Configuring AAA

This chapter describes how to configure authentication, authorization, and accounting (AAA) on Cisco NX-OS devices.

This chapter includes the following sections:

About AAA

This section includes information about AAA on Cisco NX-OS devices.

AAA Security Services

The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing a Cisco NX-OS device. Cisco NX-OS devices support Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) protocols.

Based on the user ID and password combination that you provide, Cisco NX-OS devices perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the Cisco NX-OS device and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.

AAA security provides the following services:

Authentication
Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption.

Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).

Authorization
Provides access control.AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
Accounting
Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.

The accounting feature tracks and maintains a log of every management session used to access the Cisco NX-OS device. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.


Note


The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.


Benefits of Using AAA

AAA provides the following benefits:

  • Increased flexibility and control of access configuration

  • Scalability

  • Standardized authentication methods, such as RADIUS and TACACS+

  • Multiple backup devices

Remote AAA Services

Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:

  • It is easier to manage user password lists for each Cisco NX-OS device in the fabric.

  • AAA servers are already deployed widely across enterprises and can be easily used for AAA services.

  • You can centrally manage the accounting log for all Cisco NX-OS devices in the fabric.

  • It is easier to manage user attributes for each Cisco NX-OS device in the fabric than using the local databases on the Cisco NX-OS devices.

AAA Server Groups

You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implements the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco NX-OS device encounters errors from the servers in the first group, it tries the servers in the next server group.

AAA Service Configuration Options

The AAA configuration in Cisco NX-OS devices is service based, which means that you can have separate AAA configurations for the following services:

  • User Telnet or Secure Shell (SSH) login authentication

  • Console login authentication

  • User management session accounting

This table provides the related CLI command for each AAA service configuration option.

Table 1. AAA Service Configuration Commands

AAA Service Configuration Option

Related Command

Telnet or SSH login

aaa authentication login default

Console login

aaa authentication login console

User session accounting

aaa accounting default

You can specify the following authentication methods for the AAA services:

All RADIUS servers

Uses the global pool of RADIUS servers for authentication.

Specified server groups

Uses specified RADIUS, TACACS+, or LDAP server groups you have configured for authentication.

Local

Uses the local username or password database for authentication.

None

Specifies that no AAA authentication be used.


Note


If you specify the all RADIUS servers method, rather than a specified server group method, the Cisco NX-OS device chooses the RADIUS server from the global pool of configured RADIUS servers, in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco NX-OS device.


This table shows the AAA authentication methods that you can configure for the AAA services.

Table 2. AAA Authentication Methods for AAA Services

AAA Service

AAA Methods

Console login authentication

Server groups, local, and none

User login authentication

Server groups, local, and none

User management session accounting

Server groups and local


Note


For console login authentication, user login authentication, and user management session accounting, the Cisco NX-OS device tries each option in the order specified. The local option is the default method when other configured options fail. You can disable the local option for the console or default login by using the no aaa authentication login {console | default} fallback error local command.


Authentication and Authorization Process for User Login

Figure 1. Authorization and Authentication Flow for User Login. This figure shows a flow chart of the authentication and authorization process for user login.

The following list explains the process:

  • When you log in to the required Cisco NX-OS device, you can use the Telnet, SSH, or console login options.

  • When you have configured the AAA server groups using the server group authentication method, the Cisco NX-OS device sends an authentication request to the first AAA server in the group as follows:

    • If the AAA server fails to respond, the next AAA server is tried and so on until the remote server responds to the authentication request.

    • If all AAA servers in the server group fail to respond, the servers in the next server group are tried.

    • If all configured methods fail, the local database is used for authentication, unless fallback to local is disabled for the console login.

  • If the Cisco NX-OS device successfully authenticates you through a remote AAA server, then the following possibilities apply:

    • If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.

    • If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.

  • If your username and password are successfully authenticated locally, the Cisco NX-OS device logs you in and assigns you the roles configured in the local database.


Note


"No more server groups left" means that there is no response from any server in all server groups. "No more servers left" means that there is no response from any server within this server group.


AES Password Encryption and Primary Encryption Keys

You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type-6 encryption. To start using type-6 encryption, you must enable the AES password encryption feature and configure a primary encryption key, which is used to encrypt and decrypt passwords.

After you enable AES password encryption and configure a primary key, all existing and newly created clear-text passwords for supported applications (currently RADIUS and TACACS+) are stored in type-6 encrypted format, unless you disable type-6 password encryption. You can also configure Cisco NX-OS to convert all existing weakly encrypted passwords to type-6 encrypted passwords.

Prerequisites for AAA

Remote AAA servers have the following prerequisites:

  • Ensure that at least one RADIUS, TACACS+, or LDAP server is reachable through IP.

  • Ensure that the Cisco NX-OS device is configured as a client of the AAA servers.

  • Ensure that the secret key is configured on the Cisco NX-OS device and the remote AAA servers.

