Cisco NX-OS/IOS TACACS+, RADIUS, and AAA Comparison
From DocWiki
Objective
This tech note outlines the main differences in TACACS+, RADIUS, and authentication, authorization and accounting (AAA) support between Cisco® NX-OS Software and Cisco IOS® Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
AAA Overview
AAA used in combination with TACACS+ or RADIUS provides remote authentication, authorization and accounting security services for centralized system management. AAA services improve scalability and simplify network management because they use a central security database rather than local databases.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
- TACACS+ command-line interface (CLI) configuration and verification commands are not available until you enable the TACACS+ feature with the feature tacacs+ command.
- The aaa new-model command is not required to enable AAA authentication, authorization, or accounting.
- The RADIUS vendor-specific attributes (VSA) feature is enabled by default.
- Local command authorization can be performed when using role-based access control (RBAC) without a AAA server. User roles can be associated with users configured on the AAA server using VSAs. Remote command authorization can be performed on a AAA server when using AAA with TACACS+.
- If no AAA server is available for authentication, the local database is automatically used for device access.
- The TACACS+ and RADIUS host keys are Triple Data Encryption Standard (3DES) encrypted in the configuration. Cisco IOS Software requires the service password-encryption command to obscure them.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring and maintaining TACACS+, RADIUS, and AAA services.
- Different AAA, TACACS+, and RADIUS policies can be applied per virtual device context (VDC). However, the console login policy only applies to the default VDC.
- If you remove the feature tacacs+ command, all relevant TACACS+ configuration information is also removed.
- 64 TACACS+ and 64 RADIUS servers can be configured per device.
- AAA server groups are associated with the default virtual routing and forwarding (VRF) instance by default. Associate the proper VRF instance with the AAA server group if you are using the management port on the supervisor or if the AAA server is in a nondefault VRF instance.
- An IP source interface can be associated with AAA server groups.
- TACACS+ and RADIUS server keys can be specified for a group of servers or per individual server.
- By default, TACACS+ uses TCP port 49, and RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting).
- Directed server requests are enabled by default for TACACS+ and RADIUS.
- The local option can be used with AAA authorization to fall back to RBAC in the event a AAA server is not available for command authorization.
- Use the show running-config command with the aaa, tacacs+, or radius option to display the current AAA configuration.
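As an added example (not from the DocWiki page or from Cisco), a small Python checker that reads an NX-OS running-config and flags departures from the facts listed above: tacacs-server commands without feature tacacs+, servers with neither a per-server nor a global key, server groups left in the default VRF, and command authorization without a local fallback. The config text is constructed sample data, and the audit_nxos_aaa function and its finding messages are this example's own.

```python
import re

# Constructed NX-OS running-config fragment (sample data, not taken from a real device).
SAMPLE_NXOS_CONFIG = """\
feature tacacs+
tacacs-server host 192.168.1.1 key 7 "fewhg123"
tacacs-server host 192.168.1.2
aaa group server tacacs+ AAA-Servers
  server 192.168.1.1
  server 192.168.1.2
aaa authentication login default group AAA-Servers
aaa authorization commands default group AAA-Servers
"""

def audit_nxos_aaa(config: str) -> list[str]:
    """Check an NX-OS config against the facts above and return a list of findings."""
    lines = config.splitlines()
    findings = []
    hosts = [l for l in lines if re.match(r"(tacacs|radius)-server host ", l)]
    # TACACS+ commands are only valid once the feature is enabled.
    if any(l.startswith("tacacs") for l in hosts) and "feature tacacs+" not in lines:
        findings.append("tacacs-server commands present but 'feature tacacs+' is not enabled")
    # A key may be set per server or globally for all servers of that protocol.
    for proto in ("tacacs", "radius"):
        global_key = any(l.startswith(f"{proto}-server key ") for l in lines)
        for l in hosts:
            m = re.match(rf"{proto}-server host (\S+)(.*)", l)
            if m and " key " not in m.group(2) and not global_key:
                findings.append(f"{proto} server {m.group(1)} has neither a per-server nor a global key")
    # Server groups bind to the default VRF unless use-vrf is configured.
    group, groups = None, {}
    for l in lines:
        m = re.match(r"aaa group server (?:tacacs\+|radius) (\S+)", l)
        if m:
            group = m.group(1)
            groups[group] = None
        elif l.startswith("  ") and group and l.split()[:1] == ["use-vrf"]:
            groups[group] = l.split()[1]
        elif not l.startswith("  "):
            group = None
    for name, vrf in groups.items():
        if vrf is None:
            findings.append(f"server group {name} is bound to the default VRF; add use-vrf if it is reached via mgmt0")
    # Command authorization should fall back to RBAC ('local') when no server answers.
    for l in lines:
        if l.startswith("aaa authorization commands") and " group " in l and not l.rstrip().endswith(" local"):
            findings.append("command authorization has no 'local' fallback to RBAC when servers are unreachable")
    return findings
```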
Configuration Comparison
The following sample code shows configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software CLIs. The configurations for the two operating systems are very similar.
| Feature | Cisco IOS CLI | Cisco NX-OS CLI |
|---|---|---|
| Enabling TACACS+ | Cisco IOS Software does not have the ability to enable or disable TACACS+. | feature tacacs+ |
| Configuring a TACACS+ Server with a Key | tacacs-server host 192.168.1.1 key cisco123 | tacacs-server host 192.168.1.1 key 7 "fewhg123" |
| Specifying a Nondefault TACACS+ TCP Port | tacacs-server host 192.168.1.1 port 85 | tacacs-server host 192.168.1.1 port 85 |
| Specifying the TACACS+ Timeout Value (Global) | tacacs-server timeout 10 | tacacs-server timeout 10 |
| Configuring a RADIUS Server with a Key | radius-server host 192.168.1.1 key cisco123 | radius-server host 192.168.1.1 key 7 "fewhg123" |
| Specifying Nondefault RADIUS UDP Ports | radius-server host 192.16.1.1 auth-port 1645 acct-port 1646 | radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 |
| Specifying the RADIUS Timeout Value (Global) | radius-server host 192.168.1.1 timeout 10 | radius-server timeout 10 |
| Configuring an AAA Server Group (TACACS+) | aaa group server tacacs+ AAA-Servers<br>server 192.168.1.1 | aaa group server tacacs+ AAA-Servers<br>server 192.168.1.1 |
| Configuring an AAA Server Group (RADIUS) | aaa group server radius AAA-Servers<br>server 192.168.1.1 | aaa group server radius AAA-Servers<br>server 192.168.1.1 |
| Configuring an AAA Server Group for a VRF Instance (RADIUS) | aaa group server radius AAA-Servers<br>server 192.168.1.1 ip vrf forwarding management | aaa group server radius AAA-Servers<br>server 192.168.1.1<br>use-vrf management |
| Configuring the AAA Server Group Dead Time (RADIUS) | aaa group server radius AAA-Servers<br>deadtime 5 | aaa group server radius AAA-Servers<br>deadtime 5 |
| Enabling AAA Authentication with an AAA Server Group | aaa new-model<br>aaa authentication login default group AAA-Servers | aaa authentication login default group AAA-Servers |
| Enabling AAA Authorization with an AAA Server Group | aaa new-model<br>aaa authorization config-commands<br>aaa authorization commands 1 default group AAA-Servers | aaa authorization config-commands default group AAA-Servers<br>aaa authorization commands default group AAA-Servers |
| Enabling AAA Accounting with an AAA Server Group | aaa new-model<br>aaa accounting exec default start-stop group AAA-Servers | aaa accounting default group AAA-Servers |
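As an added example (not from the page or from Cisco), a Python function that applies the table's IOS-to-NX-OS mappings to an IOS AAA fragment: it drops aaa new-model, prepends feature tacacs+, turns the per-server ip vrf forwarding into the group-level use-vrf, makes the per-host RADIUS timeout global, removes the privilege level from command authorization, and collapses the exec accounting line. The sample IOS text is constructed, ios_to_nxos is a hypothetical helper name, and only the commands shown in the table are covered.

```python
import re

# Constructed IOS AAA fragment (sample data) using the IOS commands from the table above.
SAMPLE_IOS_CONFIG = """\
aaa new-model
tacacs-server host 192.168.1.1 key cisco123
tacacs-server timeout 10
aaa group server tacacs+ AAA-Servers
 server 192.168.1.1 ip vrf forwarding management
 deadtime 5
aaa authentication login default group AAA-Servers
aaa authorization config-commands
aaa authorization commands 1 default group AAA-Servers
aaa accounting exec default start-stop group AAA-Servers
"""

def ios_to_nxos(ios_config: str) -> list[str]:
    """Rewrite the IOS AAA commands covered by the table into their NX-OS form."""
    raw = [l.rstrip() for l in ios_config.splitlines() if l.strip()]
    # NX-OS config-commands authorization takes a method list; reuse the one from the commands line.
    m = next((re.match(r"aaa authorization commands \d+ default (.*)", l.strip()) for l in raw
              if l.strip().startswith("aaa authorization commands")), None)
    methods = m.group(1) if m else "local"
    out = []
    if any(l.startswith("tacacs-server") for l in raw):
        out.append("feature tacacs+")  # TACACS+ CLI is unavailable until the feature is enabled
    for l in raw:
        s, ind = l.strip(), ("  " if l[0].isspace() else "")
        if s == "aaa new-model":
            continue  # not required on NX-OS
        if s == "aaa authorization config-commands":
            out.append(f"aaa authorization config-commands default {methods}")
            continue
        for pattern, repl in (
            (r"server (\S+) ip vrf forwarding (\S+)", r"server \1\nuse-vrf \2"),  # VRF binding is group-level
            (r"radius-server host \S+ timeout (\d+)", r"radius-server timeout \1"),  # timeout is global
            (r"aaa authorization commands \d+ default (.*)", r"aaa authorization commands default \1"),  # no privilege level
            (r"aaa accounting exec default start-stop (.*)", r"aaa accounting default \1"),  # single accounting method list
        ):
            if re.fullmatch(pattern, s):
                s = re.sub(pattern, repl, s)
                break
        out.extend(ind + part for part in s.split("\n"))
    return out
```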
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting AAA, TACACS+, and RADIUS.
| Cisco NX-OS AAA | Cisco IOS Software AAA | Command Description |
|---|---|---|
| show tacacs | show tacacs | Displays the TACACS+ server configuration for all servers |
| show tacacs <x.x.x.x> | - | Displays a specific TACACS+ server configuration |
| show tacacs server directed-request | - | Displays the status of the directed-request feature (enabled or disabled) |
| show tacacs server groups | - | Displays TACACS+ server groups |
| show tacacs statistics <x.x.x.x> | - | Displays TACACS+ statistics for a specific server |
| - | - | - |
| show radius | - | Displays the RADIUS server configuration for all servers |
| show radius <x.x.x.x> | - | Displays a specific RADIUS server configuration |
| show radius server directed-request | - | Displays the status of the directed-request feature (enabled or disabled) |
| show radius server groups | show radius server-group | Displays RADIUS server groups |
| show radius statistics <x.x.x.x> | show radius statistics | Displays RADIUS statistics for a specific server |
| - | - | - |
| show aaa accounting | - | Displays the status of AAA accounting |
| show aaa authentication | - | Displays the default and console login methods |
| show aaa authentication login error-enable | - | Displays the login error message status (enabled or disabled) |
| show aaa authentication login mschap | - | Displays the status of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP; enabled or disabled) |
| show aaa authorization | - | Displays the AAA authorization configuration |
| show aaa groups | - | Displays the AAA groups that are configured |
| - | - | - |
| show user-account | - | Displays a list of locally configured users |
| show users | show users | Displays the users who are logged in |
