Chapter 34 Configuring RADIUS and TACACS+
Configuring RADIUS

When you use RADIUS servers to authenticate yourself to a Cisco MDS 9000 Family switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

VSA Format

The Cisco NX-OS software supports the following VSA format:

protocol:attribute separator value

Where protocol is a Cisco attribute for a particular type of authorization, separator is = (equal sign) for mandatory attributes, and * (asterisk) is for optional attributes.

The following VSA protocol options are supported by the Cisco NX-OS software:
• Shell protocol—Used in Access-Accept packets to provide user profile information.
• Accounting protocol—Used in Accounting-Request packets. If a value contains any white spaces, it should be put within double quotation marks.

The following attributes are supported by the Cisco NX-OS software:
• roles—This attribute lists all the roles to which the user belongs. The value field is a string storing the list of group names delimited by white space. For example, if you belong to roles vsan-admin and storage-admin, the value field would be "vsan-admin storage-admin". This subattribute is sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be used with the shell protocol value. These are two examples using the roles attribute:
shell:roles="network-admin vsan-admin"
shell:roles*"network-admin vsan-admin"
When a VSA is specified as shell:roles*"network-admin vsan-admin", this VSA is flagged as an optional attribute, and other Cisco devices ignore this attribute.
• accountinginfo—This attribute stores additional accounting information besides the attributes covered by a standard RADIUS accounting protocol. This attribute is only sent in the VSA portion of the Accounting-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.

Specifying SNMPv3 on AAA Servers

The vendor/custom attribute cisco-av-pair can be used to specify a user's role mapping using the format:
shell:roles="roleA roleB ..."
If the role option in the cisco-av-pair attribute is not set, the default user role is network-operator.
The VSA format optionally specifies your SNMPv3 authentication and privacy protocol attributes also, as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server, MD5 and DES are used by default.

Displaying RADIUS Server Details

Use the show radius-server command to display configured RADIUS parameters as shown in Example 34-2.
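The following Python parser is an added example, not code from the Cisco guide. It tokenizes a cisco-av-pair string into protocol/attribute/value triples, distinguishes the mandatory (=) and optional (*) separators, and derives the effective role list and SNMPv3 protocols using the defaults the section states (network-operator when no roles are set; MD5 and DES when auth/priv are absent). It also enforces the two validity rules the guide gives: roles is only valid under the shell protocol, and unknown optional attributes are ignored while unknown mandatory ones are rejected. The regex, the `check_av_pair` helper, and the rule that a bare `priv=AES-128` token inherits the preceding `snmpv3` protocol are my own assumptions drawn from the example strings on the page, not documented behaviour.

```python
"""Parser for the cisco-av-pair VSA string (shell:roles / snmpv3:auth / snmpv3:priv).

Added example, not from the Cisco guide. Applies the defaults the guide states:
no roles -> network-operator; SNMPv3 auth/priv unset -> MD5/DES.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_ROLE = "network-operator"    # default when the role option is not set
DEFAULT_SNMPV3_AUTH = "MD5"          # default when snmpv3:auth is absent
DEFAULT_SNMPV3_PRIV = "DES"          # default when priv is absent
VALID_SNMPV3_AUTH = {"SHA", "MD5"}
VALID_SNMPV3_PRIV = {"AES-128", "DES"}

# One token of the format  protocol:attribute<sep>value
#   <sep> is '=' (mandatory attribute) or '*' (optional attribute)
#   value is double-quoted when it contains white space, otherwise bare
# The 'protocol:' prefix is optional so that 'priv=AES-128' following
# 'snmpv3:auth=SHA' inherits the snmpv3 protocol (assumption drawn from the
# guide's example string, not a documented rule).
_TOKEN_RE = re.compile(
    r'(?:(?P<protocol>[A-Za-z0-9_-]+):)?'
    r'(?P<attr>[A-Za-z0-9_-]+)'
    r'(?P<sep>[=*])'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))'
)


@dataclass
class VsaAttribute:
    protocol: str
    attribute: str
    value: str
    optional: bool   # True when the separator was '*'


@dataclass
class AuthzProfile:
    roles: List[str] = field(default_factory=lambda: [DEFAULT_ROLE])
    snmpv3_auth: str = DEFAULT_SNMPV3_AUTH
    snmpv3_priv: str = DEFAULT_SNMPV3_PRIV
    accountinginfo: Optional[str] = None


def parse_av_pair(av_pair: str) -> List[VsaAttribute]:
    """Split a cisco-av-pair value into its protocol/attribute/value tokens."""
    text = av_pair.strip()
    pos = 0
    current_protocol: Optional[str] = None
    tokens: List[VsaAttribute] = []
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"malformed cisco-av-pair near offset {pos}: {text[pos:pos + 20]!r}")
        protocol = m.group("protocol") or current_protocol
        if protocol is None:
            raise ValueError("attribute without a protocol prefix")
        current_protocol = protocol
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        tokens.append(VsaAttribute(protocol, m.group("attr"), value, m.group("sep") == "*"))
        pos = m.end()
        while pos < len(text) and text[pos].isspace():   # skip inter-token white space
            pos += 1
    return tokens


def build_profile(tokens: List[VsaAttribute]) -> AuthzProfile:
    """Derive the effective roles and SNMPv3 protocols, applying the documented defaults."""
    profile = AuthzProfile()
    for t in tokens:
        key = (t.protocol, t.attribute)
        if key == ("shell", "roles"):
            roles = t.value.split()          # role names are white-space delimited
            if roles:
                profile.roles = roles
        elif t.attribute == "roles":
            # Per the guide, roles can only be used with the shell protocol.
            raise ValueError(f"roles is not valid under protocol {t.protocol!r}")
        elif key == ("snmpv3", "auth"):
            if t.value not in VALID_SNMPV3_AUTH:
                raise ValueError(f"unsupported SNMPv3 auth protocol {t.value!r}")
            profile.snmpv3_auth = t.value
        elif key == ("snmpv3", "priv"):
            if t.value not in VALID_SNMPV3_PRIV:
                raise ValueError(f"unsupported SNMPv3 privacy protocol {t.value!r}")
            profile.snmpv3_priv = t.value
        elif t.attribute == "accountinginfo":
            profile.accountinginfo = t.value  # free-form accounting data, kept as-is
        elif not t.optional:
            # Unknown mandatory attribute: refuse rather than silently grant something.
            raise ValueError(f"unknown mandatory attribute {t.protocol}:{t.attribute}")
        # Unknown optional ('*') attributes are ignored, as the guide says other devices do.
    return profile


def check_av_pair(av_pair: str) -> Optional[str]:
    """Return None if the string parses and validates, else the error message."""
    try:
        build_profile(parse_av_pair(av_pair))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample strings, following the forms shown in the guide.
    for sample in ('shell:roles="network-admin vsan-admin"',
                   'shell:roles="roleA roleB" snmpv3:auth=SHA priv=AES-128',
                   ''):
        print(repr(sample), "->", build_profile(parse_av_pair(sample)))
```

The rejection of an unknown mandatory attribute is a deliberate fail-closed choice for a validator run on the server side; the switch itself simply acts on the attributes it understands, so treat that branch as a linting aid for ACS entries rather than a description of NX-OS behaviour.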
Cisco MDS 9000 Family CLI Configuration Guide, OL-18084-01, Cisco MDS NX-OS Release 4.x, page 34-15