  • Ensure that the remote server responds to AAA requests from the Cisco NX-OS device.

Guidelines and Limitations for AAA

AAA has the following guidelines and limitations:

  • Beginning with Cisco NX-OS Release 10.2(1)F, SNMPV3 attributes can be mentioned before the shell:roles attribute in cisco-av-pair.

  • LDAP does not support ‘snmpv3’ attributes.

  • If you have a user account that is configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.

  • Cisco Nexus 9000 Series switches support the aaa authentication login ascii-authentication command only for TACACS+ (and not for RADIUS).

  • If you modify the default login authentication method (without using the local keyword), the configuration overrides the console login authentication method. To explicitly configure the console authentication method, use the aaa authentication login console {group group-list [none] | local | none} command.

  • The login block-for and login quiet-mode configuration mode commands are renamed to system login block-for and system login quiet-mode , respectively.

  • When you use the system login quiet-mode access-class QUIET_LIST command, you must ensure that the access list is correctly defined to only block the specified traffic. For example, if you need to block only the user logins from untrusted hosts, then the access list should specify ports 22, 23, 80, and 443 corresponding to SSH, telnet, and HTTP-based access from those hosts.

  • Beginning with Cisco NX-OS Release 10.2(2)F, a new desynchronization CLI is introduced to provide you an option to disable the user synchronization between the SNMP and the security components. For more information, refer to the Configuring SNMP chapter in the System Management Configuration Guide.

    For more information about the Cisco Nexus 9000 switches that support various features spanning from release 7.0(3)I7(1) to the current release, refer to Nexus Switch Platform Support Matrix.

  • When the desynchronization CLI is enabled, remote users will not be synced to SNMP database.

  • The security users created using DCNM (also called as Nexus Dashboard Fabric Controller from Release 12.0.1a) will not have a corresponding SNMPv3 profile when the desynchronization CLI is enabled. When the synchronization is disabled, the users created on the security component can log in to the switch, but the switches will not be discovered by the controller, as the controller uses the SNMP configuration created for the security user to discover the switch. Furthermore, the SNMP does not recognize the security users created due to the desynchronized state of the userDB, resulting in failure to discover the switch. Therefore, to have the switches discovered by the controller, the SNMP user must be explicitly created. It is not recommended to use the desynchronization CLI along with DCNM functionality. For more information, refer to the Cisco Nexus 9000 NX-OS Security Configuration Guide.

  • Beginning with Cisco NX-OS Release 10.3(1)F, AAA is supported on the Cisco Nexus 9808 switches.

    • Beginning with Cisco NX-OS Release 10.4(1)F, AAA is supported on Cisco Nexus X98900CD-A, and X9836DM-A line cards with 9808 switches.

  • Beginning with Cisco NX-OS Release 10.4(1)F, AAA is supported on the Cisco Nexus 9804 switches, X98900CD-A, and X9836DM-A line cards.

  • Beginning with Cisco NX-OS release 10.4(3)F, support for SSH based authorization of X.509 certificates using TACACS+ server is being provided on the Cisco Nexus 9000 Series platform switches. This feature can be enabled using aaa authorization ssh-certificate default group tac-group-name command. For more information, see Configuring AAA SSH-Cert-Authorization on TACACS Servers.

Default Settings for AAA

This table lists the default settings for AAA parameters.

Table 3. Default AAA Parameter Settings

Parameters

Default

Console authentication method

local

Default authentication method

local

Login authentication failure messages

Disabled

CHAP authentication

Disabled

MSCHAP authentication

Disabled

Default accounting method

local

Accounting log display length

250 KB

Configuring AAA

This section describes the tasks for configuring AAA on Cisco NX-OS devices.


Note


If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.



Note


Cisco Nexus 9K Series switches support the CLI command, aaa authentication login ascii-authentication, only for TACAAS+, but not for RADIUS. Ensure that you have disabled aaa authentication login ascii-authentication switch so that the default authentication, PAP, is enabled. Otherwise, you will see syslog errors.


Process for Configuring AAA

Follow these steps to configure AAA authentication and accounting:

  1. If you want to use remote RADIUS, TACACS+, or LDAP servers for authentication, configure the hosts on your Cisco NX-OS device.

  2. Configure console login authentication methods.

  3. Configure default login authentication methods for user logins.

  4. Configure default AAA accounting default methods.

Configuring Console Login Authentication Methods

This section describes how to configure the authentication methods for the console login.

The authentication methods include the following:

  • Global pool of RADIUS servers

  • Named subset of RADIUS, TACACS+, or LDAP servers

  • Local database on the Cisco NX-OS device

  • Username only (none)

The default method is local, but you have the option to disable it .


Note


The group radius and group server-name forms of the aaa authentication command refer to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server radius command to create a named group of servers.



