AAA Configuration
This section covers the Cisco Nexus 3550-T Programmable Switch Platform's authentication, authorization and accounting (AAA) features.
AAA Methods
AAA features are used for access control by authenticating user identity and authorizing access to the command line and to the API.
Currently the following AAA methods are supported:
- Local user database
- TACACS+ servers
Configure AAA Methods
User Authentication
To specify the list of AAA methods for authenticating logins, use the aaa authentication login default command.
The methods are tried in the order that they appear in the list.
Currently the valid authentication methods are tacacs+, local and none.
For example, to use TACACS+ authentication and fall back to local authentication if the TACACS+ server is not reachable, run the following command:
admin@NX-3550-T(config)# aaa authentication login default tacacs+ local
If the authentication method none is used, you will not be prompted for a password on login.
Note
There must be at least one authentication method.
Command Line and API Authorization
To specify the list of AAA methods for authorizing command line and API access, use the aaa authorization exec default command.
The methods are tried in the order that they appear in the list.
Currently the valid authorization methods are tacacs+, local and none.
For example, to use privilege levels from TACACS+ and fall back to the local user database if the TACACS+ server is not reachable, run the following command:
admin@NX-3550-T(config)# aaa authorization exec default tacacs+ local
If every method in the list has been tried and none of them is available, access is denied. For example, to deny access if the TACACS+ server is not reachable, run the following command:
admin@NX-3550-T(config)# aaa authorization exec default tacacs+
The authorization method none allows full access to the system.
To allow full access to all authenticated users, run the following command:
admin@NX-3550-T(config)# aaa authorization exec default none
Note
There must be at least one authorization method.
Local User Database
By default, the Nexus 3550-T uses a local user database for user authentication and authorization.
The default user admin, with full access, is available on all Nexus 3550-T products.
We recommend changing the default password by using the configure username admin password command.
Create and Remove Users
To create users, use the username command.
For example, to create a new user matt, run the following command:
admin@NX-3550-T(config)# username matt
Created new user "matt"
To remove users, use the no username command, for example:
admin@NX-3550-T(config)# no username matt
Deleted user "matt"
Note
If the admin user does not exist when reloading, it is created and given the default password admin.
Change Passwords
To change a password in the local user database, use the password option of the username command, for example:
admin@NX-3550-T(config)# username admin password
Changing password for user "admin"
New password:
Re-enter new password:
Password changed for user "admin"
TACACS+ Server Configuration
The Nexus 3550-T supports using a TACACS+ server for centralized authentication and authorization.
At a minimum, you must supply one TACACS+ server and its shared key before you can use TACACS+. You can configure any number of TACACS+ servers.
To configure a server, use the tacacs-server host command, for example:
admin@NX-3550-T(config)# tacacs-server host 192.168.220.14 key s3cr3t
To configure the timeout value (in seconds), use the tacacs-server timeout command, for example:
admin@NX-3550-T(config)# tacacs-server timeout 5
To see the current TACACS+ configuration, use the show tacacs-server command, for example:
admin@NX-3550-T# show tacacs-server
timeout in seconds: 5
authentication type: ascii
total number of servers: 1
the following TACACS+ servers are configured:
192.168.220.14:
available on port: 49
TACACS+ shared secret key: s3cr3t
Example TACACS+ Server Configuration
The Nexus 3550-T has been tested with the tac_plus TACACS+ server.
For reference, see the following example tac_plus.conf configuration fragment:
user = admin {
login = cleartext "admin"
service = exec {
priv-lvl = 15
}
}
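The following is an added, fuller tac_plus.conf example that pairs with the switch configuration shown earlier in this section; it is not taken from Cisco or from the tac_plus project. The shared key and the priv-lvl 15 administrator come from this page; the accounting file path, the hashed-password placeholders and the lower-privilege user matt at priv-lvl 1 are assumptions (this page does not state which privilege levels below 15 the switch honours).

```conf
# Shared secret: must match the key given on the switch with
# "tacacs-server host 192.168.220.14 key s3cr3t"
key = "s3cr3t"

# Assumed accounting log location
accounting file = /var/log/tac_plus.acct

# Administrators receive exec access at privilege level 15,
# as in the fragment above
group = admins {
    service = exec {
        priv-lvl = 15
    }
}

# Weak form (as in the fragment above): the password is stored
# in the clear in the server configuration file
# user = admin {
#     login = cleartext "admin"
#     member = admins
# }

# Preferred form: store only a hash generated with the tac_pwd
# utility; the value below is a placeholder, not a real hash
user = admin {
    login = des "<hash from tac_pwd>"
    member = admins
}

# Assumed lower-privilege operator account at privilege level 1
user = matt {
    login = des "<hash from tac_pwd>"
    service = exec {
        priv-lvl = 1
    }
}
```

Restrict read access to tac_plus.conf on the server host, since it holds the shared key that protects the TACACS+ session with the switch.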
This page was last updated on Mar-23-2021.