AES Password Encryption and Master Encryption Keys; Licensing Requirements for AAA - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x

Configuring AAA
• When you log in to the required Cisco NX-OS device, you can use the Telnet, SSH, or console login options.
• When you have configured the AAA server groups using the server group authentication method, the Cisco NX-OS device sends an authentication request to the first AAA server in the group as follows:
    • If the AAA server fails to respond, the next AAA server is tried and so on until the remote server responds to the authentication request.
    • If all AAA servers in the server group fail to respond, the servers in the next server group are tried.
    • If all configured methods fail, the local database is used for authentication, unless fallback to local is disabled for the console login.
• If the Cisco NX-OS device successfully authenticates you through a remote AAA server, then the following possibilities apply:
    • If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
    • If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
• If your username and password are successfully authenticated locally, the Cisco NX-OS device logs you in and assigns you the roles configured in the local database.

Note
"No more server groups left" means that there is no response from any server in all server groups. "No more servers left" means that there is no response from any server within this server group.

AES Password Encryption and Master Encryption Keys

You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type-6 encryption. To start using type-6 encryption, you must enable the AES password encryption feature and configure a master encryption key, which is used to encrypt and decrypt passwords.

After you enable AES password encryption and configure a master key, all existing and newly created clear-text passwords for supported applications (currently RADIUS and TACACS+) are stored in type-6 encrypted format, unless you disable type-6 password encryption. You can also configure Cisco NX-OS to convert all existing weakly encrypted passwords to type-6 encrypted passwords.

Licensing Requirements for AAA

The following table shows the licensing requirements for this feature:

Product: Cisco NX-OS
License Requirement: AAA requires no license. Any feature not included in a license package is bundled with the nx-os image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
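
The lookup order in the list under Configuring AAA, modelled as an added Python example (not Cisco code and not part of the original guide). Group names, server names and replies are constructed, the group-name prefix on the log messages is illustrative, and treating a reject as a response that ends the search is this example's reading of "until the remote server responds".

```python
from dataclasses import dataclass, field

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"

# Where the user roles come from, per the list under Configuring AAA.
ROLE_SOURCE = {
    "radius": "cisco-av-pair attribute in the authentication response",
    "tacacs+": "second request to the same server (shell custom attributes)",
    "local": "roles configured in the local database",
}

@dataclass
class Outcome:
    decision: str            # ACCEPT or REJECT
    source: str              # answering server, "local", or "none"
    roles_from: str = ""     # empty when the login is rejected
    log: list = field(default_factory=list)

def login(groups, replies, local_ok, console=False, console_local_fallback=True):
    """Walk the server groups in order, then fall back to the local database.
    groups:  ordered list of (group_name, protocol, [server, ...])
    replies: server -> ACCEPT | REJECT | NO_RESPONSE (constructed input)
    """
    log = []
    for name, protocol, servers in groups:
        for server in servers:
            reply = replies.get(server, NO_RESPONSE)
            if reply == NO_RESPONSE:
                continue  # silent server: try the next one in this group
            # Assumption: any response, accept or reject, ends the search.
            roles = ROLE_SOURCE[protocol] if reply == ACCEPT else ""
            return Outcome(reply, server, roles, log)
        log.append(f"{name}: No more servers left")
    log.append("No more server groups left")
    if console and not console_local_fallback:
        return Outcome(REJECT, "none", "", log)  # fallback to local disabled
    if local_ok:
        return Outcome(ACCEPT, "local", ROLE_SOURCE["local"], log)
    return Outcome(REJECT, "local", "", log)

# Constructed topology: one RADIUS group, then one TACACS+ group.
GROUPS = [("RadGroup", "radius", ["rad1", "rad2"]),
          ("TacGroup", "tacacs+", ["tac1"])]

if __name__ == "__main__":
    print(login(GROUPS, {"rad2": REJECT}, local_ok=True))
    print(login(GROUPS, {}, local_ok=True))
    print(login(GROUPS, {}, local_ok=True, console=True,
                console_local_fallback=False))
```

In the first call the reject from rad2 ends the login even though the local database would have accepted the same credentials; only the all-silent cases reach the local database or the disabled console fallback.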