Note


If you perform a password recovery when remote authentication is enabled, local authentication becomes enabled for console login as soon as the password recovery is done. As a result, you can log into the Cisco NX-OS device through the console port using the new password. After login, you can continue to use local authentication, or you can enable remote authentication after resetting the admin password configured at the AAA servers. For more information about the password recovery process, see the Cisco Nexus 9000 Series NX-OS Troubleshooting Guide.

Before you begin

Configure RADIUS, TACACS+, or LDAP server groups, as needed.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters configuration mode.

Step 2

aaa authentication login console {group group-list [none] | local | none}

Example:

switch(config)# aaa authentication login console group radius

Configures login authentication methods for the console.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

radius
Uses the global pool of RADIUS servers for authentication.
named-group
Uses a named subset of RADIUS, TACACS+, or LDAP servers for authentication.

The local method uses the local database for authentication, and the none method specifies that no AAA authentication be used.

The default console login method is local , which is used when no methods are configured or when all the configured methods fail to respond, unless fallback to local is disabled for the console login .

Step 3

exit

Example:

switch(config)# exit
switch#

Exits configuration mode.

Step 4

(Optional) show aaa authentication

Example:

switch# show aaa authentication
(Optional)

Displays the configuration of the console login authentication methods.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring Default Login Authentication Methods

The authentication methods include the following:

  • Global pool of RADIUS servers

  • Named subset of RADIUS, TACACS+, or LDAP servers

  • Local database on the Cisco NX-OS device

  • Username only

The default method is local, but you have the option to disable it .

Before you begin

Configure RADIUS, TACACS+, or LDAP server groups, as needed.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters configuration mode.

Step 2

aaa authentication login default {group group-list [none] | local | none}

Example:

switch(config)# aaa authentication login default group radius

Configures the default authentication methods.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

  • radius —Uses the global pool of RADIUS servers for authentication.

  • named-group—Uses a named subset of RADIUS, TACACS+, or LDAP servers for authentication.

The local method uses the local database for authentication, and the none method specifies that no AAA authentication be used. The default login method is local , which is used when no methods are configured or when all the configured methods fail to respond, unless fallback to local is disabled for the console login .

You can configure one of the following:

  • AAA authentication groups

  • AAA authentication groups with no authentication

  • Local authentication

  • No authentication

Note

 

The local keyword is not supported (and is not required) when configuring AAA authentication groups because local authentication is the default if remote servers are unreachable. For example, if you configure aaa authentication login default group g1 , local authentication is tried if you are unable to authenticate using AAA group g1. In contrast, if you configure aaa authentication login default group g1 none , no authentication is performed if you are unable to authenticate using AAA group g1.

Note

 

Cisco NX-OS AAA authentication does not support hashed key and only supports Type 6/7 keys.

Step 3

exit

Example:

switch(config)# exit
switch#

Exits configuration mode.

Step 4

(Optional) show aaa authentication

Example:

switch# show aaa authentication
(Optional)

Displays the configuration of the default login authentication methods.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Disabling Fallback to Local Authentication

By default, if remote authentication is configured for console or default login and all AAA servers are unreachable (resulting in an authentication error), the Cisco NX-OS device falls back to local authentication to ensure that users aren’t locked out of the device. However, you can disable fallback to local authentication in order to increase security.


Caution


Disabling fallback to local authentication can lock your Cisco NX-OS device, forcing you to perform a password recovery in order to gain access. To prevent being locked out of the device, we recommend that you disable fallback to local authentication for only the default login or the console login, not both.


Before you begin

Configure remote authentication for the console or default login.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters configuration mode.

Step 2

no aaa authentication login {console | default} fallback error local

Example:

switch(config)# no aaa authentication login console fallback error local

Disables fallback to local authentication for the console or default login if remote authentication is configured and all AAA servers are unreachable.

The following message appears when you disable fallback to local authentication:

“WARNING!!! Disabling fallback can lock your switch.”

Step 3

(Optional) exit

Example:

switch(config)# exit
switch#
(Optional)

Exits configuration mode.

Step 4

(Optional) show aaa authentication

Example:

switch# show aaa authentication
(Optional)

Displays the configuration of the console and default login authentication methods.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Enabling the Default User Role for AAA Authentication

You can allow remote users who do not have a user role to log in to the Cisco NX-OS device through a RADIUS or TACACS+ remote authentication server using a default user role. When you disable the AAA default user role feature, remote users who do not have a user role cannot log in to the device.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters configuration mode.

Step 2

aaa user default-role

Example:

switch(config)# aaa user default-role

Enables the default user role for AAA authentication. The default is enabled.

You can disable the default user role feature by using the no form of this command.

Step 3

exit

Example:

switch(config)# exit
switch#

Exits configuration mode.

Step 4

(Optional) show aaa user default-role

Example:

switch# show aaa user default-role
(Optional)

Displays the AAA default user role configuration.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Enabling Login Authentication Failure Messages

When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In such cases, the following messages display on the user’s terminal if you have enabled login failure messages:

Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters configuration mode.

