Cisco Nexus 3600 NX-OS Security Configuration Manual

Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x

First Published: 2017-09-27
Last Modified: 2018-02-27
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2018 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface xi
    Audience xi
    Document Conventions xi
    Obtaining Documentation and Submitting a Service Request xii
    Documentation Feedback xii
    Related Documentation for Cisco Nexus 3600 Platform Switches xiii

CHAPTER 1    New and Changed Information 1
    New and Changed Information 1

CHAPTER 2    Overview 3
    Authentication, Authorization, and Accounting 3
    RADIUS and TACACS+ Security Protocols 4
    SSH and Telnet 4
    IP ACLs 5

CHAPTER 3    Configuring AAA 7
    Information About AAA 7
    AAA Security Services 7
    Benefits of Using AAA 8
    Remote AAA Services 8
    AAA Server Groups 8
    AAA Service Configuration Options 9
    Authentication and Authorization Process for User Logins 10
    Prerequisites for Remote AAA 11
    Guidelines and Limitations for AAA 12
    Configuring AAA 12
    Configuring Console Login Authentication Methods 12
    Configuring Default Login Authentication Methods 13
    Enabling Login Authentication Failure Messages 14
    Logging Successful and Failed Login Attempts 15
    Configuring AAA Command Authorization 16
    Enabling MSCHAP Authentication 17
    Configuring AAA Accounting Default Methods 18
    Using AAA Server VSAs 20
    VSAs 20
    VSA Format 20
    Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers 20
    Secure Login Enhancements 21
    Secure Login Enhancements 21
    Configuring Login Parameters 21
    Configuration Examples for Login Parameters 22
    Restricting Sessions Per User Per Login 23
    Enabling the Password Prompt for User Name 24
    Configuring Share Key Value for using RADIUS/TACACS+ 24
    Monitoring and Clearing the Local AAA Accounting Log 25
    Verifying the AAA Configuration 25
    Configuration Examples for AAA 26
    Default AAA Settings 26

CHAPTER 4    Configuring RADIUS 29
    Information About RADIUS 29
    RADIUS Network Environments 29
    Information About RADIUS Operations 30
    RADIUS Server Monitoring 31
    Vendor-Specific Attributes 31
    Prerequisites for RADIUS 32
    Guidelines and Limitations for RADIUS 32
    Configuring RADIUS Servers 32
    Configuring RADIUS Server Hosts 33
    Configuring RADIUS Global Preshared Keys 34
    Configuring RADIUS Server Preshared Keys 34
    Configuring RADIUS Server Groups 35
    Configuring the Global Source Interface for RADIUS Server Groups 37
    Allowing Users to Specify a RADIUS Server at Login 37
    Configuring the Global RADIUS Transmission Retry Count and Timeout Interval 38
    Configuring Accounting and Authentication Attributes for RADIUS Servers 39
    Configuring Periodic RADIUS Server Monitoring 40
    Configuring the Dead-Time Interval 41
    Manually Monitoring RADIUS Servers or Groups 42
    Verifying the RADIUS Configuration 43
    Displaying RADIUS Server Statistics 43
    Clearing RADIUS Server Statistics 43
    Configuration Examples for RADIUS 44
    Default Settings for RADIUS 44
    Feature History for RADIUS 44

CHAPTER 5    Configuring TACACS+ 45
    Information About Configuring TACACS+ 45
    TACACS+ Advantages 45
    User Login with TACACS+ 46
    Default TACACS+ Server Encryption Type and Preshared Key 46
    TACACS+ Server Monitoring 47
    Prerequisites for TACACS+ 47
    Guidelines and Limitations for TACACS+ 48
    Configuring TACACS+ 48
    TACACS+ Server Configuration Process 48
    Enabling TACACS+ 48
    Configuring TACACS+ Server Hosts 49
    Configuring TACACS+ Global Preshared Keys 50
    Configuring TACACS+ Server Groups 51
    Configuring the Global Source Interface for TACACS+ Server Groups 52
    Configuring the Global TACACS+ Timeout Interval 52
    Configuring the Timeout Interval for a Server 53
    Configuring TCP Ports 53
    Configuring Periodic TACACS+ Server Monitoring 54
    Configuring the Dead-Time Interval 55
    Manually Monitoring TACACS+ Servers or Groups 56
    Disabling TACACS+ 56
    Displaying TACACS+ Statistics 57
    Verifying the TACACS+ Configuration 57
    Configuration Examples for TACACS+ 57
    Default Settings for TACACS+ 58

CHAPTER 6    Configuring SSH and Telnet 59
    Information About SSH and Telnet 59
    SSH Server 59
    SSH Client 59
    SSH Server Keys 60
    SSH Authentication Using Digital Certificates 60
    Telnet Server 61
    Guidelines and Limitations for SSH 61
    Configuring SSH 61
    Generating SSH Server Keys 61
    Specifying the SSH Public Keys for User Accounts 62
    Specifying the SSH Public Keys in Open SSH Format 62
    Specifying the SSH Public Keys in IETF SECSH Format 63
    Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form 63
    Configuring the SSH Source Interface 64
    Starting SSH Sessions to Remote Devices 65
    Clearing SSH Hosts 65
    Disabling the SSH Server 65
    Deleting SSH Server Keys 66
    Clearing SSH Sessions 66
    Configuration Examples for SSH 67
    Configuring X.509v3 Certificate-Based SSH Authentication 68
    Configuration Example for X.509v3 Certificate-Based SSH Authentication 70
    Configuring Telnet 71
    Enabling the Telnet Server 71
    Reenabling the Telnet Server 71
    Configuring the Telnet Source Interface 71
    Starting Telnet Sessions to Remote Devices 72
    Clearing Telnet Sessions 72
    Verifying the SSH and Telnet Configuration 73
    Default Settings for SSH 73

CHAPTER 7    Configuring IP ACLs 75
    Information About ACLs 75
    IP ACL Types and Applications 76
    Application Order 76
    Rules 76
    Source and Destination 77
    Protocols 77
    Implicit Rules 77
    Additional Filtering Options 77
    Sequence Numbers 77
    Logical Operators and Logical Operation Units 78
    ACL TCAM Regions 78
    Licensing Requirements for ACLs 79
    Prerequisites for ACLs 79
    Guidelines and Limitations for ACLs 80
    Default ACL Settings 80
    ACL Logging 81
    Configuring IP ACLs 81
    Creating an IP ACL 81
    Configuring IPv4 ACL Logging 82
    Changing an IP ACL 84
    Removing an IP ACL 85
    Changing Sequence Numbers in an IP ACL 86
    Applying an IP ACL to mgmt0 86
    Applying an IP ACL as a Port ACL 87
    Applying an IP ACL as a Router ACL 87
    Verifying the ACL Logging Configuration 88
    About System ACLs 89
    Carving a TCAM Region 90
    Configuring System ACLs 90
    Configuration and Show Command Examples for the System ACLs 90
    Configuring ACL Logging 92
    Configuring the ACL Logging Cache 92
    Applying ACL Logging to an Interface 93
    Applying the ACL Log Match Level 94
    Clearing Log Files 94
    Verifying the ACL Logging Configuration 94
    Configuring ACL TCAM Region Sizes 95
    Reverting to the Default TCAM Region Sizes 97
    Configuring ACLs on Virtual Terminal Lines 97
    Verifying ACLs on VTY Lines 99
    Configuration Examples for ACLs on VTY Lines 99

CHAPTER 8    Configuring Unicast RPF 101
    Information About Unicast RPF 101
    Unicast RPF Process 102
    Global Statistics 102
    Licensing Requirements for Unicast RPF 103
    Guidelines and Limitations for Unicast RPF 103
    Default Settings for Unicast RPF 104
    Configuring Unicast RPF 104
    Configuration Examples for Unicast RPF 106
    Verifying the Unicast RPF Configuration 106
    Additional References for Unicast RPF 107

CHAPTER 9    Configuring Control Plane Policing 109
    About CoPP 109
    Control Plane Protection 110
    Control Plane Packet Types 111
    Classification for CoPP 111
    Rate Controlling Mechanisms 112
    Dynamic and Static CoPP ACLs 112
    Default Policing Policies 113
    Default Class Maps - For Cisco NX-OS Release 7.0(3)I3(1) 114
    Strict Default CoPP Policy - For Cisco NX-OS Release 7.0(3)I3(1) 116
    Moderate Default CoPP Policy - For Cisco NX-OS Release 7.0(3)I3(1) 118
    Lenient Default CoPP Policy - For Cisco NX-OS Release 7.0(3)I3(1) 120
    Dense Default CoPP Policy - For Cisco NX-OS Release 7.0(3)I3(1) 122
    Packets Per Second Credit Limit 124
    Modular QoS Command-Line Interface 124
    CoPP and the Management Interface 124
    Licensing Requirements for CoPP 125
    Guidelines and Limitations for CoPP 125
    Default Settings for CoPP 127
    Configuring CoPP 127
    Configuring a Control Plane Class Map 127
    Configuring a Control Plane Policy Map 129
    Configuring the Control Plane Service Policy 131
    Configuring the CoPP Scale Factor Per Line Card 132
    Changing or Reapplying the Default CoPP Policy 133
    Copying the CoPP Best Practice Policy 134
    Verifying the CoPP Configuration 135
    Displaying the CoPP Configuration Status 137
    Monitoring CoPP 137
    Clearing the CoPP Statistics 138
    Configuration Examples for CoPP 138
    CoPP Configuration Example 138
    Changing or Reapplying the Default CoPP Policy Using the Setup Utility 139
    Additional References for CoPP 140

Preface

This preface includes the following sections:
Audience, page xi
Document Conventions, page xi
Obtaining Documentation and Submitting a Service Request, page xii
Documentation Feedback, page xii
Related Documentation for Cisco Nexus 3600 Platform Switches, page xiii

Audience

This publication is for network administrators who install, configure, and maintain Cisco Nexus switches.

Document Conventions

Command descriptions use the following conventions:

Convention              Description
bold                    Bold text indicates the commands and keywords that you enter literally as shown.
Italic                  Italic text indicates arguments for which the user supplies the values.
[x]                     Square brackets enclose an optional element (keyword or argument).
[x | y]                 Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.
{x | y}                 Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice.
[x {y | z}]             Nested set of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
variable                Indicates a variable for which you supply values, in context where italics cannot be used.
string                  A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

Examples use the following conventions:

Convention              Description
screen font             Terminal sessions and information the switch displays are in screen font.
boldface screen font    Information you must enter is in boldface screen font.
italic screen font      Arguments for which you supply values are in italic screen font.
< >                     Nonprinting characters, such as passwords, are in angle brackets.
[ ]                     Default responses to system prompts are in square brackets.
!, #                    An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.

Documentation Feedback

To provide technical feedback on this document, or to report an error or omission, please send your comments to nexus3k-docfeedback@cisco.com. We appreciate your feedback.

Related Documentation for Cisco Nexus 3600 Platform Switches

The entire Cisco Nexus 3600 platform switch documentation set is available at the following URL:
http://www.cisco.com/c/en/us/support/switches/nexus-3000-series-switches/tsd-products-support-series-home.html

CHAPTER 1

New and Changed Information

This chapter provides release-specific information for each new and changed feature in the Cisco Nexus 3600 Series NX-OS Security Configuration Guide.
New and Changed Information, page 1

New and Changed Information

This table summarizes the new and changed features for the Cisco Nexus 3600 Series NX-OS Security Configuration Guide and where they are documented.

Table 1: New and Changed Features

System ACLs
    Description: Added support for configuring system ACLs.
    Changed in Release: 7.0(3)F3(4)
    Where Documented: About System ACLs, on page 89

Access Control Lists
    Description: Added support for Access Control Lists (ACLs).
    Changed in Release: 7.0(3)F3(1)
    Where Documented: Configuring IP ACLs, on page 75

Authentication, Authorization, and Accounting
    Description: Added support for Authentication, Authorization, and Accounting (AAA).
    Changed in Release: 7.0(3)F3(1)
    Where Documented: Configuring AAA, on page 7

SSH and Telnet
    Description: Added support for SSH and Telnet.
    Changed in Release: 7.0(3)F3(1)
    Where Documented: Configuring SSH and Telnet, on page 59

TACACS+
    Description: Added support for TACACS+.
    Changed in Release: 7.0(3)F3(1)
    Where Documented: Configuring TACACS+, on page 45

RADIUS
    Description: Added support for RADIUS.
    Changed in Release: 7.0(3)F3(1)
    Where Documented: Configuring RADIUS, on page 29

Unicast RPF
    Description: Added support for unicast RPF.
    Changed in Release: 7.0(3)F3(1)
    Where Documented: Configuring Unicast RPF, on page 101

Control Plane Policing (CoPP)
    Description: Added support for CoPP.
    Changed in Release: 7.0(3)F3(1)
    Where Documented: Configuring Control Plane Policing, on page 109

CHAPTER 2

Overview

The Cisco NX-OS software supports security features that can protect your network against degradation or failure and also against data loss or compromise resulting from intentional attacks and from unintended but damaging mistakes by well-meaning network users.
Authentication, Authorization, and Accounting, page 3
RADIUS and TACACS+ Security Protocols, page 4
SSH and Telnet, page 4
IP ACLs, page 5

Authentication, Authorization, and Accounting

Authentication, authorization, and accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent, modular manner.
Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption. Authentication is the way a user is identified prior to being allowed access to the network and network services. You configure AAA authentication by defining a named list of authentication methods and then applying that list to various interfaces.
Authorization
Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared with the information contained in a database for a given user, and the result is returned to AAA to determine the user's actual capabilities and restrictions.
Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables you to track the services that users are accessing, as well as the amount of network resources that they are consuming.
Note
You can configure authentication outside of AAA. However, you must configure AAA if you want to use RADIUS or TACACS+, or if you want to configure a backup authentication method.

RADIUS and TACACS+ Security Protocols

AAA uses security protocols to administer its security functions. If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS or TACACS+ security server.
The chapters in this guide describe how to configure the following security server protocols:
RADIUS
A distributed client/server system implemented through AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
TACACS+
A security application implemented through AAA that provides a centralized validation of users who are attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.

SSH and Telnet

You can use the Secure Shell (SSH) server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients.
The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers.
The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address.

IP ACLs

IP ACLs are ordered sets of rules that you can use to filter traffic based on IPv4 information in the Layer 3 header of packets. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the Cisco NX-OS software determines that an IP ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether a packet is permitted or denied, or if there is no match, the Cisco NX-OS software applies the applicable default rule. The Cisco NX-OS software continues processing packets that are permitted and drops packets that are denied.
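The first-match evaluation described above, as an added example in Python that is not part of the guide: rules are tested in ascending sequence-number order, the first matching rule decides, and a packet that matches no rule falls to the default rule (taken here as deny, the usual implicit rule). The constructed ACL and the `reordered()` helper show that the verdict depends on rule order, not only on rule text; addresses are from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int                        # sequence number; rules are tested in ascending order
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int] = None  # only meaningful for tcp/udp


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every condition it states is satisfied by the packet."""
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet, default_action: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation: walk the rules by sequence number and stop at the first match.
    Returns (action, matching sequence number); with no match the default rule applies
    and the sequence number is None."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return default_action, None


def pkt(protocol: str, src: str, dst: str, port: Optional[int] = None) -> Packet:
    return Packet(protocol, IPv4Address(src), IPv4Address(dst), port)


# Constructed ACL (not from the guide) protecting a management address 192.0.2.1:
# SSH from the admin subnet reaches it, nothing else does, and transit traffic is permitted.
ADMIN_NET = IPv4Network("10.0.0.0/24")
MGMT_HOST = IPv4Network("192.0.2.1/32")
ANY = IPv4Network("0.0.0.0/0")
MGMT_ACL = [
    Rule(10, "permit", "tcp", ADMIN_NET, MGMT_HOST, 22),
    Rule(20, "deny", "ip", ANY, MGMT_HOST),
    Rule(30, "permit", "ip", ANY, ANY),
]


def reordered(acl: List[Rule], first: int, second: int) -> List[Rule]:
    """Swap the sequence numbers of two rules: same rule text, different evaluation order."""
    swap = {first: second, second: first}
    return [Rule(swap.get(r.seq, r.seq), r.action, r.protocol, r.src, r.dst, r.dst_port) for r in acl]
```

With the original ordering an admin SSH packet is permitted by rule 10; after `reordered(MGMT_ACL, 10, 20)` the broader deny is tested first and the same packet is dropped.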
CHAPTER 3

Configuring AAA

This chapter describes how to configure authentication, authorization, and accounting (AAA) on Cisco NX-OS devices.
Information About AAA, page 7
Prerequisites for Remote AAA, page 11
Guidelines and Limitations for AAA, page 12
Configuring AAA, page 12
Monitoring and Clearing the Local AAA Accounting Log, page 25
Verifying the AAA Configuration, page 25
Configuration Examples for AAA, page 26
Default AAA Settings, page 26

Information About AAA

AAA Security Services

The authentication, authorization, and accounting (AAA) feature allows you to verify the identity of, grant access to, and track the actions of users who manage Cisco Nexus devices. The Cisco Nexus device supports the Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols.
Based on the user ID and password that you provide, the switches perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the switch and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.
AAA security provides the following services:
Authentication
Identifies users, including login and password dialog, challenge and response, messaging support, and encryption, depending on the security protocol that you select.
Authorization
Provides access control. Authorization to access a Cisco Nexus device is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user.
Accounting
Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.
Note
The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.

Benefits of Using AAA

AAA provides the following benefits:
Increased flexibility and control of access configuration
Scalability
Standardized authentication methods, such as RADIUS and TACACS+
Multiple backup devices

Remote AAA Services

Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:
User password lists for each switch in the fabric are easier to manage.
AAA servers are already deployed widely across enterprises and can be easily used for AAA services.
The accounting log for all switches in the fabric can be centrally managed.
User attributes for each switch in the fabric are easier to manage than using the local databases on the switches.

AAA Server Groups

You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. A server group provides for failover servers if a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, that server group option is considered a failure. If required, you can specify multiple server groups. If a switch encounters errors from the servers in the first group, it tries the servers in the next server group.

AAA Service Configuration Options

On Cisco Nexus devices, you can have separate AAA configurations for the following services:
User Telnet or Secure Shell (SSH) login authentication
Console login authentication
User management session accounting
The following table lists the CLI commands for each AAA service configuration option.

Table 2: AAA Service Configuration Commands

AAA Service Configuration Option    Related Command
Telnet or SSH login                 aaa authentication login default
Console login                       aaa authentication login console
User session accounting             aaa accounting default

You can specify the following authentication methods for the AAA services:
RADIUS server groups—Uses the global pool of RADIUS servers for authentication.
Specified server groups—Uses specified RADIUS or TACACS+ server groups for authentication.
Local—Uses the local username or password database for authentication.
None—Uses only the username.
Note
If the method is for all RADIUS servers, instead of a specific server group, the Cisco Nexus devices choose the RADIUS server from the global pool of configured RADIUS servers in the order of configuration. Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco Nexus devices.
The following table describes the AAA authentication methods that you can configure for the AAA services.
Table 3: AAA Authentication Methods for AAA Services

AAA Service                          AAA Methods
Console login authentication         Server groups, local, and none
User login authentication            Server groups, local, and none
User management session accounting   Server groups and local
Note
For console login authentication, user login authentication, and user management session accounting, the Cisco Nexus devices try each option in the order specified. The local option is the default method when other configured options fail.

Authentication and Authorization Process for User Logins

The authentication and authorization process for user login occurs as follows:
When you log in to the required Cisco Nexus device, you can use the Telnet, SSH, Fabric Manager or Device Manager, or console login options.
When you have configured the AAA server groups using the server group authentication method, the Cisco Nexus device sends an authentication request to the first AAA server in the group as follows:
    If the AAA server fails to respond, then the next AAA server is tried and so on until the remote server responds to the authentication request.
    If all AAA servers in the server group fail to respond, the servers in the next server group are tried.
    If all configured methods fail, the local database is used for authentication.
If a Cisco Nexus device successfully authenticates you through a remote AAA server, the following conditions apply:
    If the AAA server protocol is RADIUS, user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
    If the AAA server protocol is TACACS+, another request is sent to the same server to get the user roles specified as custom attributes for the shell.
If your username and password are successfully authenticated locally, the Cisco Nexus device logs you in and assigns you the roles configured in the local database.
The following figure shows a flowchart of the authentication and authorization process.
Figure 1: Authentication and Authorization Flow for User Login
Note
In the figure, "No more servers left" means that there is no response from any server within this server group.
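The server-group failover and login flow described above (next server on no response, next group when a group has no more servers left, local database when no configured remote method responds, roles from the RADIUS cisco-av-pair or from a second TACACS+ request), as an added Python simulation that is not Cisco code or the switch's own implementation. The server names, the "tac-grp" group, the `shell:roles="..."` attribute layout and the fake transport are constructed for the example; `groups["radius"]` stands for the global RADIUS pool in configuration order.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Server:
    name: str
    protocol: str  # "radius" or "tacacs+"


# A transport returns the server's reply, or None when the server never responds (timeout).
Transport = Callable[[Server, str, dict], Optional[dict]]


@dataclass
class LoginResult:
    outcome: str      # "accept" or "reject"
    method: str       # method that produced the decision ("local" on fallback)
    roles: List[str]
    trace: List[str]  # what the switch tried, in order


def roles_from_av_pair(av_pair: str) -> List[str]:
    """Roles from a RADIUS cisco-av-pair such as shell:roles="network-admin" (assumed layout)."""
    prefix = 'shell:roles="'
    if not (av_pair.startswith(prefix) and av_pair.endswith('"')):
        return []
    return av_pair[len(prefix):-1].split()


def try_group(name: str, servers: List[Server], user: str, password: str,
              transport: Transport, trace: List[str]) -> Optional[Tuple[str, List[str]]]:
    """Try the group's servers in order until one responds; None means no more servers left."""
    for srv in servers:
        reply = transport(srv, "authenticate", {"user": user, "password": password})
        if reply is None:
            trace.append(f"{name}/{srv.name}: no response, trying next server")
            continue
        if not reply.get("accept"):
            trace.append(f"{name}/{srv.name}: rejected credentials")
            return "reject", []  # a responding server's verdict is final: no fallback
        if srv.protocol == "radius":  # roles ride in the cisco-av-pair of the accept reply
            roles = roles_from_av_pair(reply.get("cisco-av-pair", ""))
        else:  # TACACS+: a second request to the same server fetches the shell roles
            authz = transport(srv, "authorize-shell", {"user": user})
            roles = list(authz.get("roles", [])) if authz else []
        trace.append(f"{name}/{srv.name}: accepted, roles={roles}")
        return "accept", roles
    trace.append(f"{name}: no more servers left")
    return None


def login(methods: List[str], groups: Dict[str, List[Server]], user: str, password: str,
          transport: Transport, local_db: Dict[str, Tuple[str, List[str]]]) -> LoginResult:
    """methods is the configured list, e.g. ["tac-grp", "radius", "local"]; groups["radius"]
    stands for the global RADIUS pool in configuration order."""
    trace: List[str] = []
    for method in methods:
        if method == "none":
            return LoginResult("accept", "none", [], trace)  # username only
        if method == "local":
            break
        result = try_group(method, groups[method], user, password, transport, trace)
        if result is not None:
            return LoginResult(result[0], method, result[1], trace)
    # No configured remote method responded (or "local" was reached): the local database decides.
    trace.append("falling back to local database")
    entry = local_db.get(user)
    if entry and entry[0] == password:
        return LoginResult("accept", "local", list(entry[1]), trace)
    return LoginResult("reject", "local", [], trace)


def make_transport(state: Dict[str, dict]) -> Transport:
    """Constructed fake servers: state[name] = {"up": bool, "users": {user: (pw, roles)}}."""
    def transport(srv: Server, request: str, payload: dict) -> Optional[dict]:
        s = state[srv.name]
        if not s["up"]:
            return None
        entry = s["users"].get(payload["user"])
        if request == "authenticate":
            ok = entry is not None and entry[0] == payload["password"]
            reply = {"accept": ok}
            if ok and srv.protocol == "radius":
                reply["cisco-av-pair"] = 'shell:roles="' + " ".join(entry[1]) + '"'
            return reply
        if request == "authorize-shell":
            return {"roles": list(entry[1])} if entry else {"roles": []}
        return None
    return transport


# Constructed topology: one named TACACS+ group, the global RADIUS pool, and the local database.
GROUPS = {"tac-grp": [Server("tac1", "tacacs+"), Server("tac2", "tacacs+")],
          "radius": [Server("rad1", "radius"), Server("rad2", "radius")]}
LOCAL_DB = {"admin": ("local-pw", ["network-admin"])}
METHODS = ["tac-grp", "radius", "local"]
ALICE = {"alice": ("tac-pw", ["network-operator"])}


def scenario(tac1_up: bool, tac2_up: bool, rad2_up: bool, user: str, password: str) -> LoginResult:
    """rad1 is always down, so the RADIUS pool exercises the next-server step as well."""
    state = {"tac1": {"up": tac1_up, "users": ALICE}, "tac2": {"up": tac2_up, "users": ALICE},
             "rad1": {"up": False, "users": {}},
             "rad2": {"up": rad2_up, "users": {"alice": ("rad-pw", ["network-operator"])}}}
    return login(METHODS, GROUPS, user, password, make_transport(state), LOCAL_DB)
```

`scenario(False, False, True, "alice", "rad-pw")` walks both TACACS+ servers, records "tac-grp: no more servers left", skips the silent rad1 and is accepted by rad2, while `scenario(False, True, True, "alice", "bad-pw")` is rejected by tac2 with no fallback to the local database.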

Prerequisites for Remote AAA

Remote AAA servers have the following prerequisites:
At least one RADIUS or TACACS+ server must be IP reachable.
The Cisco Nexus device is configured as a client of the AAA servers.
The preshared secret key is configured on the Cisco Nexus device and on the remote AAA servers.
The remote server responds to AAA requests from the Cisco Nexus device.

Guidelines and Limitations for AAA

The Cisco Nexus devices do not support all-numeric usernames, whether created with TACACS+ or RADIUS, or created locally. If an all-numeric username exists on an AAA server and is entered during a login, the Cisco Nexus device still logs in the user.
If you configure the AAA login authentication default group, TACACS-SERVER-GROUP, it also overrides the login for the console. This override occurs even if aaa authentication login console local is a default command on the switch. To prevent this, you must configure aaa authentication login console local.
Caution
You should not create user accounts with usernames that are all numeric.

Configuring AAA

Configuring Console Login Authentication Methods

The authentication methods include the following:
Global pool of RADIUS servers
Named subset of RADIUS or TACACS+ servers
Local database on the Cisco Nexus device
Username only (none)
The default method is local.
Note
The group radius and group server-name forms of the aaa authentication command are used for a set of previously defined RADIUS servers. Use the radius server-host command to configure the host servers. Use the aaa group server radius command to create a named group of servers.
Note
If you configure the AAA login authentication default group, TACACS-SERVER-GROUP, it also overrides the login for the console. This override occurs even if aaa authentication login console local is a default command on the switch. To prevent this, you must configure aaa authentication login console local.
Before you configure console login authentication methods, configure RADIUS or TACACS+ server groups as needed.
Procedure

Step 1: configure terminal
  Enters global configuration mode.
  switch# configure terminal

Step 2: aaa authentication login console {group group-list [none] | local | none}
  Configures login authentication methods for the console.
  The group-list argument consists of a space-delimited list of group names. The group names are the following:
  - radius: Uses the global pool of RADIUS servers for authentication.
  - named-group: Uses a named subset of TACACS+ or RADIUS servers for authentication.
  The local method uses the local database for authentication. The none method uses the username only.
  The default console login method is local, which is used when no methods are configured or when all of the configured methods fail to respond.
  switch(config)# aaa authentication login console {group group-list [none] | local | none}

Step 3: exit
  Exits global configuration mode.
  switch(config)# exit

Step 4: show aaa authentication
  (Optional) Displays the configuration of the console login authentication methods.
  switch# show aaa authentication

Step 5: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  switch# copy running-config startup-config

This example shows how to configure authentication methods for the console login:
  switch# configure terminal
  switch(config)# aaa authentication login console group radius
  switch(config)# exit
  switch# show aaa authentication
  switch# copy running-config startup-config

Configuring Default Login Authentication Methods
The default method is local.
Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed.

Procedure

Step 1: configure terminal
  Enters global configuration mode.
  switch# configure terminal

Step 2: aaa authentication login default {group group-list [none] | local | none}
  Configures the default authentication methods.
  The group-list argument consists of a space-delimited list of group names. The group names are the following:
  - radius: Uses the global pool of RADIUS servers for authentication.
  - named-group: Uses a named subset of TACACS+ or RADIUS servers for authentication.
  The local method uses the local database for authentication. The none method uses the username only.
  The default login method is local, which is used when no methods are configured or when all of the configured methods do not respond.
  switch(config)# aaa authentication login default {group group-list [none] | local | none}

Step 3: exit
  Exits configuration mode.
  switch(config)# exit

Step 4: show aaa authentication
  (Optional) Displays the configuration of the default login authentication methods.
  switch# show aaa authentication

Step 5: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  switch# copy running-config startup-config
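The guideline above (a default login group silently overriding the console login unless aaa authentication login console local is configured), the caution about all-numeric usernames, and the none method described in the two procedures are all things an operator can check for in a saved running-config before a change window. The following Python script is an added example and not Cisco code; the running-config text it parses is constructed, and the finding names and the remediation wording are this example's own assumptions.

```python
"""Added example: audit an NX-OS running-config for the AAA login pitfalls
described in this guide (console inheriting a default server group, the
'none' method, and all-numeric usernames). Not Cisco code; the config text
below is constructed and the finding names are this example's own."""
import re

# Constructed sample running-config (not captured from a real device).
# It deliberately shows the guideline's pitfall: a default login group is
# configured but no explicit console method, so the console inherits it.
SAMPLE_CONFIG = """\
hostname n3600-edge
username admin password 5 <HASH-PLACEHOLDER> role network-admin
username 12345 password 5 <HASH-PLACEHOLDER> role network-operator
aaa group server tacacs+ TACACS-SERVER-GROUP
  server 192.0.2.10
aaa authentication login default group TACACS-SERVER-GROUP none
"""

LOGIN_RE = re.compile(r"^aaa authentication login (default|console)\s+(.+)$")
USER_RE = re.compile(r"^username (\S+)")


def parse_login_methods(config):
    """Map 'default'/'console' to the method tokens configured for it,
    e.g. ['group', 'TACACS-SERVER-GROUP', 'none'] or ['local']."""
    methods = {}
    for line in config.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            methods[m.group(1)] = m.group(2).split()
    return methods


def audit_aaa(config):
    """Return a list of finding codes, in the order they are detected."""
    findings = []
    methods = parse_login_methods(config)
    # The guide states the login method is local when nothing is configured.
    default = methods.get("default", ["local"])
    console = methods.get("console")

    # Guideline: a default login group also overrides the console login unless
    # 'aaa authentication login console local' is configured explicitly.
    if default[0] == "group" and console is None:
        findings.append("console-inherits-default-group")

    # The 'none' method uses the username only; flag it wherever it appears
    # in a method list (the syntax allows it as a trailing fallback).
    for scope, tokens in methods.items():
        if "none" in tokens:
            findings.append("none-method-" + scope)

    # Caution in the guide: do not create all-numeric usernames.
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m and m.group(1).isdigit():
            findings.append("all-numeric-username:" + m.group(1))
    return findings


def remediation(findings):
    """Suggest what closes each finding; the first item is the exact command
    the guide gives, the rest is advisory wording (this example's own)."""
    fixes = []
    if "console-inherits-default-group" in findings:
        fixes.append("aaa authentication login console local")
    for f in findings:
        if f.startswith("all-numeric-username:"):
            fixes.append("review username %s (all-numeric usernames are not supported)"
                         % f.split(":", 1)[1])
    return fixes


if __name__ == "__main__":
    found = audit_aaa(SAMPLE_CONFIG)
    print("findings:", found)
    print("suggested:", remediation(found))
```

Run it against the output of show running-config saved to a file; the console check only fires when no aaa authentication login console line exists at all, because an explicit console method is an operator decision rather than the silent override the guideline warns about.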

Enabling Login Authentication Failure Messages

When you log in, the login is processed by the local user database if the remote AAA servers do not respond. If you have enabled the displaying of login failure messages, one of the following messages is displayed:
  Remote AAA servers unreachable; local authentication done.
  Remote AAA servers unreachable; local authentication failed.

Procedure

Step 1: configure terminal
  Enters global configuration mode.
  switch# configure terminal

Step 2: aaa authentication login error-enable
  Enables login authentication failure messages. The default is disabled.
  switch(config)# aaa authentication login error-enable

Step 3: exit
  Exits configuration mode.
  switch(config)# exit

Step 4: show aaa authentication
  (Optional) Displays the login failure message configuration.
  switch# show aaa authentication

Step 5: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  switch# copy running-config startup-config

Logging Successful and Failed Login Attempts

You can configure the switch to log all successful and failed login attempts to the configured syslog server.

Procedure

Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal

Step 2: [no] login on-failure log
  Logs all failed authentication messages to the configured syslog server. With this configuration, the following syslog message appears after the failed login:
  AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 172.22.00.00
  Note: When logging level authpriv is 6, additional Linux kernel authentication messages appear along with the previous message. If these additional messages need to be ignored, the authpriv value should be set to 3.
  Example:
  switch(config)# login on-failure log

Step 3: [no] login on-success log
  Logs all successful authentication messages to the configured syslog server. With this configuration, the following syslog message appears after the successful login:
  AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user admin from 172.22.00.00
  Note: When logging level authpriv is 6, additional Linux kernel authentication messages appear along with the previous message.
  Example:
  switch(config)# login on-success log

Step 4: show login on-failure log
  (Optional) Displays whether the switch is configured to log failed authentication messages to the syslog server.
  Example:
  switch(config)# show login on-failure log

Step 5: show login on-successful log
  (Optional) Displays whether the switch is configured to log successful authentication messages to the syslog server.
  Example:
  switch(config)# show login on-successful log

Step 6: copy running-config startup-config
  (Optional) Copies the running configuration to the startup configuration.
  Example:
  switch(config)# copy running-config startup-config
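Once login on-failure log and login on-success log are enabled, the two pam_aaa messages shown above are what arrives at the syslog server, mixed with the other authpriv lines the note mentions. The following Python script is an added example and not Cisco code: it picks out only the two login messages, counts failures per user and source address, and raises an alert on repeated failures and on a success that follows failures from the same user and source. The log lines are constructed (the timestamp and hostname prefix and the addresses are made up), and the alert names and the threshold are this example's own assumptions.

```python
"""Added example: parse the pam_aaa login syslog messages this section shows
and flag repeated failures and a success that follows failures. Not Cisco
code; the log lines below are constructed, and the hostname/timestamp prefix
and the alert names are this example's own assumptions."""
import re
from collections import Counter

# Constructed syslog lines modelled on the message bodies shown in this
# section; the timestamp/hostname prefix and the addresses are made up.
# The third line stands in for the extra authpriv noise the note mentions.
SAMPLE_LOG = """\
2018 Feb 27 10:00:01 n3600 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 203.0.113.7
2018 Feb 27 10:00:04 n3600 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 203.0.113.7
2018 Feb 27 10:00:05 n3600 %AUTHPRIV-6-SYSTEM_MSG: unrelated authpriv noise line (constructed)
2018 Feb 27 10:00:08 n3600 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 203.0.113.7
2018 Feb 27 10:00:15 n3600 %AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user admin from 203.0.113.7
2018 Feb 27 10:02:30 n3600 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user netops from 198.51.100.9
2018 Feb 27 10:03:00 n3600 %AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user netops from 192.0.2.20
"""

# Message bodies exactly as the guide shows them, with user and source captured.
FAIL_RE = re.compile(
    r"AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user (\S+) from (\S+)")
OK_RE = re.compile(
    r"AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success for user (\S+) from (\S+)")


def parse_login_events(text):
    """Return (outcome, user, source) tuples for the two login messages only;
    any other authpriv line (such as the kernel messages the note mentions)
    is skipped."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append(("failed", m.group(1), m.group(2)))
            continue
        m = OK_RE.search(line)
        if m:
            events.append(("success", m.group(1), m.group(2)))
    return events


def detect(events, threshold=3):
    """Count failures per (user, source) and raise two kinds of alert:
    - repeated-failures: the threshold-th failure from one (user, source)
    - success-after-failures: a success from a (user, source) that failed before
    Returns (failure_counter, alerts). Alert names are this example's own."""
    failures = Counter()
    alerts = []
    for outcome, user, src in events:
        key = (user, src)
        if outcome == "failed":
            failures[key] += 1
            if failures[key] == threshold:
                alerts.append("repeated-failures:%s@%s" % key)
        elif failures[key]:  # Counter returns 0 for unseen keys without inserting
            alerts.append("success-after-failures:%s@%s" % key)
    return failures, alerts


if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_LOG)
    counts, found = detect(evts)
    for (user, src), n in counts.items():
        print("%s from %s: %d failed login(s)" % (user, src, n))
    for a in found:
        print("ALERT", a)
```

Feed it the syslog file the server writes for the switch; keying on user and source together means a legitimate user who mistypes once from their own workstation does not trip the same alert as a burst of failures from an unfamiliar address.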

Configuring AAA Command Authorization

When a TACACS+ server authorization method is configured, you can authorize every command that a user executes with the TACACS+ server, which includes all EXEC mode commands and all configuration mode commands.

The authorization methods include the following:
- Group: TACACS+ server group
- Local: Local role-based authorization
- None: No authorization is performed

The default method is Local.

Note: There is no authorization on the console session.

Before You Begin

You must enable TACACS+ before configuring AAA command authorization.

Procedure

Step 1: configure terminal
  Enters global configuration mode.
  Example:
  switch# configure terminal
  switch(config)#

Step 2: aaa authorization {commands | config-commands} {default} {{[group group-name] | [local]} | {[group group-name] | [none]}}
  Configures authorization parameters.
  Use the commands keyword to authorize EXEC mode commands.