AAA Configuration

This section covers the authentication, authorization and accounting (AAA) features of the Cisco Nexus 3550-H Hydra (formerly ExaLINK Hydra).

AAA Methods

AAA features are used for access control by authenticating user identity and authorizing access to the command line and to the API.

Currently two AAA methods are supported: the local user database and TACACS+ servers.

Configuring AAA methods

User authentication

The aaa authentication login default command is used to specify the list of AAA methods for authenticating logins. The methods will be tried in the order that they appear in the list. Currently the valid authentication methods are tacacs+, local and none.

For example, to use TACACS+ authentication, and fall back to local authentication if the TACACS+ server is not reachable:

admin@EXALINK-HYDRA(config)# aaa authentication login default tacacs+ local

If the authentication method none is used, the user will not be prompted for a password on login.

Note: There must be at least one authentication method.

Command line and API authorization

The aaa authorization exec default command is used to specify the list of AAA methods for authorizing command line and API access. The methods will be tried in the order that they appear in the list. Currently the valid authorization methods are tacacs+, local and none.

For example, to use privilege levels from TACACS+, and fall back to the local user database if the TACACS+ server is not reachable:

admin@EXALINK-HYDRA(config)# aaa authorization exec default tacacs+ local

If no more methods are available, access will be denied. For example, to deny access if the TACACS+ server is not reachable:

admin@EXALINK-HYDRA(config)# aaa authorization exec default tacacs+

The authorization method none allows full access to the system. To allow full access to all authenticated users:

admin@EXALINK-HYDRA(config)# aaa authorization exec default none

Note: There must be at least one authorization method.
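The method-list behaviour described in the two sections above (methods tried in order, fallback on an unreachable TACACS+ server, denial when the list is exhausted, and none granting access without a password check), worked through as an added Python model. This is illustrative code, not the switch's implementation; it assumes that a reachable method which rejects the credentials ends the evaluation (no fallback), which the page does not state explicitly, and it uses a constructed local user database and a constructed stand-in for a TACACS+ server.

```python
# Added example, not Cisco's code: a model of how an AAA method list such as
# "aaa authentication login default tacacs+ local" is evaluated.
# Assumption (not on the page): a reachable method that rejects the
# credentials ends the list; only an unreachable server falls through.
ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"

# Constructed local user database: user -> (password, privilege level)
LOCAL_DB = {"admin": ("admin", 15), "matt": ("hunter2", 1)}


def local_auth(user, password):
    """The 'local' method: check the local user database."""
    entry = LOCAL_DB.get(user)
    if entry is None or entry[0] != password:
        return REJECT, None
    return ACCEPT, entry[1]


def make_tacacs(reachable, users):
    """Constructed stand-in for a TACACS+ server (e.g. tac_plus).

    `users` mirrors the tac_plus.conf fragment: user -> (password, priv-lvl).
    """
    def auth(user, password):
        if not reachable:          # timeout: the next method is tried
            return UNREACHABLE, None
        entry = users.get(user)
        if entry is None or entry[0] != password:
            return REJECT, None    # server answered: no fallback (assumption)
        return ACCEPT, entry[1]
    return auth


def none_method(user, password):
    """The 'none' method: no password prompt, full access (priv-lvl 15)."""
    return ACCEPT, 15


def run_method_list(methods, user, password, tacacs):
    """Try the methods in order; fall through only on an unreachable method."""
    if not methods:
        raise ValueError("there must be at least one method")
    handlers = {"tacacs+": tacacs, "local": local_auth, "none": none_method}
    for name in methods:
        result, priv = handlers[name](user, password)
        if result != UNREACHABLE:
            return result, priv
    return REJECT, None            # no more methods: access is denied
```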

Local user database

By default, the Nexus 3550-H uses a local user database for user authentication and authorization.

The default user admin, with full access, is available on all Nexus 3550-H products. It is recommended to change the default password using the username admin password command in configure mode.

Creating and removing users

Users are created using the username command. For example, to create a new user matt:

admin@EXALINK-HYDRA(config)# username matt
Created new user "matt"

Users can be removed using the no username command, for example:

admin@EXALINK-HYDRA(config)# no username matt
Deleted user "matt"

Note: If the admin user does not exist when reloading, it will be created and given the default password admin.

Changing Passwords

Passwords in the local user database can be changed using the password option of the username command. For example:

admin@EXALINK-HYDRA(config)# username admin password
Changing password for user "admin"
New password:
Re-enter new password:
Password changed for user "admin"

TACACS+ server configuration

The Nexus 3550-H supports using a TACACS+ server for centralized authentication and authorization.

At minimum, a TACACS+ server and a shared secret key must be supplied before TACACS+ can be used. Any number of TACACS+ servers can be configured.

To configure a server, use the tacacs-server host command, for example:

admin@EXALINK-HYDRA(config)# tacacs-server host 192.168.220.14 key s3cr3t

The timeout value (in seconds) can be configured using the tacacs-server timeout command, for example:

admin@EXALINK-HYDRA(config)# tacacs-server timeout 5

Use the command show tacacs-server to see the current TACACS+ configuration:

admin@EXALINK-HYDRA# show tacacs-server
timeout in seconds: 5
authentication type: ascii
total number of servers: 1

the following TACACS+ servers are configured:
        192.168.220.14:
                available on port: 49
                TACACS+ shared secret key: s3cr3t

Example TACACS+ server configuration

The Nexus 3550-H has been tested with the tac_plus TACACS+ server. For reference, an example tac_plus.conf configuration fragment is shown below:

# Account matching the switch's default admin user
user = admin {
  login = cleartext "admin"
  # Privilege level returned for "aaa authorization exec default tacacs+"
  service = exec {
    priv-lvl = 15
  }
}

This page was last updated on Feb-18-2021.