Step 2

aaa authentication login error-enable

Example:

switch(config)# aaa authentication login error-enable

Enables login authentication failure messages. The default is disabled.

Step 3

exit

Example:

switch(config)# exit
switch#

Exits configuration mode.

Step 4

(Optional) show aaa authentication

Example:

switch# show aaa authentication
(Optional)

Displays the login failure message configuration.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Logging Successful and Failed Login Attempts

You can configure the switch to log all successful and failed login attempts to the configured syslog server.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

[no] login on-failure log

Example:

switch(config)# login on-failure log

Logs all failed authentication messages to the configured syslog server only if the logging level is set to 6. With this configuration, the following syslog message appears after the failed login:

AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 172.22.00.00

Note

 

When logging level authpriv is 6, additional Linux kernel authentication messages appear along with the previous message. If these additional messages need to be ignored, the authpriv value should be set to 3.

Step 3

[no] login on-success log

Example:

switch(config)# login on-success log
switch(config)# logging level authpriv 6
switch(config)# logging level daemon 6

Logs all successful authentication messages to the configured syslog server only if the logging level is set to 6. With this configuration, the following syslog message appears after the successful login:

AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user admin from 172.22.00.00

Note

 

When logging level authpriv is 6, additional Linux kernel authentication messages appear along with the previous message. If these additional messages need to be ignored, the authpriv value should be set to 3.

Step 4

(Optional) show login on-failure log

Example:

switch(config)# show login on-failure log
(Optional)

Displays whether the switch is configured to log failed authentication messages to the syslog server.

Step 5

(Optional) show login on-successful log

Example:

switch(config)# show login on-successful log
(Optional)

Displays whether the switch is configured to log successful authentication messages to the syslog server.

Step 6

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring Login Block Per User

Ensure that the switch is in global configuration mode.

The Login Block Per User feature helps detect suspected Denial of Service (DoS) attacks and to slow down dictionary attacks. This feature is applicable for local users and remote users. Use this task to configure login parameters to block a user after failed login attempts.


Note


From Release 9.3(7), you can configure login block for remote users.


Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

aaa authentication rejected attemptsinsecondsbanseconds

Example:

switch(config)# aaa authentication rejected 3 in 20 ban 300

Configures login parameters to block a user.

Note

 

Use no aaa authentication rejected command to revert to the default login parameters.

Step 3

exit

Example:

switch(config)# exit

Exits to privileged EXEC mode.

Step 4

(Optional) show running config

Example:

switch# show running config
(Optional)

Displays the login parameters.

Step 5

show aaa local user blocked

Example:

switch# show aaa local user blocked

Displays the blocked local users.

Step 6

clear aaa local user blocked {username user| all}

Example:

switch(config)# switch# clear aaa local user blocked username testuser

Clears the blocked local users.

all –Clears all the blocked local users.

Step 7

show aaa user blocked

Example:

switch(config)# show aaa user blocked

Displays all blocked local and remote users.

Step 8

(Optional) clear aaa user blocked{username user| all}

Example:

switch# clear aaa user blocked username testuser
(Optional)

Clears all blocked local and remote users.

all – Clears all the blocked local and remote users.

Example


Note


Only network-admin, and vdc-admin have privileges to run the show and clear commands.


The following example shows how to configure the login parameters to block a user for 300 seconds when three login attempts fail within a period of 20 seconds:

switch(config)# aaa authentication rejected 3 in 20 ban 300
switch# show run | i rejected
aaa authentication rejected 3 in 20 ban 300
switch# show aaa local user blocked
Local-user                 State
testuser                   Watched (till 11:34:42 IST Nov 12 2020)
switch# clear aaa local user blocked username testuser
switch# show aaa user blocked
Local-user                 State
testuser                   Watched (till 11:34:42 IST Nov 12 2020)
switch# clear aaa user blocked username testuser

Enabling CHAP Authentication

The Cisco NX-OS software supports the Challenge Handshake Authentication Protocol (CHAP), a challenge-response authentication protocol that uses the industry-standard Message Digest (MD5) hashing scheme to encrypt responses. You can use CHAP for user logins to a Cisco NX-OS device through a remote authentication server (RADIUS or TACACS+).

By default, the Cisco NX-OS device uses Password Authentication Protocol (PAP) authentication between the Cisco NX-OS device and the remote server. If you enable CHAP, you need to configure your RADIUS or TACACS+ server to recognize the CHAP vendor-specific attributes (VSAs).


Note


Cisco Nexus 9K Series switches support the CLI command, aaa authentication login ascii-authentication, only for TACAAS+, but not for RADIUS. Ensure that you have disabled aaa authentication login ascii-authentication switch so that the default authentication, PAP, is enabled. Otherwise, you will see syslog errors. For example:

2017 Jun 14 16:14:15 N9K-1 %RADIUS-2-RADIUS_NO_AUTHEN_INFO: ASCII authentication not supported
2017 Jun 14 16:14:16 N9K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.12.34 - dcos_sshd[16804]

This table shows the RADIUS and TACACS+ VSAs required for CHAP.

