This tech note outlines the main differences in authentication, authorization and accounting (AAA), LDAP, RADIUS, and TACACS+ support between Cisco® NX-OS Software and Cisco IOS® Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
AAA Overview
AAA used in combination with LDAP, RADIUS or TACACS+ provides remote authentication, authorization and accounting security services for centralized system management. AAA services improve scalability and simplify security management by using a central security database rather than local databases.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
LDAP and TACACS+ command-line interface (CLI) configuration and verification commands are not available until you enable the LDAP or TACACS+ feature with the feature ldap or feature tacacs+ command (the RADIUS feature is enabled by default and cannot be disabled).
The aaa new-model command is not required to enable AAA authentication, authorization, or accounting.
LDAP version 3 can be configured to support authentication and authorization services. Cisco IOS Software does not support LDAP for authentication or authorization services.
The RADIUS vendor-specific attributes (VSA) feature is enabled by default. Cisco IOS Software requires the global radius-server vsa send configuration command to enable IETF attribute 26.
Local command authorization can be performed using privilege-levels or role-based access control (RBAC) without a AAA server. Local privilege-levels or RBAC roles can be associated with users configured on the AAA server using VSAs (TACACS+ supports command authorization that can be configured on the AAA server).
If a configured AAA server is not available for authentication, the local database (username/password) is automatically used for device access.
The RADIUS and TACACS+ host keys are Triple Data Encryption Standard (3DES) encrypted in the configuration. Cisco IOS Software requires the service password command.
All configuration commands are recorded in a local log (NVRAM) with user and time stamp information by default (no AAA configuration required). The log can be viewed with the show accounting log command.
The aaa accounting default command enables accounting for start and stop records as well as command accounting (Exec mode and configuration mode). Cisco IOS Software requires additional aaa accounting commands to enable both types of accounting.
RADIUS and TACACS+ support Cisco Fabric Services (CFS) for automated configuration synchronization between Nexus 7000 chassis.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining AAA, LDAP, RADIUS, and TACACS+ services.
Different AAA, LDAP, RADIUS and TACACS+ policies can be applied per virtual device context (VDC). However, the console login policy only applies to the default VDC.
Configuring a protocol for AAA is a multi-step configuration process: Define the server(s), create the server group, and associate the server group to the required AAA commands.
If you remove a feature such as LDAP or TACACS+ with the global no feature <name> command, all relevant configuration information is removed from the running-configuration for the specified feature.
64 LDAP, 64 RADIUS and 64 TACACS+ servers can be configured per device.
AAA server groups are associated with the default Virtual Routing and Forwarding (VRF) instance by default. Associate the proper VRF instance with the AAA server group if you are using the management port on the supervisor module or if the AAA server is in a non-default VRF instance.
A RADIUS and TACACS+ source interface can be configured globally or per AAA server group to specify the source IP address for packets destined to remote AAA services.
RADIUS and TACACS+ server keys can be specified for a group of servers or per individual server.
By default, LDAP uses TCP port 389, RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting), and TACACS+ uses TCP port 49. All server ports can be configured to use different values.
Directed server requests are enabled by default for RADIUS and TACACS+.
The local option can be used with AAA authorization to fall back to local privilege-levels or RBAC if a AAA server is not available for command authorization.
RADIUS and TACACS+ support global server test monitoring (per-server monitoring takes precedence over global monitoring).
Use the show running-config command with the aaa, ldap, radius or tacacs+ option to display the running configuration for a specific feature.
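As an added example that is not part of the Cisco tech note, the following Cisco NX-OS configuration walks through the three-step process described above for TACACS+ (define the servers, create the server group, associate the group with the AAA commands) and also shows the VRF association, the local fallback for command authorization, and global versus per-server test monitoring. The server addresses (192.0.2.x), the group name TAC-GRP, the probe username and the shared-secret placeholder are constructed values.

```text
! Step 1: enable the feature and define the servers (constructed addresses)
feature tacacs+
tacacs-server host 192.0.2.10 key 0 SHARED-SECRET-PLACEHOLDER timeout 5
tacacs-server host 192.0.2.11 key 0 SHARED-SECRET-PLACEHOLDER timeout 5
! Global test monitoring; the per-server test defined for 192.0.2.11 takes precedence for that host
tacacs-server test username probe-user idle-time 5
tacacs-server host 192.0.2.11 test username probe-user idle-time 3
tacacs-server deadtime 10

! Step 2: create the server group; servers reached via mgmt0 need the management VRF
aaa group server tacacs+ TAC-GRP
  server 192.0.2.10
  server 192.0.2.11
  use-vrf management
  source-interface mgmt0

! Step 3: associate the group with the AAA methods
! Login authentication: the local username database is used automatically when no server is reachable
aaa authentication login default group TAC-GRP
! The console policy applies to the default VDC only
aaa authentication login console group TAC-GRP
! Command authorization: the local option falls back to RBAC roles when the servers are unavailable
aaa authorization commands default group TAC-GRP local
aaa authorization config-commands default group TAC-GRP local
! Accounting: one command enables start/stop records and EXEC/configuration command accounting
aaa accounting default group TAC-GRP

! Verification: per-feature running configuration and the local NVRAM command log
show running-config tacacs+
show running-config aaa
show accounting log
```

The shared secret is entered in cleartext with key 0 and appears 3DES-encrypted (key 7) in the running configuration, so the stored form can be compared across chassis without exposing the key.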
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations for the two operating systems are very similar.
Cisco IOS CLI
Cisco NX-OS CLI
Enabling LDAP
Cisco IOS Software does not support LDAP for authentication and authorization services.