AAA: Authentication, Authorization, and Accounting

Difference between Authentication (AuthC) and Authorization (AuthZ):
- AuthC tells the server who I am, e.g. Rick McGee.
- AuthZ: the server tells me what I'm allowed to do, e.g. make a change to an interface = Yes/No.

Where users come from:
- Local users with Role Based Access Control (RBAC)
- RADIUS users (TACACS+ can be used as well)

On a N7K, network-admin assumes the vdc-admin role upon a "switchto" to a different VDC; likewise network-operator becomes vdc-operator.
If you happen to lock yourself out of another VDC, you can always log into the default VDC to change that password (like a backdoor).

RBAC
- Uses multi-level access for local users.
- Limits the commands that can be run by a user in NX-OS.
- Can be handed down from RADIUS.
- Can limit the domain in which a user can make changes, e.g. only within specific VRFs, only within specific VLANs, or only within specific interfaces.

SNMPv3
- Same as SNMPv2, except for the addition of cryptographic security.
- SNMPv1 and v2 only used a simple clear-text password (the community string).
- An SNMPv3 message contains security parameters, which are encoded as an octet string.
- Confidentiality: encryption of packets.
- Integrity: message integrity, to ensure that a packet has not been tampered with in transit.
- Authentication: who is making the request/response.

Checking users and roles:
  sh run | in user

Configuration:
  username xxxxxxx password xxxxxxx role vdc-operator
  show role

You also have priv-0 to priv-15, just like in IOS.
You can also create your own role with "role name XXXXX". You can get very granular with this: the following attributes can be configured as rules under the role command syntax (config-role). You can create 256 rules per role.

Assign the role to the user Contractor:
  username Contractor password cisco role SHOW-INT

RADIUS configuration:
  conf t
  radius-server host 192.168.0.xxx key cisco123
  aaa group server radius ISE          (this will put you in the (config-radius) prompt)
    server 192.168.0.xxx
    use-vrf management
    exit
  aaa authentication login default group ISE
  aaa authentication login default fallback error local    (local DB on switch)

SNMPv3 configuration:
  snmp-server host x.x.x.x version 3 ?
  this can be:
    auth    Use the SNMPv3 authNoPriv Security Level
    noauth  Use the SNMPv3 noAuthNoPriv Security level
    priv    Use the SNMPv3 AuthPriv Security level
  snmp-server user xxxx auth md5 cisco priv cisco
  snmp-server host x.x.x.x use-vrf management
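The AAA, RBAC and SNMPv3 settings above are the ones worth auditing on a running switch. The following is an added example (not from the original notes or from Cisco) that scans constructed NX-OS running-config text for the weak patterns the notes warn about: a remote login group with no local fallback, clear-text SNMP community strings, SNMPv3 trap hosts below the priv level, and local users holding network-admin. Addresses, user names and keys in the sample are placeholders.

```python
import re

# Constructed sample of NX-OS running-config lines using the commands
# discussed above (addresses, names and secrets are placeholders).
SAMPLE_CONFIG = """\
username admin password 5 PLACEHOLDER_HASH role network-admin
username Contractor password 5 PLACEHOLDER_HASH role SHOW-INT
username helpdesk password 5 PLACEHOLDER_HASH role vdc-operator
radius-server host 192.168.0.10 key 7 PLACEHOLDER_KEY
aaa group server radius ISE
  server 192.168.0.10
  use-vrf management
aaa authentication login default group ISE
snmp-server community public group network-operator
snmp-server user monitor auth md5 PLACEHOLDER priv PLACEHOLDER
snmp-server host 192.168.0.20 traps version 3 noauth monitor
snmp-server host 192.168.0.21 traps version 3 priv monitor
"""


def audit_nxos_aaa(config: str) -> list:
    """Return human-readable findings for weak AAA, RBAC and SNMP settings."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]
    # 1. Remote AAA without "fallback error local": a RADIUS outage locks admins out.
    uses_remote = any(l.startswith("aaa authentication login default group") for l in lines)
    has_fallback = any("aaa authentication login default fallback error local" in l for l in lines)
    if uses_remote and not has_fallback:
        findings.append("AAA: remote login group configured without 'fallback error local'")
    # 2. SNMPv1/v2c community strings are clear-text passwords on the wire.
    for l in lines:
        if l.startswith("snmp-server community"):
            findings.append(f"SNMP: clear-text community string configured: {l.split()[2]}")
    # 3. SNMPv3 hosts at noauth or auth level lose encryption (and, for noauth, integrity).
    for l in lines:
        m = re.match(r"snmp-server host (\S+) .*version 3 (noauth|auth|priv)", l)
        if m and m.group(2) != "priv":
            findings.append(f"SNMPv3: host {m.group(1)} uses level {m.group(2)}, expected priv")
    # 4. RBAC: list every local user holding the full network-admin role.
    for l in lines:
        m = re.match(r"username (\S+) .*role network-admin$", l)
        if m:
            findings.append(f"RBAC: local user {m.group(1)} holds network-admin")
    return findings


if __name__ == "__main__":
    for finding in audit_nxos_aaa(SAMPLE_CONFIG):
        print(finding)
```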