Table 4. CHAP RADIUS and TACACS+ VSAs

Vendor-ID Number

Vendor-Type Number

VSA

Description

311

11

CHAP-Challenge

Contains the challenge sent by an AAA server to a CHAP user. It can be used in both Access-Request and Access-Challenge packets.

211

11

CHAP-Response

Contains the response value provided by a CHAP user in response to the challenge. It is used only in Access-Request packets.

Before you begin

Disable AAA ASCII authentication for logins.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters configuration mode.

Step 2

no aaa authentication login ascii-authentication

Example:

switch(config)# no aaa authentication login ascii-authentication

Disables ASCII authentication.

Step 3

aaa authentication login chap enable

Example:

switch(config)# aaa authentication login chap enable

Enables CHAP authentication. The default is disabled.

Note

 

You cannot enable both CHAP and MSCHAP or MSCHAP V2 on your Cisco NX-OS device.

Step 4

(Optional) exit

Example:

switch(config)# exit
switch#
(Optional)

Exits configuration mode.

Step 5

(Optional) show aaa authentication login chap

Example:

switch# show aaa authentication login chap
(Optional)

Displays the CHAP configuration.

Step 6

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Enabling MSCHAP or MSCHAP V2 Authentication

Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. The Cisco NX-OS software also supports MSCHAP Version 2 (MSCHAP V2). You can use MSCHAP for user logins to a Cisco NX-OS device through a remote authentication server (RADIUS or TACACS+). MSCHAP V2 only supports user logins to a Cisco NX-OS device through remote authentication RADIUS servers. If you configure a TACACS+ group with MSCHAP V2, the AAA default login authentication uses the next configured method, or the local method, if no other server group is configured.


Note


The Cisco NX-OS software may display the following message:

“ Warning: MSCHAP V2 is supported only with Radius.”

This warning message is informational only and does not affect MSCHAP V2 operation with RADIUS.


By default, the Cisco NX-OS device uses Password Authentication Protocol (PAP) authentication between the Cisco NX-OS device and the remote server. If you enable MSCHAP or MSCHAP V2, you need to configure your RADIUS server to recognize the MSCHAP and MSCHAP V2 vendor-specific attributes (VSAs).

This table shows the RADIUS VSAs required for MSCHAP.

Table 5. MSCHAP and MSCHAP V2 RADIUS VSAs

Vendor-ID Number

Vendor-Type Number

VSA

Description

311

11

MSCHAP-Challenge

Contains the challenge sent by an AAA server to an MSCHAP or MSCHAP V2 user. It can be used in both Access-Request and Access-Challenge packets.

211

11

MSCHAP-Response

Contains the response value provided by an MSCHAP or MSCHAP V2 user in response to the challenge. It is only used in Access-Request packets.

Before you begin

Disable AAA ASCII authentication for logins.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters configuration mode.

Step 2

no aaa authentication login ascii-authentication

Example:

switch(config)# no aaa authentication login ascii-authentication

Disables ASCII authentication.

Step 3

aaa authentication login {mschap | mschapv2} enable

Example:

switch(config)# aaa authentication login mschap enable

Enables MSCHAP or MSCHAP V2 authentication. The default is disabled.

Note

 

You cannot enable both MSCHAP and MSCHAP V2 on your Cisco NX-OS device.

Step 4

exit

Example:

switch(config)# exit
switch#

Exits configuration mode.

Step 5

(Optional) show aaa authentication login {mschap | mschapv2}

Example:

switch# show aaa authentication login mschap
(Optional)

Displays the MSCHAP or MSCHAP V2 configuration.

Step 6

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring AAA Authorization on LDAP Servers

You can configure the default AAA authorization method for LDAP servers.

Before you begin

Enable LDAP.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

aaa authorization ssh-certificate default {group group-list [none] | local | none}

Example:

switch(config)# aaa authorization ssh-certificate default group ldap1 ldap2

Configures the default AAA authorization method for the LDAP servers.

The ssh-certificate keyword configures LDAP or local authorization with certificate authentication. The default authorization is local authorization, which is the list of authorized commands for the user’s assigned role.

The group-list argument consists of a space-delimited list of LDAP server group names. Servers belonging to this group are contacted for AAA authorization. The local method uses the local database for authorization, and the none method specifies that no AAA authorization be used.

Step 3

exit

Example:

switch(config)# exit
switch#

Exits global configuration mode.

Step 4

(Optional) show aaa authorization [all]

Example:

switch# show aaa authorization
(Optional)

Displays the AAA authorization configuration. The all keyword displays the default values.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config 
startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring AAA SSH-Cert-Authorization on TACACS Servers

To configure AAA SSH-Cert-Authorization on TACACS Servers, follow these steps:

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

aaa authorization ssh-certificate default {group group-list [none] | local | none}

Example:

switch(config)# aaa authorization ssh-certificate default group tac1

Configures the default AAA authorization-method for SSH request having X509 certificate as TACACS server-group(s).

