authorization method:
switch# configure terminal
switch(config)# aaa authorization ssh-publickey default local
switch(config)#
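The method-list rules stated for the login, authorization commands, config-commands, ssh-certificate and ssh-publickey commands above (server groups are tried in the order listed; local or none is consulted only when every listed group fails to respond; none always succeeds) can be checked mechanically. The following Python script is an added example and is not Cisco code: it parses the AAA method-list commands from this chapter as they appear in a running configuration, simulates one request against a given set of server-group states, and flags any list whose none fallback still grants access when every server group is down. The configuration excerpt, the group names TacGroup, TacA and TacB, and the address 192.0.2.10 are constructed sample data.

```python
"""Evaluate and audit Cisco NX-OS AAA method lists.

Added example, not Cisco code. It models the evaluation rules given in the
command reference: server groups are tried in the order listed, the local or
none fallback is consulted only when every listed group fails to respond, and
none always succeeds. All configuration text below is constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches the method-list commands documented in this chapter, for example
#   aaa authentication login default group TacGroup local
#   aaa authorization config-commands default group TacGroup none
#   aaa accounting default group radius
METHOD_LIST_RE = re.compile(
    r"^aaa\s+(?P<kind>"
    r"authentication login (?:default|console)"
    r"|authorization (?:commands|config-commands|ssh-certificate|ssh-publickey) default"
    r"|accounting default"
    r")\s+(?P<methods>.+)$"
)


@dataclass
class MethodList:
    kind: str
    groups: List[str] = field(default_factory=list)  # server groups, configured order
    fallback: Optional[str] = None                   # "local", "none" or None


def parse_method_list(line: str) -> MethodList:
    """Parse one AAA method-list command line into its groups and fallback."""
    m = METHOD_LIST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an AAA method-list command: {line!r}")
    tokens = m.group("methods").split()
    result = MethodList(kind=m.group("kind"))
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens) and result.fallback is None:
            result.groups.append(tokens[i + 1])
            i += 2
        elif tokens[i] in ("local", "none") and result.fallback is None:
            result.fallback = tokens[i]
            i += 1
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in {line!r}")
    return result


def evaluate(ml: MethodList, group_state: Dict[str, str],
             local_result: str = "accept") -> str:
    """Outcome of one request: 'accept', 'reject' or 'fail'.

    group_state maps a group name to 'accept', 'reject' or 'unreachable'
    (a group missing from the map is treated as unreachable). local_result is
    what the local user database would answer if it is consulted.
    """
    for group in ml.groups:
        state = group_state.get(group, "unreachable")
        if state in ("accept", "reject"):
            # A group that responds decides the request; later groups and the
            # fallback method are not consulted.
            return state
        # unreachable: try the next group in the list
    # Every listed group failed to respond (or no group was listed).
    if ml.fallback == "none":
        return "accept"          # none always succeeds
    if ml.fallback == "local":
        return local_result      # the local database decides
    return "fail"                # no fallback configured


def audit(config_lines: List[str]) -> List[str]:
    """Flag method lists that grant access even when no server group responds."""
    findings = []
    for line in config_lines:
        try:
            ml = parse_method_list(line)
        except ValueError:
            continue                      # not a method-list command
        all_down = {g: "unreachable" for g in ml.groups}
        # With every group down and a local database that would deny, only a
        # none fallback can still produce "accept".
        if evaluate(ml, all_down, local_result="reject") == "accept":
            findings.append(f"{line.strip()}: none fallback grants access "
                            f"whenever the server groups do not respond")
    return findings


# Constructed running-configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server host 192.0.2.10
aaa group server tacacs+ TacGroup
aaa authentication login default group TacGroup local
aaa authentication login console group TacGroup none
aaa authorization commands default group TacGroup local
aaa authorization config-commands default group TacGroup none
aaa accounting default group TacGroup
aaa authentication login error-enable
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample excerpt, the audit reports the console login list and the config-commands list, because both end in none; the lists that end in local are not reported, since with the servers down they defer to the local database rather than granting access unconditionally.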
To create a RADIUS server group and enter RADIUS server group configuration mode, use the aaa group server radius command. To delete a RADIUS server group, use the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
| Argument | Description |
|---|---|
| group-name | RADIUS server group name. |

Defaults: None
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |
This example shows how to create a RADIUS server group and enter RADIUS server configuration mode:
switch(config)# aaa group server radius RadServer
switch(config-radius)#
This example shows how to delete a RADIUS server group:
switch(config)# no aaa group server radius RadServer
| Command | Description |
|---|---|
| show aaa groups | Displays server group information. |
To enable the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the aaa user default-role command. To disable the default role, use the no form of this command.
aaa user default-role
no aaa user default-role
This command has no arguments or keywords.
Defaults: Enabled
Command Modes: Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |
This example shows how to enable the default role assigned by the AAA server administrator for remote authentication:
switch(config)# aaa user default-role
switch(config)#
This example shows how to disable the default role assigned by the AAA server administrator for remote authentication:
switch(config)# no aaa user default-role
switch(config)#
| Command | Description |
|---|---|
| show aaa user default-role | Displays the status of the default user for remote authentication. |
| show aaa authentication | Displays AAA authentication information. |
To restrict incoming and outgoing connections between a particular VTY (into a Cisco Nexus 5000 Series switch) and the addresses in an access list, use the access-class command. To remove access restrictions, use the no form of this command.
access-class access-list-name {in | out}
no access-class access-list-name {in | out}
Defaults: None
Command Modes: Line configuration mode

| Release | Modification |
|---|---|
| 5.0(2)N1(1) | This command was introduced. |
When you allow Telnet or SSH access to a Cisco device, you can secure access to the device by binding an access class to the VTYs.
To display the access lists for a particular terminal line, use the show line command.
This example shows how to configure an access class on a VTY line to restrict inbound packets:
switch# configure terminal
switch(config)# line vty
switch(config-line)# access-class ozi2 in
switch(config-line)#
This example shows how to remove an access class that restricts inbound packets:
switch(config)# line vty
switch(config-line)# no access-class ozi2 in
switch(config-line)#
To specify what the switch does when a packet matches a permit command in a VLAN access control list (VACL), use the action command. To remove an action command, use the no form of this command.
action {drop | forward}
no action {drop | forward}
| Keyword | Description |
|---|---|
| drop | Specifies that the switch drops the packet. |
| forward | Specifies that the switch forwards the packet to its destination port. |

Defaults: None
Command Modes: VLAN access-map configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |
The action command specifies the action that the device takes when a packet matches the conditions in the ACL specified by the match command.
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# statistics