Cisco MDS 9000 Series Configuration Manual page 81

Security

Configuring Security Features on an External AAA Server
protocol : attribute separator value *

Where protocol is a Cisco attribute for a particular type of authorization, separator is = (equal sign) for mandatory attributes, and * (asterisk) is for optional attributes.

When you use RADIUS servers to authenticate yourself to a Cisco MDS 9000 Family switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

VSA Format

The following VSA protocol options are supported by the Cisco NX-OS software:

• Shell protocol—Used in Access-Accept packets to provide user profile information.
• Accounting protocol—Used in Accounting-Request packets. If a value contains any white spaces, it should be put within double quotation marks.

The following attributes are supported by the Cisco NX-OS software:

• roles—This attribute lists all the roles to which the user belongs. The value field is a string storing the list of group names delimited by white space. For example, if you belong to roles vsan-admin and storage-admin, the value field would be "vsan-admin storage-admin". This subattribute is sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be used with the shell protocol value. These are two examples using the roles attribute:

shell:roles="network-admin vsan-admin"
shell:roles*"network-admin vsan-admin"

When a VSA is specified as shell:roles*"network-admin vsan-admin", this VSA is flagged as an optional attribute, and other Cisco devices ignore this attribute.

• accountinginfo—This attribute stores additional accounting information besides the attributes covered by a standard RADIUS accounting protocol. This attribute is only sent in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.

Specifying SNMPv3 on AAA Servers

The vendor/custom attribute cisco-av-pair can be used to specify a user's role mapping using the format:

shell:roles="roleA roleB ..."

If the role option in the cisco-av-pair attribute is not set, the default user role is network-operator.

Note
When you log in to a Cisco MDS switch successfully using the Fabric Manager or Device Manager through Telnet or SSH and if that switch is configured for AAA server-based authentication, a temporary SNMP user entry is automatically created with an expiry time of one day. The switch authenticates the SNMPv3 protocol data units (PDUs) with your Telnet or SSH login name as the SNMPv3 user. The management station can temporarily use the Telnet or SSH login name as the SNMPv3 auth and priv passphrase. This temporary SNMP login is only allowed if you have one or more active MDS shell sessions. If you do not have an active session at any given time, your login is deleted and you will not be allowed to perform SNMPv3 operations.
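The VSA grammar above (protocol, attribute, = or * separator, a value that must be double-quoted when it contains white space) is small enough to check mechanically, which is useful when reviewing what a RADIUS server hands back in an Access-Accept or when generating cisco-av-pair values for a server's user database. The following is an added example written for this page, not Cisco NX-OS code: the AVPair type, the function names, the assumption that a value never contains an embedded double quote, and the optional known_roles check (which rejects a role name the switch would not recognise rather than silently mapping it) are all this example's own.

```python
"""Parser and builder for cisco-av-pair VSA strings in the format the manual
gives:  protocol:attribute<separator>value, where the separator is '=' for a
mandatory attribute and '*' for an optional one, and a value that contains
white space is enclosed in double quotes.

Added example, not Cisco NX-OS code; the AVPair type and the function names
are this example's own.  Assumption: a value never contains a double quote.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# From the text: a user with no roles attribute gets network-operator.
DEFAULT_ROLE = "network-operator"

# protocol ':' attribute separator value; the value is either double-quoted
# (and may then contain white space) or a single bare token.
_AVPAIR_RE = re.compile(
    r'^(?P<protocol>[A-Za-z0-9_-]+):(?P<attribute>[A-Za-z0-9_-]+)'
    r'(?P<sep>[=*])'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]+))$'
)


@dataclass(frozen=True)
class AVPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool  # True for '=', False for '*'


def parse_avpair(text: str) -> AVPair:
    """Parse one cisco-av-pair string; raise ValueError on anything malformed,
    including an unquoted value that contains white space."""
    m = _AVPAIR_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed cisco-av-pair: {text!r}")
    value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return AVPair(m.group("protocol"), m.group("attribute"), value,
                  m.group("sep") == "=")


def format_avpair(protocol: str, attribute: str, value: str,
                  mandatory: bool = True) -> str:
    """Build a cisco-av-pair string, quoting the value when it contains
    white space as the manual requires."""
    if '"' in value:
        raise ValueError("double quotes are not allowed inside a value")
    sep = "=" if mandatory else "*"
    if value == "" or any(ch.isspace() for ch in value):
        value = f'"{value}"'
    return f"{protocol}:{attribute}{sep}{value}"


def roles_from_avpairs(avpairs: Iterable[str],
                       known_roles: Optional[Iterable[str]] = None) -> List[str]:
    """Return the switch roles granted by the shell:roles attribute in an
    Access-Accept, or [DEFAULT_ROLE] when it is absent.  Both separators are
    honoured: '*' only marks the attribute as optional, so that devices which
    do not understand it ignore it.  If known_roles is given, an unknown role
    name is rejected instead of being passed through (this example's check)."""
    for raw in avpairs:
        pair = parse_avpair(raw)
        if pair.protocol == "shell" and pair.attribute == "roles":
            roles = pair.value.split()
            if not roles:
                raise ValueError("shell:roles present but empty")
            if known_roles is not None:
                unknown = sorted(set(roles) - set(known_roles))
                if unknown:
                    raise ValueError(f"unknown role(s) in shell:roles: {unknown}")
            return roles
    return [DEFAULT_ROLE]


if __name__ == "__main__":
    # Constructed sample input: the two forms shown in the manual.
    for sample in ('shell:roles="network-admin vsan-admin"',
                   'shell:roles*"network-admin vsan-admin"'):
        p = parse_avpair(sample)
        print(sample, "->", p.value.split(),
              "mandatory" if p.mandatory else "optional")
    print("no roles attribute ->", roles_from_avpairs([]))
```

The parser deliberately rejects an unquoted value containing white space rather than guessing where it ends, because a server that emits shell:roles=network-admin vsan-admin without quotes is exactly the misconfiguration the quoting rule exists to prevent; surfacing it as an error during review is safer than quietly granting only the first role.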
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x