The ssh-certificate keyword configures TACACS or local authorization with certificate authentication. The default authorization is local authorization, which is the list of authorized commands for the user’s assigned role.

The group-list argument consists of a space-delimited list of TACACS server group names. Servers belonging to this group are contacted for AAA authorization. The local method uses the local database for authorization, and the none method specifies that no AAA authorization be used.

Step 3

exit

Example:

switch(config)# exit
switch#

Exits global configuration mode.

Step 4

(Optional) show aaa authorization [all]

Example:

switch# show aaa authorization
(Optional)

Displays the AAA authorization configuration. The all keyword displays the default values.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config 
startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring AAA Accounting Default Methods

Cisco NX-OS software supports TACACS+ and RADIUS methods for accounting. Cisco NX-OS devices report user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.

When you activate AAA accounting, the Cisco NX-OS device reports these attributes as accounting records, which are then stored in an accounting log on the security server.

You can create default method lists defining specific accounting methods, which include the following:

RADIUS server group
Uses the global pool of RADIUS servers for accounting.
Specified server group
Uses a specified RADIUS or TACACS+ server group for accounting.
Local
Uses the local username or password database for accounting.

Note


If you have configured server groups and the server groups do not respond, by default, the local database is used for authentication.


Before you begin

Configure RADIUS or TACACS+ server groups, as needed.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters configuration mode.

Step 2

aaa accounting default {group group-list | local}

Example:

switch(config)# aaa accounting default group radius

Configures the default accounting method.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

  • radius —Uses the global pool of RADIUS servers for accounting.

  • named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting.

The local method uses the local database for accounting.

The default method is local , which is used when no server groups are configured or when all the configured server groups fail to respond.

Step 3

exit

Example:

switch(config)# exit
switch#

Exits configuration mode.

Step 4

(Optional) show aaa accounting

Example:

switch# show aaa accounting 
(Optional)

Displays the configuration AAA accounting default methods.

Step 5

(Optional) copy running-config startup-config

Example:

switch# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Using AAA Server VSAs with Cisco NX-OS Devices

You can use vendor-specific attributes (VSAs) to specify Cisco NX-OS user roles and SNMPv3 parameters on AAA servers.

About VSAs

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.

When you use RADIUS servers for authentication on a Cisco NX-OS device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

VSA Format

The following VSA protocol options are supported by the Cisco NX-OS software:

Shell
Protocol used in access-accept packets to provide user profile information.
Accounting
Protocol used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.

The following attributes are supported by the Cisco NX-OS software:

roles

Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space. For example, if you belong to role network-operator and network-admin, the value field would be network-operator network-admin. This subattribute is sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be used with the shell protocol value. These examples use the roles attribute:

shell:roles=network-operator network-admin 
shell:roles*network-operator network-admin

The following examples show the roles attribute as supported by FreeRADIUS:

Cisco-AVPair = shell:roles=\network-operator network-admin\ 
Cisco-AVPair = shell:roles*\network-operator network-admin\ 


Note


When you specify a VSA as shell:roles*"network-operator network-admin" or "shell:roles*\"network-operator network-admin\"", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.


accountinginfo
Stores accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.

Specifying Cisco NX-OS User Roles and SNMPv3 Parameters on AAA Servers

You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco NX-OS device using this format:

shell:roles="roleA roleB …"

If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.

The SNMPv3 attributes should come together, either before the shell attributes or after. You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:

snmpv3:auth=”SHA” priv=”AES-128” shell:roles="network-admin" shell:priv-lvl=15

shell:roles="network-admin" shell:priv-lvl=15 snmpv3:auth=”SHA” priv=”AES-128”

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 and DES are the default authentication protocols.

Configuring Secure Login Features

Configuring Login Parameters

You can configure login parameters to automatically block further login attempts when a possible denial-of-service (DoS) attack is detected and slow down dictionary attacks by enforcing a quiet period if multiple failed connection attempts are detected.


Note


This feature restarts if a system switchover occurs or the AAA process restarts.



Note


The login block-for and login quiet-mode configuration mode commands have been renamed to system login block-for and system login quiet-mode, respectively.


Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
switch# configure terminal

Enters global configuration mode.

Step 2

[no] system login block-for seconds attempts tries within seconds

Example:
switch(config)# system  login block-for 100 attempts 2 within 60

Configures the quiet mode time period. The range for all arguments is from 1 to 65535.

The example shows how to configure the switch to enter a 100-second quiet period if 2 failed login attempts are exceeded within 60 seconds.

After you enter this command, all login attempts made through Telnet or SSH are denied during the quiet period. Access control lists (ACLs) are not exempt from the quiet period until the system command is entered.

Note

 

You must enter this command before any other login command can be used.

