Using AAA Server VSAs; About VSAs; VSA Format - Cisco Nexus 5000 Series Configuration Manual

NX-OS Security Configuration Guide

| | Command or Action | Purpose |
| --- | --- | --- |
| | | The default method is local, which is used when no server groups are configured or when all the configured server groups do not respond. |
| Step 3 | switch(config)# exit | Exits configuration mode. |
| Step 4 | switch# show aaa accounting | (Optional) Displays the configuration AAA accounting default methods. |
| Step 5 | switch# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration. |

Using AAA Server VSAs

About VSAs

You can use vendor-specific attributes (VSAs) to specify the Cisco Nexus 5000 Series user roles and SNMPv3 parameters on AAA servers.

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

Here, protocol is a Cisco attribute for a particular type of authorization, and separator is an equal sign (=) for mandatory attributes or an asterisk (*) for optional attributes.

When you use RADIUS servers for authentication on a Nexus 5000 Series switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

VSA Format

The following VSA protocol options are supported by the Cisco Nexus 5000 Series switches:
• Shell—Used in access-accept packets to provide user profile information.
• Accounting—Used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.

The following attributes are supported by the Cisco Nexus 5000 Series switches:
• roles—Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space.
• accountinginfo—Stores additional accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.
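The attribute 26 framing and cisco-av-pair string described above, as an added Python example (not Cisco's code and not part of the original guide) that encodes a VSA and parses it back, which helps when checking which roles a RADIUS server actually returns. The byte layout follows RFC 2865, which the page does not spell out; the function names and the sample role list are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute 26 (from the page)
CISCO_VENDOR_ID = 9    # Cisco vendor ID (from the page)
CISCO_AV_PAIR = 1      # vendor type 1, cisco-av-pair (from the page)

def build_vsa(av_pair: str) -> bytes:
    """Encode a cisco-av-pair string as attribute 26 (RFC 2865 layout, assumed)."""
    data = av_pair.encode("ascii")
    if len(data) > 247:  # the outer length octet cannot exceed 255
        raise ValueError("cisco-av-pair too long for one attribute")
    sub = bytes([CISCO_AV_PAIR, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", CISCO_VENDOR_ID) + sub

def parse_av_pair(text: str) -> dict:
    """Split 'protocol:attribute<sep>value' where sep is '=' or '*'."""
    protocol, colon, rest = text.partition(":")
    found = [i for i in (rest.find("="), rest.find("*")) if i != -1]
    if not colon or not found:
        raise ValueError(f"not a cisco-av-pair: {text!r}")
    pos = min(found)
    value = rest[pos + 1:].strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # values containing white space are double-quoted
    pair = {"protocol": protocol.strip(), "attribute": rest[:pos].strip(),
            "mandatory": rest[pos] == "=", "value": value}
    if pair["attribute"] == "roles":
        pair["roles"] = value.split()  # role names are delimited by white space
    return pair

def parse_vsa(raw: bytes) -> dict:
    """Validate the attribute 26 framing, then parse the embedded string."""
    if len(raw) < 8 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("malformed vendor-specific attribute")
    (vendor_id,) = struct.unpack("!I", raw[2:6])
    if vendor_id != CISCO_VENDOR_ID or raw[6] != CISCO_AV_PAIR:
        raise ValueError("not a Cisco cisco-av-pair VSA")
    if raw[7] != len(raw) - 6:
        raise ValueError("vendor length does not match attribute length")
    return parse_av_pair(raw[8:].decode("ascii"))

# Constructed sample; "custom-role-1" is a made-up role name.
SAMPLE = build_vsa('shell:roles="network-operator custom-role-1"')

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_vsa(SAMPLE))
```

The `mandatory` flag records which separator the server sent, so the same parser can be run over captured Access-Accept attributes to list every role grant and whether it was marked optional.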
OL-20919-01
