Cisco Nexus 5000 Series CLI Configuration Manual, page 230

Chapter 1      Configuring AAA
Send feedback to nx5000-docfeedback@cisco.com

implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

    protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, separator is an equal sign (=) for mandatory attributes, and an asterisk (*) indicates optional attributes.

When you use RADIUS servers for authentication on a Nexus 5000 Series switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

VSA Format

The following VSA protocol options are supported by the Nexus 5000 Series switches:

• Shell—Used in access-accept packets to provide user profile information.
• Accounting—Used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.

The following attributes are supported by the Nexus 5000 Series switches:

• roles—Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space.
• accountinginfo—Stores additional accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.

Specifying Nexus 5000 Series switch User Roles and SNMPv3 Parameters on AAA Servers

You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Nexus 5000 Series switch using this format:

    shell:roles="roleA roleB ..."

If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.

You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:

    shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 and DES are the default authentication protocols.

For more information on user roles, see Chapter 1, "Configuring User Accounts and RBAC."
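The av-pair format and the defaults described above, as an added Python example that is not Cisco's code and not part of the guide: it parses a cisco-av-pair string the way the page describes, distinguishing mandatory (=) from optional (*) attributes and honouring double-quoted values, then derives the role list and SNMPv3 settings the switch would end up with, applying the documented defaults (network-operator, MD5, DES) and rejecting SNMPv3 values outside the documented options. The sample strings are constructed. Two rules are assumptions of this example rather than statements from the guide: a token without a protocol prefix (such as priv=AES-128 after snmpv3:auth=SHA) is taken to belong to the preceding protocol, and an unrecognised attribute marked mandatory fails the authorization instead of being silently dropped. An operator auditing what a RADIUS server hands back can run the returned attribute through this to see the authorization the switch would derive.

```python
"""Parse a cisco-av-pair VSA string and derive the switch-side authorization.

Added example, not Cisco code. Format handled (from the guide):
    protocol : attribute separator value
where "=" marks a mandatory attribute, "*" an optional one, tokens are
white-space separated, and a value containing white space is double-quoted.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field
from typing import Optional

# Defaults stated in the guide: no roles option -> network-operator;
# no snmpv3 options -> MD5 authentication and DES privacy.
DEFAULT_ROLE = "network-operator"
DEFAULT_SNMP_AUTH = "MD5"
DEFAULT_SNMP_PRIV = "DES"
SNMP_AUTH_OPTIONS = {"SHA", "MD5"}
SNMP_PRIV_OPTIONS = {"AES-128", "DES"}


@dataclass
class AvPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool  # True for "=", False for "*"


@dataclass
class Authorization:
    roles: list[str]
    snmp_auth: str
    snmp_priv: str
    accounting_info: Optional[str] = None
    ignored: list[AvPair] = field(default_factory=list)  # optional attrs we do not know


def parse_av_pairs(raw: str) -> list[AvPair]:
    """Split one cisco-av-pair value into protocol/attribute/value triples."""
    pairs: list[AvPair] = []
    protocol: Optional[str] = None
    for token in shlex.split(raw):  # shlex strips the double quotes around values
        # The first "=" or "*" is the separator; a value may itself contain either.
        sep_pos = min((i for i, ch in enumerate(token) if ch in "=*"), default=-1)
        if sep_pos <= 0:
            raise ValueError(f"malformed av-pair token: {token!r}")
        left, sep, value = token[:sep_pos], token[sep_pos], token[sep_pos + 1:]
        if ":" in left:
            protocol, attribute = left.split(":", 1)
        else:
            # Assumption for this example: "priv=AES-128" following
            # "snmpv3:auth=SHA" inherits the snmpv3 protocol prefix.
            attribute = left
        if not protocol or not attribute:
            raise ValueError(f"attribute without protocol prefix: {token!r}")
        pairs.append(AvPair(protocol, attribute, value, mandatory=(sep == "=")))
    return pairs


def authorize(raw: str) -> Authorization:
    """Apply the guide's defaults and option lists to a parsed av-pair string."""
    result = Authorization([DEFAULT_ROLE], DEFAULT_SNMP_AUTH, DEFAULT_SNMP_PRIV)
    for pair in parse_av_pairs(raw):
        key = (pair.protocol, pair.attribute)
        if key == ("shell", "roles"):
            roles = pair.value.split()  # role names delimited by white space
            if not roles:
                raise ValueError("shell:roles is present but empty")
            result.roles = roles
        elif key == ("snmpv3", "auth"):
            if pair.value not in SNMP_AUTH_OPTIONS:
                raise ValueError(f"unsupported SNMPv3 auth protocol {pair.value!r}")
            result.snmp_auth = pair.value
        elif key == ("snmpv3", "priv"):
            if pair.value not in SNMP_PRIV_OPTIONS:
                raise ValueError(f"unsupported SNMPv3 privacy protocol {pair.value!r}")
            result.snmp_priv = pair.value
        elif key == ("accounting", "accountinginfo"):
            result.accounting_info = pair.value
        elif pair.mandatory:
            # Assumption for this example, not a statement from the guide: a
            # mandatory ("=") attribute we cannot interpret fails the whole
            # authorization instead of being silently dropped.
            raise ValueError(f"unrecognised mandatory attribute {pair.protocol}:{pair.attribute}")
        else:
            result.ignored.append(pair)  # unknown optional ("*") attributes are skipped
    return result


if __name__ == "__main__":
    # Constructed sample replies, shaped like the guide's examples.
    for sample in (
        'shell:roles="network-admin network-operator" snmpv3:auth=SHA priv=AES-128',
        "",  # no cisco-av-pair at all: every default applies
        'shell:roles="network-operator" shell:foo*bar',  # unknown optional attribute
    ):
        print(repr(sample), "->", authorize(sample))
```

The check that matters most in practice is the empty case: a server that returns no cisco-av-pair, or one whose roles value is misspelled in a way the switch cannot match, silently lands the user in network-operator, so the derived role list is worth confirming whenever a RADIUS profile is changed.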
Cisco Nexus 5000 Series Switch CLI Software Configuration Guide
OL-16597-01                                                    1-12