Step 3

(Optional) [no] system login quiet-mode access-class acl-name

Example:
switch(config)# system  login quiet-mode access-class myacl
(Optional)

Specifies an ACL that is to be applied to the switch when it changes to quiet mode. When the switch is in quiet mode, all login requests are denied, and the only available connection is through the console.

Step 4

(Optional) show system login [failures]

Example:
switch(config)# show system  login
(Optional)
Displays the login parameters. The failures option displays information related only to failed login attempts.

Step 5

(Optional) copy running-config startup-config

Example:
switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Restricting User Login Sessions

You can restrict the maximum number of simultaneous login sessions per user. Doing so prevents users from having multiple unwanted sessions and solves the potential security issue of unauthorized users accessing a valid SSH or Telnet session.

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
switch# configure terminal

Enters global configuration mode.

Step 2

[no] user max-logins max-logins

Example:
switch(config)# user max-logins 1

Restricts the maximum number of simultaneous login sessions per user. The range is from 1 to 7. If you set the maximum login limit as 1, only one Telnet or SSH session is allowed per user.

Note

 

The configured login limit applies to all users. You cannot set a different limit for individual users.

Step 3

(Optional) show running-config all | i max-login

Example:
switch(config)# show running-config all | i max-login
(Optional)

Displays the maximum number of login sessions allowed per user.

Step 4

(Optional) copy running-config startup-config

Example:
switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Restricting the Password Length

You can restrict the minimum and maximum length of the user password. This feature enables you to increase system security by forcing the user to provide a strong password.

Before you begin

You must enable password strength checking using the password strength-check command. If you restrict the password length but do not enable password strength checking and the user enters a password that is not within the restricted length, an error appears, but a user account is created. To enforce the password length and prevent a user account from being created, you must enable password strength checking and restrict the password length.

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
switch# configure terminal

Enters global configuration mode.

Step 2

[no] userpassphrase {min-length min-length | max-length max-length }

Example:
switch(config)# userpassphrase min-length 8 max-length 80 

Restricts the minimum and/or maximum length of the user password. The minimum password length is from 4 to 127 characters, and the maximum password length is from 80 to 127 characters.

Step 3

(Optional) show userpassphrase {length | max-length | min-length}

Example:
switch(config)# show userpassphrase length
(Optional)

Displays the minimum and maximum length of the user password.

Step 4

(Optional) copy running-config startup-config

Example:
switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Enabling the Password Prompt for the Username

You can configure the switch to prompt the user to enter a password after entering the username.

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
switch# configure terminal

Enters global configuration mode.

Step 2

password prompt username

Example:
switch(config)# password prompt username
Password prompt username is enabled.
After providing the required options in the username command, press enter.
User will be prompted for the username password and password will be hidden.
Note: Choosing password key in the same line while configuring user account, password will not be hidden. 

Configures the switch to prompt the user to enter a password after she enters the username command without the password option or the snmp-server user command. The password that the user enters will be hidden. You can use the no form of this command to disable this feature.

Note

 

From Cisco NX-OS Release 10.5(2)F onwards, the configuration for SNMP user removal under the password prompt skips the password-related prompts for ease of use.

Step 3

(Optional) copy running-config startup-config

Example:
switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Configuring the Shared Secret for RADIUS or TACACS+

The shared secret that you configure for remote authentication and accounting between the switch and the RADIUS or TACACS+ server should be hidden because it is sensitive information. You can use a separate command to generate an encrypted shared secret for the radius-server [host] key and tacacs-server [host] key commands. The SHA256 hashing method is used to store the encrypted shared secret.

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
switch# configure terminal

Enters global configuration mode.

Step 2

generate type7_encrypted_secret

Example:
switch(config)# generate type7_encrypted_secret
Type-7 (Vigenere) Encryption,
 Use this encrypted secret to configure radius and tacacs shared secret with key type 7.
 Copy complete secret with double quotes.

Enter plain text secret: 
Confirm plain text secret: 
Type 7 Encrypted secret is : "fewhg" 

Configures the RADIUS or TACACS+ shared secret with key type 7. You are prompted to enter the shared secret in plain text twice. The secret is hidden as you enter it. Then an encrypted version of the secret appears.

Note

 

You can generate the encrypted equivalent of a plain-text secret separately and configure the encrypted shared secret later using the radius-server [host] key and tacacs-server [host] key commands.

Step 3

(Optional) copy running-config startup-config

Example:
switch(config)# copy running-config startup-config
(Optional)

Copies the running configuration to the startup configuration.

Monitoring and Clearing the Local AAA Accounting Log

The Cisco NX-OS device maintains a local log for the AAA accounting activity. You can monitor this log and clear it.

Procedure

  Command or Action Purpose

Step 1

show accounting log [size | last-index | start-seqnum number | start-time year month day hh:mm:ss]

Example:

switch# show accounting log

Displays the accounting log contents. By default, the command output contains up to 250,000 bytes of the accounting log. You can use the size argument to limit command output. The range is from 0 to 250000 bytes. You can also specify a starting sequence number or a starting time for the log output.The range of the starting index is from 1 to 1000000. Use the last-index keyword to display the value of the last index number in the accounting log file.

