Prerequisites for AAA
Remote AAA servers have the following prerequisites:
• Ensure that at least one RADIUS, TACACS+, or LDAP server is reachable through IP.
• Ensure that the Cisco NX-OS device is configured as a client of the AAA servers.
• Ensure that the secret key is configured on the Cisco NX-OS device and the remote AAA servers.
• Ensure that the remote server responds to AAA requests from the Cisco NX-OS device.
Guidelines and Limitations for AAA
AAA has the following guidelines and limitations:
• If you have a user account configured on the local Cisco NX-OS device that has the same name as a
remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local
user account to the remote user, not the user roles configured on the AAA server.
• Cisco Nexus 9000 Series switches support the aaa authentication login ascii-authentication command
only for TACACS+ (and not for RADIUS).
• If you modify the default login authentication method (without using the local keyword), the configuration
overrides the console login authentication method. To explicitly configure the console authentication
method, use the aaa authentication login console {group group-list [none] | local | none} command.
• The login block-for and login quiet-mode configuration mode commands are renamed to system login
block-for and system login quiet-mode, respectively.
Default Settings for AAA
This table lists the default settings for AAA parameters.
Table 4: Default AAA Parameter Settings
DefaultParameters
localConsole authentication method
localDefault authentication method
DisabledLogin authentication failure messages
DisabledCHAP authentication
DisabledMSCHAP authentication
localDefault accounting method
250 KBAccounting log display length
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
14
Configuring AAA
Prerequisites for AAA
To Next Page
Loading...
