AAA Configuration

This section covers the Cisco Nexus 3550-T Programmable Switch Platform's authentication, authorization and accounting (AAA) features.

AAA Methods

AAA features are used for access control by authenticating user identity and authorizing access to the command line and to the API.

Currently the following AAA methods are supported:

  • Local user database
  • TACACS+ servers

Configure AAA Methods

User Authentication

To specify the list of AAA methods for authenticating logins, use the aaa authentication login default command. The methods are tried in the order that they appear in the list. Currently the valid authentication methods are tacacs+, local and none.

For example, to use TACACS+ authentication, and fall back to local authentication if the TACACS+ server is not reachable, run the following command:

admin@NX-3550-T(config)# aaa authentication login default tacacs+ local

If the authentication method none is used, you will not be prompted for a password on login.

Note

There must be at least one authentication method.

Command Line and API Authorization

To specify the list of AAA methods for authorizing command line and API access, use the aaa authorization exec default command. The methods are tried in the order that they appear in the list. Currently the valid authorization methods are tacacs+, local and none.

For example, to use privilege levels from TACACS+, and fall back to the local user database if the TACACS+ server is not reachable, run the following command:

admin@NX-3550-T(config)# aaa authorization exec default tacacs+ local

If no more methods are available, access is denied. For example, to deny access if the TACACS+ server is not reachable, run the following command:

admin@NX-3550-T(config)# aaa authorization exec default tacacs+

The authorization method none allows full access to the system. To allow full access to all authenticated users, run the following command:

admin@NX-3550-T(config)# aaa authorization exec default none

Note

There must be at least one authorization method.
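The two method lists above share one evaluation rule: methods are tried in order, the next method is consulted only when the TACACS+ server is not reachable, none grants access outright, and an exhausted list denies access. The following Python model, added here for illustration and not the Nexus 3550-T software, encodes exactly those statements for both the login and the exec lists so the difference between "tacacs+ local" and "tacacs+" can be seen side by side. The local user database, the TACACS+ reply labels and the treatment of an explicit server reject as final (rather than falling through) are this model's own assumptions.

```python
# Added model of how an AAA method list is walked, written for this page.
# It is not the Nexus 3550-T implementation; it encodes only what the section
# states: methods are tried in order, the next method is tried when the TACACS+
# server is not reachable, "none" grants access (no password / full privilege),
# and access is denied when no methods are left.
from dataclasses import dataclass
from typing import Optional

VALID_METHODS = ("tacacs+", "local", "none")

# Possible replies from the TACACS+ server for one request (constructed labels).
TACACS_ACCEPT = "accept"
TACACS_REJECT = "reject"
TACACS_UNREACHABLE = "unreachable"

# Constructed local user database: password and privilege level per user.
LOCAL_USERS = {
    "admin": {"password": "admin", "priv": 15},
    "matt": {"password": "m4tt-pw", "priv": 1},
}


@dataclass
class Outcome:
    granted: bool
    method: Optional[str]  # method that decided, or None when the list was exhausted
    reason: str


def validate_method_list(methods):
    """Mirror the page's Note: a list must contain at least one valid method."""
    if not methods:
        raise ValueError("there must be at least one method")
    for m in methods:
        if m not in VALID_METHODS:
            raise ValueError(f"unknown method {m!r}; valid: {VALID_METHODS}")
    return list(methods)


def authenticate(methods, user, password, tacacs_reply):
    """Evaluate 'aaa authentication login default <methods>'."""
    for m in validate_method_list(methods):
        if m == "none":
            return Outcome(True, m, "no password prompt")
        if m == "local":
            entry = LOCAL_USERS.get(user)
            ok = entry is not None and entry["password"] == password
            return Outcome(ok, m, "local user database")
        # tacacs+: only an unreachable server moves on to the next method.
        # A reject is treated as final; that is this model's assumption.
        if tacacs_reply == TACACS_UNREACHABLE:
            continue
        return Outcome(tacacs_reply == TACACS_ACCEPT, m, f"TACACS+ replied {tacacs_reply}")
    return Outcome(False, None, "no more methods available")


def authorize(methods, user, tacacs_reply, tacacs_priv_lvl=None):
    """Evaluate 'aaa authorization exec default <methods>'.

    Returns the granted privilege level, or None when access is denied."""
    for m in validate_method_list(methods):
        if m == "none":
            return 15  # page: 'none' allows full access to the system
        if m == "local":
            entry = LOCAL_USERS.get(user)
            return entry["priv"] if entry else None
        if tacacs_reply == TACACS_UNREACHABLE:
            continue  # fall back to the next configured method
        return tacacs_priv_lvl if tacacs_reply == TACACS_ACCEPT else None
    return None  # page: if no more methods are available, access is denied


if __name__ == "__main__":
    cases = [
        (["tacacs+", "local"], TACACS_UNREACHABLE),
        (["tacacs+", "local"], TACACS_REJECT),
        (["tacacs+"], TACACS_UNREACHABLE),
        (["none"], TACACS_UNREACHABLE),
    ]
    for methods, reply in cases:
        a = authenticate(methods, "admin", "admin", reply)
        p = authorize(methods, "admin", reply, tacacs_priv_lvl=15)
        print(f"{' '.join(methods):14} server={reply:12} login={a.granted!s:5} "
              f"via={a.method} priv={p}")
```

Running the script shows the operational consequence of each list: "tacacs+ local" keeps local credentials usable during a server outage, "tacacs+" alone locks everyone out during the same outage, and "none" removes the check entirely.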

Local User Database

By default, the Nexus 3550-T uses a local user database for user authentication and authorization.

The default user admin, with full access, is available on all Nexus 3550-T products. We recommend changing the default password with the username admin password command in configure mode.

Create and Remove Users

To create users, use the username command. For example, to create a new user matt, run the following command:

admin@NX-3550-T(config)# username matt
Created new user "matt"

To remove users, use the no username command, for example:

admin@NX-3550-T(config)# no username matt
Deleted user "matt"

Note

If the admin user does not exist when the switch reloads, it is re-created and given the default password admin.

Change Passwords

To change the passwords in the local user database, use the password command, for example:

admin@NX-3550-T(config)# username admin password
Changing password for user "admin"
New password:
Re-enter new password:
Password changed for user "admin"

TACACS+ Server Configuration

The Nexus 3550-T supports using a TACACS+ server for centralized authentication and authorization.

At a minimum, you must configure one TACACS+ server and its shared secret key before you can use TACACS+. You can configure any number of TACACS+ servers.

To configure a server, use the tacacs-server host command, for example:

admin@NX-3550-T(config)# tacacs-server host 192.168.220.14 key s3cr3t

To configure the timeout value (in seconds) use the tacacs-server timeout command, for example:

admin@NX-3550-T(config)# tacacs-server timeout 5

To see the current TACACS+ configuration, use the show tacacs-server command, for example:

admin@NX-3550-T# show tacacs-server
timeout in seconds: 5
authentication type: ascii
total number of servers: 1

the following TACACS+ servers are configured:
        192.168.220.14:
                available on port: 49
                TACACS+ shared secret key: s3cr3t

Example TACACS+ Server Configuration

The Nexus 3550-T has been tested with the tac_plus TACACS+ server. For reference, see the following example tac_plus.conf configuration fragment:

user = admin {
  login = cleartext "admin"
  service = exec {
    priv-lvl = 15
  }
}
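The fragment above stores the admin password as cleartext and grants priv-lvl 15, which is exactly what a reviewer of a tac_plus.conf wants to spot quickly. The following Python reader, added here and not part of tac_plus or of the Nexus 3550-T, parses the brace syntax used in that fragment and reports cleartext logins, full-privilege users and the server-side shared secret. The sample configuration is constructed for this example; the top-level key directive (the secret that must match the key given to tacacs-server host on the switch) and the des login type are tac_plus features not shown on this page and are assumed here. Since show tacacs-server on the switch prints the same secret in cleartext, both the switch configuration and tac_plus.conf should be handled as secrets.

```python
# Added example: a small reader for the tac_plus.conf brace syntax shown above,
# used to review which users carry cleartext passwords and which get priv-lvl 15.
# Written for this page; it is not part of tac_plus or of the Nexus 3550-T.
import re

# Tokens: quoted strings, '#' comments (dropped), the structural characters
# { } =, or bare words such as priv-lvl.
TOKEN = re.compile(r'"[^"]*"|#[^\n]*|[{}=]|[^\s{}="#]+')

# Constructed sample modelled on the page's fragment, plus a second user and a
# top-level 'key' (tac_plus's shared secret, assumed; must match the switch).
SAMPLE_CONF = '''
# constructed tac_plus.conf for this example
key = "s3cr3t"
user = admin {
  login = cleartext "admin"
  service = exec {
    priv-lvl = 15
  }
}
user = matt {
  login = des "aBcDEfGhIjKlm"   # crypt-style hash (assumed), not a cleartext password
  service = exec {
    priv-lvl = 1
  }
}
'''


def tokenize(text):
    return [t for t in TOKEN.findall(text) if not t.startswith("#")]


def parse_block(toks, i=0):
    """Parse 'name = value... [{ ... }]' entries until '}' or end of input.
    Returns (entries, next index); each entry is (name, [values], [children])."""
    entries = []
    while i < len(toks) and toks[i] != "}":
        name = toks[i]
        if i + 1 >= len(toks) or toks[i + 1] != "=":
            raise ValueError(f"expected '=' after {name!r}")
        i += 2
        values = []
        # Value words run until a brace or until the next 'name =' pair.
        while (i < len(toks) and toks[i] not in ("{", "}")
               and not (i + 1 < len(toks) and toks[i + 1] == "=")):
            values.append(toks[i].strip('"'))
            i += 1
        children = []
        if i < len(toks) and toks[i] == "{":
            children, i = parse_block(toks, i + 1)
            if i >= len(toks) or toks[i] != "}":
                raise ValueError(f"missing '}}' for {name} = {' '.join(values)}")
            i += 1
        entries.append((name, values, children))
    return entries, i


def parse_conf(text):
    toks = tokenize(text)
    entries, i = parse_block(toks)
    if i != len(toks):
        raise ValueError("unexpected '}' at top level")
    return entries


def shared_key(entries):
    """Top-level 'key = "..."', the secret shared with the switch, or None."""
    return next((v[0] for n, v, _ in entries if n == "key" and v), None)


def audit_users(entries):
    """Summarise each 'user' block: login method, exec priv-lvl, cleartext flag."""
    report = []
    for name, values, children in entries:
        if name != "user" or not values:
            continue
        login = next((v for n, v, _ in children if n == "login"), [])
        priv = None
        for n, v, kids in children:
            if n == "service" and v == ["exec"]:
                for kn, kv, _ in kids:
                    if kn == "priv-lvl" and kv:
                        priv = int(kv[0])
        report.append({"user": values[0], "login": login[0] if login else None,
                       "priv_lvl": priv,
                       "cleartext": bool(login) and login[0] == "cleartext"})
    return report


def findings(text):
    """Lines a reviewer would raise: missing key, cleartext secrets, full-privilege users."""
    entries = parse_conf(text)
    out = []
    if shared_key(entries) is None:
        out.append("no top-level key: the switch cannot authenticate to this server")
    for u in audit_users(entries):
        if u["cleartext"]:
            out.append(f"user {u['user']}: password stored as cleartext in tac_plus.conf")
        if u["priv_lvl"] == 15:
            out.append(f"user {u['user']}: full access (priv-lvl 15)")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_CONF):
        print(line)
```

Point findings() at a real tac_plus.conf (for example, open(path).read()) to get the same two-line style of report; users whose login line is absent entirely are reported with login None, which is also worth a look.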

This page was last updated on Mar-23-2021.