Step 2

(Optional) clear accounting log [logflash]

Example:

switch# clear aaa accounting log
(Optional)

Clears the accounting log contents. The logflash keyword clears the accounting log stored in the logflash.

Verifying the AAA Configuration

To display AAA configuration information, perform one of the following tasks:

Command

Purpose

show aaa accounting

Displays AAA accounting configuration.

show aaa authentication [login {ascii-authentication | chap | error-enable | mschap | mschapv2}]

Displays AAA authentication login configuration information.

show aaa groups

Displays the AAA server group configuration.

show login [failures]

Displays the login parameters. The failures option displays information related only to failed login attempts.

Note

 

The clear login failures command clears the login failures in the current watch period.

show login on-failure log

Displays whether the switch is configured to log failed authentication messages to the syslog server.

show login on-successful log

Displays whether the switch is configured to log successful authentication messages to the syslog server.

show running-config aaa [all]

Displays the AAA configuration in the running configuration.

show running-config all | i max-login

Displays the maximum number of login sessions allowed per user.

show startup-config aaa

Displays the AAA configuration in the startup configuration.

show userpassphrase {length | max-length | min-length}

Displays the minimum and maximum length of the user password.

show userpassphrase sequence alphabet length

Displays the maximum alphabet sequence length of the user password.

show userpassphrase sequence keyboard length

Displays the maximum sequence keyboard length of the user password.

Configuration Examples for AAA

The following example shows how to configure AAA:


aaa authentication login default group radius 
aaa authentication login console group radius 
aaa accounting default group radius

Configuration Examples for Login Parameters

The following example shows how to configure the switch to enter a 100-second quiet period if 3 failed login attempts is exceeded within 60 seconds. This example shows no login failures.

switch# configure terminal
switch(config)# login block-for 100 attempts 3 within 60
switch(config)# show login

No Quiet-Mode access list has been configured, default ACL will be applied. 

 Switch is enabled to watch for login Attacks. 
 If more than 3 login failures occur in 60 seconds or less,
 logins will be disabled for 100 seconds. 

 Switch presently in Normal-Mode.
 Current Watch Window remaining time 45 seconds.
 Present login failure count 0.

switch(config)# show login failures
*** No logged failed login attempts with the device.***

The following example shows how to configure a quiet-mode ACL. All login requests are denied during the quiet period except hosts from the myacl ACL. This example also shows a login failure.

switch# configure terminal
switch(config)# login block-for 100 attempts 3 within 60
switch(config)# login quiet-mode access-class myacl

switch(config)# show login

 Switch is enabled to watch for login Attacks. 
 If more than 3 login failures occur in 60 seconds or less,
 logins will be disabled for 100 seconds. 

 Switch presently in Quiet-Mode.
 Will remain in Quiet-Mode for 98 seconds.
 Denying logins from all sources.

switch(config)# show login failures 
Information about last 20 login failure's with the device.
--------------------------------------------------------------------------------
Username      Line    						SourceIPAddr    Appname    TimeStamp
--------------------------------------------------------------------------------
asd         		/dev/pts/0    171.70.55.158   login      Mon Aug  3 18:18:54 2015
qweq										/dev/pts/0    171.70.55.158   login      Mon Aug  3 18:19:02 2015
qwe											/dev/pts/0    171.70.55.158   login      Mon Aug  3 18:19:08 2015
--------------------------------------------------------------------------------

Configuration Examples for the Password Prompt Feature

The following example shows how to configure the switch to prompt the user to enter a password after she enters the username command and the error message that displays if she does not enter a password.

switch# configure terminal
switch(config)# password prompt username
Password prompt username is enabled.
After providing the required options in the username command, press enter.
User will be prompted for the username password and password will be hidden.
Note: Choosing password key in the same line while configuring user account, password will not be hidden.


switch(config)# username user1
Enter password: 
Confirm password: 
warning: password for user:user1 not set. S/he may not be able to login

The following example shows how to configure the switch to prompt the user to enter a password after she enters the snmp-server user command and the prompts that then display to the user.

switch# configure terminal
switch(config)# password prompt username
Password prompt username is enabled.
After providing the required options in the username command, press enter.
User will be prompted for the username password and password will be hidden.
Note: Choosing password key in the same line while configuring user account, password will not be hidden.


N9K-1(config)# snmp-server user user1
Enter auth md5 password (Press Enter to Skip): 
Enter auth sha password (Press Enter to Skip): 

Additional References for AAA

This section includes additional information related to implementing AAA.

Related Documents

Related Topic

Document Title

Cisco NX-OS Licensing

Cisco NX-OS Licensing Guide

Standards

Standards

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

MIBs

MIBs Link

MIBs related to AAA

To locate and download supported MIBs, go to the following URL:

ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html