Prerequisites for AAA
Remote AAA servers have the following prerequisites:
• Ensure that at least one RADIUS, TACACS+, or LDAP server is reachable through IP.
• Ensure that the Cisco NX-OS device is configured as a client of the AAA servers.
• Ensure that the secret key is configured on the Cisco NX-OS device and the remote AAA servers.
• Ensure that the remote server responds to AAA requests from the Cisco NX-OS device.
Guidelines and Limitations for AAA
AAA has the following guidelines and limitations:
• If you have a user account configured on the local Cisco NX-OS device that has the same name as a
remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local
user account to the remote user, not the user roles configured on the AAA server.
• Cisco Nexus 9000 Series switches support the aaa authentication login ascii-authentication command
only for TACACS+ (and not for RADIUS).
• If you modify the default login authentication method (without using the local keyword), the configuration
overrides the console login authentication method. To explicitly configure the console authentication
method, use the aaa authentication login console {group group-list [none] | local | none} command.
• The login block-for and login quiet-mode configuration mode commands are renamed to system login
block-for and system login quiet-mode, respectively.
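An added example (not from the Cisco guide): a Python check over a saved running-config that flags two of the guidelines above, namely a default login method changed without the local keyword while no explicit console method is set, and local usernames that shadow remote accounts. The config excerpt, the group name TacServers, the usernames, and the function audit_aaa are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from a real device); the group name
# "TacServers" and the usernames are hypothetical.
SAMPLE_CONFIG = """\
username admin password 5 $5$constructed role network-admin
username jdoe password 5 $5$constructed role network-operator
aaa group server tacacs+ TacServers
aaa authentication login default group TacServers
"""

DEFAULT_RE = re.compile(r"^aaa authentication login default\s+(.+)$")
CONSOLE_RE = re.compile(r"^aaa authentication login console\s+(.+)$")
USER_RE = re.compile(r"^username\s+(\S+)\b.*?\brole\s+(\S+)")


def audit_aaa(config, remote_users=()):
    """Return findings for the console-override and local-role guidelines.

    remote_users: account names known to exist on the AAA server
    (supplied by the operator; this script does not query the server).
    """
    default = console = None
    local_roles = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := DEFAULT_RE.match(line):
            default = m.group(1).split()
        elif m := CONSOLE_RE.match(line):
            console = m.group(1).split()
        elif m := USER_RE.match(line):
            local_roles.setdefault(m.group(1), []).append(m.group(2))

    findings = []
    # Default login changed without "local" and no explicit console method:
    # the console login method follows the modified default.
    if default and "local" not in default and console is None:
        findings.append(("console-inherits-default", " ".join(default)))
    # Same name locally and remotely: the local account's roles are applied.
    for name in sorted(set(remote_users) & set(local_roles)):
        findings.append(
            ("local-roles-override-remote", name, tuple(local_roles[name]))
        )
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG, remote_users=["jdoe", "alice"]):
        print(finding)
```

Adding an explicit aaa authentication login console line to the configuration clears the first finding.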
Default Settings for AAA
This table lists the default settings for AAA parameters.
Table 4: Default AAA Parameter Settings

Parameters                               Default
---------------------------------------  --------
Console authentication method            local
Default authentication method            local
Login authentication failure messages    Disabled
CHAP authentication                      Disabled
MSCHAP authentication                    Disabled
Default accounting method                local
Accounting log display length            250 KB
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x