AAA security provides the following services:
+ Authentication – Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption.
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
+ Authorization – Provides access control.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
+ Accounting – Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.
In conclusion, authorization specifies which resources the users are allowed to access.
In the “aaa authentication login login radius local” command, the first “login” is a keyword which authenticates users who want exec access into the access server (tty, vty, console and aux). The second “login” is a list name. “radius local” part indicates the RADIUS authentication should be used first. If the RADIUS server does not reply then use the local database to authenticate.
Method lists are specific to the authorization type requested:
+ Auth-proxy – Applies specific security policies on a per-user basis. For detailed information on the authentication proxy feature, refer to the chapter “Configuring Authentication Proxy” in the “Traffic Filtering and Firewalls” part of this book.
+ Commands – Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
+ EXEC – Applies to the attributes associated with a user EXEC terminal session.
+ Network – Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
+ Reverse Access – Applies to reverse Telnet sessions.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named “default”). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
The console port is authenticated with NO_AUTH list. But this list does not contain any authentication method (it uses “none”) so no authentication is required when connecting to the console port.
The VTY line can be accessed via Telnet and SSH by default. It is authenticated by “default” list which is defined with the “aaa authentication login default group radius local line” command. Therefore users who access via Telnet or SSH are authenticated via RADIUS first, then local database and finally line VTY password.
Note: The “group” keyword provides a way to group existing server hosts. The feature allows the user to select a subset of the configured server hosts and use them for a particular service. Therefore we can understand “group radius” here means “some pre-defined radius servers”.
You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.
When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
+ Single host mode—Port security learns the MAC address of the authenticated host.
+ Multiple host mode—Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.
If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.
The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.
If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.
Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit.