Configuring AAA

This chapter describes how to configure authentication, authorization, and accounting (AAA) on Cisco NX-OS devices.

Information About AAA

AAA Security Services

The authentication, authorization, and accounting (AAA) features allow you to verify the identity of, grant access to, and track the actions of users who manage Cisco Nexus devices. The Cisco Nexus device supports the Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols.

Based on the user ID and password that you provide, the switches perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the switch and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.

AAA security provides the following services:

  • Authentication—Identifies users, including login and password dialog, challenge and response, messaging support, and encryption, depending on the security protocol that you select.

  • Authorization—Provides access control.

    Authorization to access a Cisco Nexus device is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user.

  • Accounting—Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.


Note


The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.


Benefits of Using AAA

AAA provides the following benefits:

  • Increased flexibility and control of access configuration

  • Scalability

  • Standardized authentication methods, such as RADIUS and TACACS+

  • Multiple backup devices

Remote AAA Services

Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:

  • User password lists for each switch in the fabric are easier to manage.

  • AAA servers are already deployed widely across enterprises and can be easily used for AAA services.

  • The accounting log for all switches in the fabric can be centrally managed.

  • User attributes for each switch in the fabric are easier to manage than using the local databases on the switches.

AAA Server Groups

You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. A server group provides for failover servers if a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, that server group option is considered a failure. If required, you can specify multiple server groups. If a switch encounters errors from the servers in the first group, it tries the servers in the next server group.

AAA Service Configuration Options

On Cisco Nexus devices, you can have separate AAA configurations for the following services:

  • User Telnet or Secure Shell (SSH) login authentication

  • Console login authentication

  • User management session accounting

The following table lists the CLI commands for each AAA service configuration option.

Table 1. AAA Service Configuration Commands

  AAA Service Configuration Option | Related Command
  Telnet or SSH login              | aaa authentication login default
  Console login                    | aaa authentication login console
  User session accounting          | aaa accounting default

You can specify the following authentication methods for the AAA services:

  • RADIUS server groups—Uses the global pool of RADIUS servers for authentication.

  • Specified server groups—Uses specified RADIUS or TACACS+ server groups for authentication.

  • Local—Uses the local username or password database for authentication.

  • None—Uses only the username.


Note


If the method is for all RADIUS servers, instead of a specific server group, the Cisco Nexus devices choose the RADIUS server from the global pool of configured RADIUS servers in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco Nexus devices.


The following table describes the AAA authentication methods that you can configure for the AAA services.

Table 2. AAA Authentication Methods for AAA Services

  AAA Service                        | AAA Methods
  Console login authentication       | Server groups, local, and none
  User login authentication          | Server groups, local, and none
  User management session accounting | Server groups and local


Note


For console login authentication, user login authentication, and user management session accounting, the Cisco Nexus devices try each option in the order specified. The local option is the default method when other configured options fail.


Authentication and Authorization Process for User Logins

The authentication and authorization process for a user login occurs as follows:

  • When you log in to the required Cisco Nexus device, you can use the Telnet, SSH, Fabric Manager or Device Manager, or console login options.

  • When you have configured the AAA server groups using the server group authentication method, the Cisco Nexus device sends an authentication request to the first AAA server in the group as follows:

    If the AAA server fails to respond, then the next AAA server is tried and so on until the remote server responds to the authentication request.

    If all AAA servers in the server group fail to respond, the servers in the next server group are tried.

    If all configured methods fail, the local database is used for authentication.

  • If a Cisco Nexus device successfully authenticates you through a remote AAA server, the following conditions apply:

    If the AAA server protocol is RADIUS, user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.

    If the AAA server protocol is TACACS+, another request is sent to the same server to get the user roles specified as custom attributes for the shell.

  • If your username and password are successfully authenticated locally, the Cisco Nexus device logs you in and assigns you the roles configured in the local database.
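The flow above, modelled as an added example (not Cisco code) so that the two different failure cases are visible: a server that answers with a reject ends the login, while only silence from every server in every group ("no more servers left") falls back to the local database. Server names, the group names tac1 and rad1, and the credentials are constructed.

```python
"""Model of the NX-OS login authentication method list (added example).

Each server is a callable returning ACCEPT, REJECT or None (no response).
Server groups are tried in the configured order; inside a group, servers are
tried in order until one responds. A REJECT from any responding server ends
the login; only no response from every server in every group falls back to
the local username database.
"""
from dataclasses import dataclass
from typing import Callable, Optional

ACCEPT, REJECT = "accept", "reject"

# Messages shown when 'aaa authentication login error-enable' is configured.
MSG_LOCAL_DONE = "Remote AAA servers unreachable; local authentication done."
MSG_LOCAL_FAILED = "Remote AAA servers unreachable; local authentication failed."


@dataclass
class Server:
    name: str
    decide: Callable[[str, str], Optional[str]]  # (user, password) -> ACCEPT/REJECT/None


@dataclass
class ServerGroup:
    name: str
    servers: list

    def authenticate(self, user: str, password: str):
        """Return (response, server name) from the first server that answers,
        or (None, None) if no server in the group responds."""
        for srv in self.servers:
            response = srv.decide(user, password)
            if response is not None:
                return response, srv.name
        return None, None


def login(user: str, password: str, groups, local_db: dict, error_enable: bool = False):
    """Evaluate the method list: server groups in order, then local.

    Returns (outcome, message); outcome is one of 'remote-accept',
    'remote-reject', 'local-accept', 'local-reject'. The message is non-empty
    only when error_enable is set and the remote servers were unreachable."""
    for group in groups:
        response, who = group.authenticate(user, password)
        if response == ACCEPT:
            return "remote-accept", f"authenticated by {who} in group {group.name}"
        if response == REJECT:
            # A definitive reject is not a failure of the method: no local fallback.
            return "remote-reject", f"rejected by {who} in group {group.name}"
        # None: no more servers left in this group, try the next group.
    ok = local_db.get(user) == password
    message = (MSG_LOCAL_DONE if ok else MSG_LOCAL_FAILED) if error_enable else ""
    return ("local-accept" if ok else "local-reject"), message


# Constructed sample topology (hypothetical names): two TACACS+ servers that
# never answer, then one RADIUS server that knows only admin/s3cret.
def _silent(user, password):
    return None


def _radius_decide(user, password):
    return ACCEPT if (user, password) == ("admin", "s3cret") else REJECT


EXAMPLE_GROUPS = [
    ServerGroup("tac1", [Server("tacacs-a", _silent), Server("tacacs-b", _silent)]),
    ServerGroup("rad1", [Server("radius-a", _radius_decide)]),
]
EXAMPLE_LOCAL_DB = {"admin": "localpw"}  # constructed local username database

if __name__ == "__main__":
    print(login("admin", "s3cret", EXAMPLE_GROUPS, EXAMPLE_LOCAL_DB))
    # The local password is useless while a remote server is answering:
    print(login("admin", "localpw", EXAMPLE_GROUPS, EXAMPLE_LOCAL_DB))
    # Only the silent group configured: local fallback with the error message.
    print(login("admin", "localpw", EXAMPLE_GROUPS[:1], EXAMPLE_LOCAL_DB, error_enable=True))
```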

The following figure shows a flowchart of the authentication and authorization process.

Figure 1. Authentication and Authorization Flow for User Login

Note


This figure is applicable only to username/password SSH authentication. It does not apply to public key SSH authentication. All username/password SSH authentication goes through AAA.


In the figure, "No more servers left" means that there is no response from any server within this server group.

Prerequisites for Remote AAA

Remote AAA servers have the following prerequisites:

  • At least one RADIUS or TACACS+ server must be IP reachable.

  • The Cisco Nexus device is configured as a client of the AAA servers.

  • The preshared secret key is configured on the Cisco Nexus device and on the remote AAA servers.

  • The remote server responds to AAA requests from the Cisco Nexus device.

Guidelines and Limitations for AAA

The Cisco Nexus devices do not support all-numeric usernames, whether created with TACACS+ or RADIUS, or created locally. If an all-numeric username exists on an AAA server and is entered during a login, the Cisco Nexus device still logs in the user.

If you configure the AAA login authentication default group, TACACS-SERVER-GROUP, it also overrides the login for the console. This override occurs even if aaa authentication login console local is a default command on the switch. To prevent this, you must configure aaa authentication login console local.


Caution


You should not create user accounts with usernames that are all-numeric.

Configuring AAA

Configuring Console Login Authentication Methods

The authentication methods include the following:

  • Global pool of RADIUS servers

  • Named subset of RADIUS or TACACS+ servers

  • Local database on the Cisco Nexus device

  • Username only (none)

The default method is local.


Note


The group radius and group server-name forms of the aaa authentication command are used for a set of previously defined RADIUS servers. Use the radius server-host command to configure the host servers. Use the aaa group server radius command to create a named group of servers.



Note


If you configure the AAA login authentication default group, TACACS-SERVER-GROUP, it also overrides the login for the console. This override occurs even if aaa authentication login console local is a default command on the switch. To prevent this, you must configure aaa authentication login console local.


Before you configure console login authentication methods, configure RADIUS or TACACS+ server groups as needed.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# aaa authentication login console {group group-list [none] | local | none}
  3. switch(config)# exit
  4. (Optional) switch# show aaa authentication
  5. (Optional) switch# copy running-config startup-config

DETAILED STEPS

  Command or Action | Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# aaa authentication login console {group group-list [none] | local | none}

Configures login authentication methods for the console.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

  • radius—Uses the global pool of RADIUS servers for authentication.

  • named-group—Uses a named subset of TACACS+ or RADIUS servers for authentication.

The local method uses the local database for authentication. The none method uses the username only.

The default console login method is local, which is used when no methods are configured or when all of the configured methods fail to respond.

Step 3

switch(config)# exit

Exits global configuration mode.

Step 4

(Optional) switch# show aaa authentication

(Optional)

Displays the configuration of the console login authentication methods.

Step 5

(Optional) switch# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Example

This example shows how to configure authentication methods for the console login:


switch# configure terminal
switch(config)# aaa authentication login console group radius
switch(config)# exit
switch# show aaa authentication
switch# copy running-config startup-config

Configuring Default Login Authentication Methods

The default method is local.

Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# aaa authentication login default {group group-list [none] | local | none}
  3. switch(config)# exit
  4. (Optional) switch# show aaa authentication
  5. (Optional) switch# copy running-config startup-config

DETAILED STEPS

  Command or Action | Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# aaa authentication login default {group group-list [none] | local | none}

Configures the default authentication methods.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

  • radius—Uses the global pool of RADIUS servers for authentication.

  • named-group—Uses a named subset of TACACS+ or RADIUS servers for authentication.

The local method uses the local database for authentication. The none method uses the username only.

The default login method is local, which is used when no methods are configured or when all of the configured methods do not respond.

Step 3

switch(config)# exit

Exits configuration mode.

Step 4

(Optional) switch# show aaa authentication

(Optional)

Displays the configuration of the default login authentication methods.

Step 5

(Optional) switch# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Enabling Login Authentication Failure Messages

When you log in, the login is processed by the local user database if the remote AAA servers do not respond. If you have enabled the display of login failure messages, one of the following messages is displayed:

Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# aaa authentication login error-enable
  3. switch(config)# exit
  4. (Optional) switch# show aaa authentication
  5. (Optional) switch# copy running-config startup-config

DETAILED STEPS

  Command or Action | Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# aaa authentication login error-enable

Enables login authentication failure messages. The default is disabled.

Step 3

switch(config)# exit

Exits configuration mode.

Step 4

(Optional) switch# show aaa authentication

(Optional)

Displays the login failure message configuration.

Step 5

(Optional) switch# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Logging Successful and Failed Login Attempts

You can configure the switch to log all successful and failed login attempts to the configured syslog server.

SUMMARY STEPS

  1. configure terminal
  2. [no] login on-failure log
  3. [no] login on-success log
  4. (Optional) show login on-failure log
  5. (Optional) show login on-successful log
  6. (Optional) copy running-config startup-config

DETAILED STEPS

  Command or Action | Purpose

Step 1

configure terminal

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

[no] login on-failure log

Example:

switch(config)# login on-failure log

Logs all failed authentication messages to the configured syslog server. With this configuration, the following syslog message appears after the failed login:

AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 172.22.00.00

Note

 

When logging level authpriv is 6, additional Linux kernel authentication messages appear along with the previous message. If these additional messages need to be ignored, the authpriv value should be set to 3.

Step 3

[no] login on-success log

Example:

switch(config)# login on-success log

Logs all successful authentication messages to the configured syslog server. With this configuration, the following syslog message appears after the successful login:

AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user admin from 172.22.00.00

Note

 

When logging level authpriv is 6, additional Linux kernel authentication messages appear along with the previous message.

Step 4

(Optional) show login on-failure log

Example:

switch(config)# show login on-failure log
(Optional)

Displays whether the switch is configured to log failed authentication messages to the syslog server.

Step 5

(Optional) show login on-successful log

Example:

switch(config)# show login on-successful log
(Optional)

Displays whether the switch is configured to log successful authentication messages to the syslog server.

Step 6

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.
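Once the two login logging commands above are enabled, the pam_aaa messages are the raw material for detecting password guessing against the switch. The following is an added example (not Cisco code) that parses those messages and flags a run of failures from one source, and a success that follows such a run. The sample lines are constructed; the timestamp and hostname prefix, the RFC 5737 addresses and the extra "kernel noise" line at authpriv level 6 are assumptions.

```python
"""Parse NX-OS pam_aaa login syslog messages and flag guessing patterns."""
import re
from collections import defaultdict

# Matches the message bodies shown in steps 2 and 3 above, with or without
# the syslog timestamp/hostname prefix in front of them.
LOGIN_RE = re.compile(
    r"AUTHPRIV-(?P<sev>\d)-SYSTEM_MSG: pam_aaa:Authentication "
    r"(?P<result>failed|success) for user (?P<user>\S+) from (?P<src>\S+)"
)


def parse_login_event(line: str):
    """Return a dict for a pam_aaa login message, or None for any other line
    (including the extra Linux authentication noise seen at authpriv level 6)."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    return {"severity": int(m["sev"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(lines, threshold: int = 3):
    """Count consecutive failures per source address.

    Emits an alert when a source reaches `threshold` failures, and another when
    a success follows such a run (the trace a successful guess would leave).
    A success resets the counter for that source. Returns the alert strings."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        ev = parse_login_event(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "failed":
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(f"{threshold} failed logins from {src}")
        else:
            if failures[src] >= threshold:
                alerts.append(
                    f"success for {ev['user']} from {src} after {failures[src]} failures")
            failures[src] = 0
    return alerts


SAMPLE_LOG = [  # constructed sample, not captured from a device
    "2024 Jan 10 10:00:01 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 192.0.2.10",
    "2024 Jan 10 10:00:04 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 192.0.2.10",
    "2024 Jan 10 10:00:05 switch %AUTHPRIV-6-SYSTEM_MSG: constructed kernel noise line, not a pam_aaa message",
    "2024 Jan 10 10:00:09 switch %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user root from 192.0.2.10",
    "2024 Jan 10 10:00:15 switch %AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user admin from 192.0.2.10",
    "2024 Jan 10 10:01:00 switch %AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user netops from 198.51.100.7",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```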

Configuring AAA Command Authorization

When a TACACS+ server authorization method is configured, you can authorize every command that a user executes with the TACACS+ server, which includes all EXEC mode commands and all configuration mode commands.

The authorization methods include the following:

  • Group—TACACS+ server group

  • Local—Local role-based authorization

  • None—No authorization is performed

The default method is Local.


Note


There is no authorization on the console session.


Before you begin

You must enable TACACS+ before configuring AAA command authorization.

SUMMARY STEPS

  1. configure terminal
  2. aaa authorization {commands | config-commands} {default} {{[group group-name] | [local]} | {[group group-name] | [none]}}

DETAILED STEPS

  Command or Action | Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

aaa authorization {commands | config-commands} {default} {{[group group-name] | [local]} | {[group group-name] | [none]}}

Example:

switch(config)# aaa authorization config-commands default group tac1

Example:

switch(config)# aaa authorization commands default group tac1

Configures authorization parameters.

Use the commands keyword to authorize EXEC mode commands.

Use the config-commands keyword to authorize configuration mode commands.

Use the group, local, or none keywords to identify the authorization method.

Example

The following example shows how to authorize EXEC mode commands with TACACS+ server group tac1:

switch(config)# aaa authorization commands default group tac1

The following example shows how to authorize configuration mode commands with TACACS+ server group tac1:

switch(config)# aaa authorization config-commands default group tac1
 

The following example shows how to authorize configuration mode commands with TACACS+ server group tac1, falling back to the local role when the server cannot be reached:

  • If the server is reachable, the command is allowed or not allowed based on the server response.

  • If there is an error reaching the server, the command is authorized based on the user's local role.

switch(config)# aaa authorization config-commands default group tac1 local
 

The following example shows how to authorize EXEC mode commands with TACACS+ server group tac1, allowing the command when the server cannot be reached:

  • If the server is reachable, the command is allowed or not allowed based on the server response.

  • If there is an error reaching the server, allow the command regardless of the local role.

switch(config)# aaa authorization commands default group tac1 none
 

The following example shows how to authorize EXEC mode commands regardless of the local role:

switch(config)# aaa authorization commands default none
 

The following example shows how to authorize EXEC mode commands using the local role for authorization:

switch(config)# aaa authorization commands default local
 

Enabling MSCHAP Authentication

Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Cisco Nexus device through a remote authentication server (RADIUS or TACACS+).

By default, the Cisco Nexus device uses Password Authentication Protocol (PAP) authentication between the switch and the remote server. If you enable MSCHAP, you must configure your RADIUS server to recognize the MSCHAP vendor-specific attributes (VSAs).

The following table describes the RADIUS VSAs required for MSCHAP.

Table 3. MSCHAP RADIUS VSAs

  Vendor-ID Number | Vendor-Type Number | VSA              | Description
  311              | 11                 | MSCHAP-Challenge | Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets.
  211              | 11                 | MSCHAP-Response  | Contains the response value provided by an MSCHAP user in response to the challenge. It is only used in Access-Request packets.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# aaa authentication login mschap enable
  3. switch(config)# exit
  4. (Optional) switch# show aaa authentication login mschap
  5. (Optional) switch# copy running-config startup-config

DETAILED STEPS

  Command or Action | Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# aaa authentication login mschap enable

Enables MS-CHAP authentication. The default is disabled.

Step 3

switch(config)# exit

Exits configuration mode.

Step 4

(Optional) switch# show aaa authentication login mschap

(Optional)

Displays the MS-CHAP configuration.

Step 5

(Optional) switch# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Configuring AAA Authorization on LDAP Servers

You can configure the default AAA authorization method for LDAP servers.

Before you begin

Enable LDAP.

SUMMARY STEPS

  1. configure terminal
  2. aaa authorization ssh-certificate default {group group-list [none] | local | none}
  3. exit
  4. (Optional) show aaa authorization [all]
  5. (Optional) copy running-config startup-config

DETAILED STEPS

  Command or Action | Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

aaa authorization ssh-certificate default {group group-list [none] | local | none}

Example:

switch(config)# aaa authorization ssh-certificate default group ldap1 ldap2

Configures the default AAA authorization method for the LDAP servers.

The ssh-certificate keyword configures LDAP or local authorization with certificate authentication. The default authorization is local authorization, which is the list of authorized commands for the user’s assigned role.

The group-list argument consists of a space-delimited list of LDAP server group names. Servers belonging to this group are contacted for AAA authorization. The local method uses the local database for authorization, and the none method specifies that no AAA authorization be used.

Step 3

exit

Example:

switch(config)# exit
switch#

Exits global configuration mode.

Step 4

(Optional) show aaa authorization [all]

Example:

switch# show aaa authorization
(Optional)

Displays the AAA authorization configuration. The all keyword displays the default values.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring AAA SSH-Cert-Authorization on TACACS Servers

To configure AAA SSH-Cert-Authorization on TACACS Servers, follow these steps:

SUMMARY STEPS

  1. configure terminal
  2. aaa authorization ssh-certificate default {group group-list [none] | local | none}
  3. exit
  4. (Optional) show aaa authorization [all]
  5. (Optional) copy running-config startup-config

DETAILED STEPS

  Command or Action | Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

aaa authorization ssh-certificate default {group group-list [none] | local | none}

Example:

switch(config)# aaa authorization ssh-certificate default group tac1

Configures the TACACS server group(s) as the default AAA authorization method for SSH requests that present an X.509 certificate.

The ssh-certificate keyword configures TACACS or local authorization with certificate authentication. The default authorization is local authorization, which is the list of authorized commands for the user’s assigned role.

The group-list argument consists of a space-delimited list of TACACS server group names. Servers belonging to this group are contacted for AAA authorization. The local method uses the local database for authorization, and the none method specifies that no AAA authorization be used.

Step 3

exit

Example:

switch(config)# exit
switch#

Exits global configuration mode.

Step 4

(Optional) show aaa authorization [all]

Example:

switch# show aaa authorization
(Optional)

Displays the AAA authorization configuration. The all keyword displays the default values.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring AAA Accounting Default Methods

The Cisco Nexus device supports TACACS+ and RADIUS methods for accounting. The switches report user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.

When you activate AAA accounting, the Cisco Nexus device reports these attributes as accounting records, which are then stored in an accounting log on the security server.

You can create default method lists defining specific accounting methods, which include the following:

  • RADIUS server group—Uses the global pool of RADIUS servers for accounting.

  • Specified server group—Uses a specified RADIUS or TACACS+ server group for accounting.

  • Local—Uses the local username or password database for accounting.


Note


If you have configured server groups and the server groups do not respond, by default, the local database is used for authentication.


Before you begin

Before you configure AAA accounting default methods, configure RADIUS or TACACS+ server groups as needed.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# aaa accounting default {group group-list | local}
  3. switch(config)# exit
  4. (Optional) switch# show aaa accounting
  5. (Optional) switch# copy running-config startup-config

DETAILED STEPS

  Command or Action | Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# aaa accounting default {group group-list | local}

Configures the default accounting method. One or more server group names can be specified in a space-separated list.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

  • radius—Uses the global pool of RADIUS servers for accounting.

  • named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting.

The local method uses the local database for accounting.

The default method is local, which is used when no server groups are configured or when all the configured server groups do not respond.

Step 3

switch(config)# exit

Exits configuration mode.

Step 4

(Optional) switch# show aaa accounting

(Optional)

Displays the configuration of the AAA accounting default methods.

Step 5

(Optional) switch# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

About No Service Password-Recovery

The No Service Password-Recovery feature gives anyone with console access the ability to access the router and its network.

Enabling No Service Password-Recovery

If the no service password-recovery feature is enabled, no one except the administrator with network privileges is able to modify the administrator password.

Before you begin

If you plan to enter the no service password-recovery command, Cisco recommends that you save a copy of the system configuration file in a location away from the device.

SUMMARY STEPS

  1. configure terminal
  2. no service password-recovery
  3. (Optional) copy running-config startup-config
  4. reload
  5. exit
  6. (Optional) show user-account
  7. (Optional) copy running-config startup-config

DETAILED STEPS

  Command or Action | Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

no service password-recovery

Example:

switch(config)# no service password-recovery
WARNING: Executing this command will disable the password recovery mechanism. Do not execute this command without another plan for password recovery. Are you sure you want to continue? (y/n) : [y] y
switch(config)# copy run start
[########################################] 100%
Copy complete, now saving to disk (please wait)...
Copy complete.

Disables the password recovery mechanism.

Step 3

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Step 4

reload

Example:

switch(config)# reload
This command will reboot the system. (y/n)?  [n] y
2018 Jun 26 16:23:19 BAR %$ VDC-1 %$ %PLATFORM-2-PFM_SYSTEM_RESET: Manual system restart from Command Line Interface
 
CISCO SWITCH Ver 8.34
 
CISCO SWITCH Ver 8.34
Manual system restart from Command Line Interface
writing reset reason 9,
..
..
              
switch(boot)# config t
Enter configuration commands, one per line.  End with CNTL/Z.
switch(boot)(config)# admin-password Abcd!123$
ERROR: service password-recovery disabled. Cannot change password!
switch(boot)(config)#
 

Step 5

exit

Example:

switch(config)# exit
switch#

Exits global configuration mode.

Step 6

(Optional) show user-account

Example:

switch# show user-account
(Optional)

Displays the role configuration.

Step 7

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Using AAA Server VSAs

VSAs

You can use vendor-specific attributes (VSAs) to specify the Cisco Nexus device user roles and SNMPv3 parameters on AAA servers.

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is an equal sign (=) for mandatory attributes, and an asterisk (*) indicates optional attributes.

When you use RADIUS servers for authentication on a Cisco Nexus device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, with authentication results. This authorization information is specified through VSAs.

VSA Format

The following VSA protocol options are supported by the Cisco Nexus device:

  • Shell—Used in access-accept packets to provide user profile information.

  • Accounting—Used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.

The following attributes are supported by the Cisco Nexus device:

  • roles—Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space.

  • accountinginfo—Stores additional accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.

Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers

You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco Nexus device using this format:

shell:roles="roleA roleB …"

If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.


Note


For information on Cisco Unified Wireless Network TACACS+ configurations and to change the user roles, see Cisco Unified Wireless Network TACACS+ Configuration.


You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:

shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128 

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 is the default authentication protocol and DES is the default privacy protocol.

For additional information, see the Configuring User Accounts and RBAC chapter in the System Management Configuration Guide for your Cisco Nexus device.
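
To make the attribute format concrete, here is an added Python example (not code from the Cisco guide) that parses a cisco-av-pair string as the text describes and derives the roles and SNMPv3 protocols that would apply, including the documented defaults (network-operator, MD5, DES) when an attribute is absent, and flags the weak defaults. The av-pair strings are constructed for the example; how NX-OS itself treats malformed input is not described on the page and is not modelled.

```python
import re
import shlex

# Defaults the NX-OS AAA guide states for attributes missing from cisco-av-pair.
DEFAULT_ROLES = ["network-operator"]
DEFAULT_SNMPV3 = {"auth": "MD5", "priv": "DES"}
ALLOWED_SNMPV3 = {"auth": {"SHA", "MD5"}, "priv": {"AES-128", "DES"}}
WEAK_SNMPV3 = {"auth": {"MD5"}, "priv": {"DES"}}

# protocol:attribute<sep>value ; '=' marks a mandatory attribute, '*' an optional one.
_PAIR = re.compile(
    r"^(?:(?P<proto>[A-Za-z0-9_-]+):)?(?P<attr>[A-Za-z0-9_-]+)(?P<sep>[=*])(?P<value>.*)$"
)


def parse_av_pairs(av_string):
    """Split a cisco-av-pair string into (protocol, attribute, mandatory, value) tuples.

    Quoted values may contain whitespace (shlex handles the quotes). A token with no
    protocol prefix belongs to the protocol of the preceding token, which is how
    'snmpv3:auth=SHA priv=AES-128' is written on the page.
    """
    pairs = []
    proto = None
    for tok in shlex.split(av_string):
        m = _PAIR.match(tok)
        if not m:
            raise ValueError(f"malformed av-pair token: {tok!r}")
        if m.group("proto"):
            proto = m.group("proto")
        if proto is None:
            raise ValueError(f"attribute without a protocol prefix: {tok!r}")
        pairs.append((proto, m.group("attr"), m.group("sep") == "=", m.group("value")))
    return pairs


def authorization_from_av_pairs(av_string):
    """Return the roles and SNMPv3 protocols that result from an av-pair string.

    Applies the documented defaults for anything not specified and lists which SNMPv3
    settings ended up on the weak option (MD5 or DES) so an audit can flag them.
    """
    roles = None
    snmpv3 = dict(DEFAULT_SNMPV3)
    for proto, attr, _mandatory, value in parse_av_pairs(av_string):
        if proto == "shell" and attr == "roles":
            roles = value.split()          # whitespace-delimited list of role names
        elif proto == "snmpv3" and attr in ALLOWED_SNMPV3:
            value = value.upper()
            if value not in ALLOWED_SNMPV3[attr]:
                raise ValueError(f"unsupported snmpv3 {attr} protocol: {value!r}")
            snmpv3[attr] = value
        # Other protocols/attributes are ignored here, as they are not relevant to this page.
    if not roles:
        roles = list(DEFAULT_ROLES)
    weak = sorted(k for k, v in snmpv3.items() if v in WEAK_SNMPV3[k])
    return {"roles": roles, "snmpv3": snmpv3, "weak_snmpv3": weak}


if __name__ == "__main__":
    # Constructed av-pair values, as an AAA server might return them.
    print(authorization_from_av_pairs('shell:roles="network-admin network-operator" snmpv3:auth=SHA priv=AES-128'))
    print(authorization_from_av_pairs(""))   # nothing specified: all defaults, both weak
```

Run against a value your RADIUS or TACACS+ server actually returns; an empty `weak_snmpv3` list is what you want to see for SNMPv3 users.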

Secure Login Enhancements

The following secure login enhancements are supported in Cisco NX-OS:

  • Configuring Login Parameters

  • Configuration Examples for Login Parameters

  • Restricting Sessions Per User—Per User Per Login

  • Enabling the Password Prompt for User Name

  • Configuring Share Key Value for using RADIUS/TACACS+

Configuring Login Parameters

Use this task to configure your Cisco NX-OS device for login parameters that help detect suspected DoS attacks and slow down dictionary attacks.

All login parameters are disabled by default. You must enter the login block-for command, which enables default login functionality, before using any other login commands. After the login block-for command is enabled, the following default is enforced:

  • All login attempts made through Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is entered.

SUMMARY STEPS

  1. configure terminal
  2. [no] login block-for seconds attempts tries within seconds
  3. [no] login quiet-mode access-class {acl-name | acl-number }
  4. exit
  5. show login [failures]

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 2

[no] login block-for seconds attempts tries within seconds

Example:


Switch(config)# login block-for 100 attempts 2 within 100

Configures your Cisco NX-OS device for login parameters that help provide DoS detection.

Note

 

This command must be issued before any other login command can be used.

Step 3

[no] login quiet-mode access-class {acl-name | acl-number }

Example:


Switch(config)# login quiet-mode access-class myacl

(Optional) Specifies an ACL that is applied when the device switches to quiet mode. Although optional, configuring it is recommended: while the device is in quiet mode, login requests from hosts the ACL permits are still processed, all other login requests are denied, and without an ACL the only available connection is through the console.

Step 4

exit

Example:


Switch(config)# exit

Exits to privileged EXEC mode.

Step 5

show login [failures]

Example:


Switch# show login

Displays login parameters.

  • failures --Displays information related only to failed login attempts.

Configuration Examples for Login Parameters

Setting Login Parameters Example

The following example shows how to configure the switch to enter a 100-second quiet period if more than 15 failed login attempts occur within 100 seconds; during the quiet period all login requests are denied except those from hosts permitted by the ACL "myacl".


Switch(config)# login block-for 100 attempts 15 within 100
Switch(config)# login quiet-mode access-class myacl

The following sample output from the show login command shows the login parameters in effect on a switch where login blocking is enabled but no quiet-mode ACL has been configured:


Switch# show login

No Quiet-Mode access list has been configured, default ACL will be applied. 

Switch is enabled to watch for login Attacks. 
If more than 2 login failures occur in 45 seconds or less,  logins will be disabled for 70 seconds. 

Switch presently in Normal-Mode.
Current Watch Window remaining time 10 seconds.
Present login failure count 0.

The following sample output from the show login failures command shows all failed login attempts on the switch:


Switch# show login failures

Information about last 20 login failures with the device.
--------------------------------------------------------------------------------
Username        Line    Source                  Appname   TimeStamp
--------------------------------------------------------------------------------
admin           pts/0   bgl-ads-728.cisco.com   login     Wed Jun 10 04:56:16 2015
admin           pts/0   bgl-ads-728.cisco.com   login     Wed Jun 10 04:56:19 2015
--------------------------------------------------------------------------------

The following sample output from the show login failures command verifies that no information is presently logged:


Switch# show login failures
*** No logged failed login attempts with the device.***
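
As an added example that is not part of the Cisco guide, the following Python model replays a constructed sequence of login attempts against the login block-for 100 attempts 2 within 100 policy from Step 2, with a quiet-mode ACL that permits one jump host. It shows the three outcomes an operator sees: a normal rejection that counts toward the watch window, a block during the quiet period even with the right password, and the ACL-permitted host still getting in. The exact window handling (a window opened by the first failure, quiet mode entered when failures inside it exceed the attempts count, which matches the "more than N failures" wording of the show login output) and the IP addresses are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class LoginGuard:
    """Model of 'login block-for <block_for> attempts <attempts> within <within>' plus a
    quiet-mode ACL. Assumption (not spelled out on the page): a watch window opens at the
    first failure and the switch enters quiet mode when failures in that window exceed
    `attempts`. Hosts permitted by the ACL are exempt from quiet mode."""
    block_for: int
    attempts: int
    within: int
    exempt_sources: Set[str] = field(default_factory=set)   # hosts the quiet-mode ACL permits
    window_start: Optional[float] = None
    failures: int = 0
    quiet_until: Optional[float] = None
    log: List[Tuple[float, str, str]] = field(default_factory=list)

    def mode(self, now: float) -> str:
        return "quiet" if self.quiet_until is not None and now < self.quiet_until else "normal"

    def attempt(self, now: float, source: str, credentials_ok: bool) -> str:
        """Process one login attempt; returns 'accept', 'reject' or 'blocked'."""
        if self.mode(now) == "quiet" and source not in self.exempt_sources:
            outcome = "blocked"          # denied before authentication, like the quiet period
        elif credentials_ok:
            outcome = "accept"
        else:
            outcome = "reject"
            if self.window_start is None or now - self.window_start > self.within:
                self.window_start, self.failures = now, 0   # open a fresh watch window
            self.failures += 1
            if self.failures > self.attempts:
                self.quiet_until = now + self.block_for     # enter quiet mode
                self.window_start, self.failures = None, 0
        self.log.append((now, source, outcome))
        return outcome


def run_scenario() -> List[str]:
    """Replay constructed attempts against the Step 2 policy with an ACL permitting 10.0.0.5."""
    guard = LoginGuard(block_for=100, attempts=2, within=100, exempt_sources={"10.0.0.5"})
    attempts = [  # (seconds, source, credentials_ok); every value here is constructed
        (0,   "198.51.100.7", False),
        (5,   "198.51.100.7", False),
        (9,   "198.51.100.7", False),  # third failure in the window: exceeds 'attempts 2'
        (20,  "198.51.100.7", True),   # right password, still denied: quiet mode until t=109
        (25,  "10.0.0.5",     True),   # permitted by the quiet-mode ACL, so it gets through
        (130, "198.51.100.7", True),   # quiet period over, normal processing resumes
    ]
    return [guard.attempt(t, src, ok) for t, src, ok in attempts]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The practical point the model makes visible is the last two rows: without the ACL, the jump host at t=25 would also have been blocked, and the only way in would have been the console.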

Restricting Sessions Per User—Per User Per Login

Use this task to restrict the maximum sessions per user.

SUMMARY STEPS

  1. configure terminal
  2. [no] user max-logins max-logins
  3. exit

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 2

[no] user max-logins max-logins

Example:


Switch(config)# user max-logins 1

Restricts the maximum sessions per user. The range is from 1 to 7. If you set the maximum login limit as 1, then only one session (telnet/SSH) is allowed per user.

Step 3

exit

Example:


Switch(config)# exit

Exits to privileged EXEC mode.

Enabling the Password Prompt for User Name

SUMMARY STEPS

  1. configure terminal
  2. [no] password prompt username
  3. exit

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 2

[no] password prompt username

Example:


Switch(config)# password prompt username

Enables the login knob. When it is enabled and you enter the username command without the password keyword, the switch prompts for the password and does not echo the characters you type. Use the no form of this command to disable the login knob.

Step 3

exit

Example:


Switch(config)# exit

Exits to privileged EXEC mode.

Configuring Share Key Value for using RADIUS/TACACS+

The shared secret you configure for remote authentication and accounting should not appear in plain text. For the radius-server key and tacacs-server key commands, a separate command generates a type 7 encrypted form of the shared secret, which you can then configure instead of the plain-text value. Type 7 is a reversible obfuscation rather than strong encryption: it keeps the secret from being read off the screen in the running configuration, but anyone who obtains a copy of the configuration can recover it, so protect configuration backups and show output accordingly.

SUMMARY STEPS

  1. configure terminal
  2. generate type7_encrypted_secret
  3. exit

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:


Switch# configure terminal

Enters global configuration mode.

Step 2

generate type7_encrypted_secret

Example:


Switch(config)# generate type7_encrypted_secret

Generates the type 7 encrypted form of a RADIUS or TACACS+ shared secret. The plain-text input is hidden while you type it.

Note

 

You can generate the encrypted equivalent of the plain-text secret separately and configure the encrypted shared secret later.

Step 3

exit

Example:


Switch(config)# exit

Exits to privileged EXEC mode.
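
To show what a type 7 value actually protects, here is an added Python example (not Cisco code) implementing the widely published type 7 algorithm: a two-digit seed followed by each secret byte XORed with a fixed, public key, written as hex. This example assumes NX-OS key 7 strings use that same scheme, and the `radius-server key 7` / `tacacs-server key 7` line shapes in the constructed configuration excerpt are assumed as well. The audit function recovers the plain text without any secret input, which is the reason the caveat above matters.

```python
import re

# Fixed key of the Cisco type 7 scheme (public knowledge). Assumption: NX-OS "key 7"
# values use this same algorithm. Illustration code, not Cisco's.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_encode(secret: str, seed: int = 9) -> str:
    """Obfuscate `secret`: two-digit seed, then each byte XORed with the rotating key, as hex."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    hexpairs = [
        f"{b ^ _XLAT[(seed + i) % len(_XLAT)]:02X}" for i, b in enumerate(secret.encode())
    ]
    return f"{seed:02d}" + "".join(hexpairs)


def type7_decode(encoded: str) -> str:
    """Reverse type7_encode. Needs no secret: the key is public, so anyone holding the
    configuration can do this."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body)).decode()


# Assumed NX-OS line shapes for a type 7 shared secret.
_KEY7_LINE = re.compile(r"^\s*(radius-server|tacacs-server)\s+key\s+7\s+(\S+)", re.M)


def recover_type7_keys(config_text: str) -> dict:
    """Audit helper: map each AAA server type to the plain text of its type 7 shared secret."""
    return {proto: type7_decode(enc) for proto, enc in _KEY7_LINE.findall(config_text)}


# Constructed configuration excerpt for the audit; the secrets are made up.
SAMPLE_CONFIG = f"""\
radius-server key 7 {type7_encode("cisco", 9)}
tacacs-server key 7 {type7_encode("TacacsSecret1", 3)}
"""

if __name__ == "__main__":
    print(SAMPLE_CONFIG)
    print(recover_type7_keys(SAMPLE_CONFIG))
```

Running the audit over a real show running-config aaa export is a quick way to demonstrate to whoever stores configuration backups that those files need the same handling as the secrets themselves.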

Monitoring and Clearing the Local AAA Accounting Log

The Cisco Nexus device maintains a local log for the AAA accounting activity.

SUMMARY STEPS

  1. switch# show accounting log [size] [start-time year month day hh : mm : ss]
  2. (Optional) switch# clear accounting log

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# show accounting log [size] [start-time year month day hh : mm : ss]

Displays the accounting log contents. By default, the command output contains up to 250,000 bytes of the accounting log. You can use the size argument to limit command output. The range is from 0 to 250000 bytes. You can also specify a start time for the log output.

Step 2

(Optional) switch# clear accounting log

(Optional)

Clears the accounting log contents.

Verifying the AAA Configuration

To display AAA configuration information, perform one of the following tasks:

Command

Purpose

show aaa accounting

Displays AAA accounting configuration.

show aaa authentication [login {error-enable | mschap}]

Displays AAA authentication information.

show aaa authorization

Displays AAA authorization information.

show aaa groups

Displays the AAA server group configuration.

show login [failures ]

Displays the login parameters. The failures option displays information related only to failed login attempts.

Note

 

The clear login failures command clears the login failures in the current watch period.

show login on-failure log

Displays whether the switch is configured to log failed authentication messages to the syslog server.

show login on-successful log

Displays whether the switch is configured to log successful authentication messages to the syslog server.

show running-config aaa [all]

Displays the AAA configuration in the running configuration.

show running-config all | i max-login

Displays the maximum number of login sessions allowed per user.

show startup-config aaa

Displays the AAA configuration in the startup configuration.

show userpassphrase {length | max-length | min-length }

Displays the minimum and maximum length of the user password.

Configuration Examples for AAA

The following example shows how to configure AAA:

 switch(config)# aaa authentication login default group radius
 switch(config)# aaa authentication login console group radius
 switch(config)# aaa accounting default group radius

Default AAA Settings

The following table lists the default settings for AAA parameters.

Table 4. Default AAA Parameters

Parameters

Default

Console authentication method

local

Default authentication method

local

Login authentication failure messages

Disabled

MSCHAP authentication

Disabled

Default accounting method

local

Accounting log display length

250 KB