Configuring AAA

This section uses payloads and CLIs to demonstrate how to configure AAA.

For information about AAA, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-installation-and-configuration-guides-list.html/

Setting AAA Authentication Configuration

POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauth.json
{
 "aaaDefaultAuth": {
   "attributes": {
      "authProtocol": "pap",
      "childAction": "",
      "descr": "",
      "dn": "sys/userext/authrealm/defaultauth",
      "errEn": "no",
      "fallback": "yes",
      "lcOwn": "local",
      "local": "no",
      "modTs": "2015-04-11T11:20:05.347+00:00",
      "name": "",
      "none": "no",
      "ownerKey": "",
      "ownerTag": "",
      "providerGroup": "tac1",
      "providerGroup2": "",
      "providerGroup3": "",
      "providerGroup4": "",
      "providerGroup5": "",
      "providerGroup6": "",
      "providerGroup7": "",
      "providerGroup8": "",
      "realm": "local",
      "status": "",
      "uid": "0"
}}}
{
    "imdata": []
}

Enables ASCII authentication. The default is disabled.

The /sys/userext/authrealm/defaultauth object contains AAA configuration for the switch. Using this API, you can set AAA authentication configuration on the switch.


CLI Commands

The CLI command below is the equivalent of the payload example above.

aaa authentication login default group tac1

Note: The property information for this example was added in Release 9.3(3).


Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

| MO | DN |
| --- | --- |
| aaaDefaultAuth | sys/userext/authrealm/defaultauth |


aaaDefaultAuth Properties

The following table contains information about the aaaDefaultAuth properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| authProtocol | aaa:authenticationProtocol (scalar:Enum8) | Authentication Protocol | SELECTION: 0 - pap, 1 - chap, 2 - mschap, 3 - mschapv2, 4 - ascii. DEFAULT: pap |
| childAction | mo:ModificationChildAction (scalar:Bitmask32) | Delete or ignore. For internal use only. | SELECTION: 16384u - deleteAll, 4096u - ignore, 8192u - deleteNonPresent. DEFAULT: 0 |
| descr | pol:Descr | Description of the specified attribute | |
| dn | reference:BinRef | A tag or metadata is a non-hierarchical keyword or term assigned to the fabric module. | |
| errEn | scalar:Bool | Enable display of error message on login failures | SELECTION: true or false. DEFAULT: no |
| fallback | aaa:Boolean (scalar:Enum8) | Fallback in case all AAA servers configured for remote authentication are unreachable | SELECTION: 0 - no, 1 - yes. DEFAULT: yes |
| lcOwn | NA | NA | NA |
| local | aaa:Boolean (scalar:Enum8) | Use local username authentication | SELECTION: 0 - no, 1 - yes. DEFAULT: yes |
| modTs | mo:TStamp (scalar:Date) | The time when this object was last modified. | SELECTION: 0 - never. DEFAULT: never |
| name | pol:ObjName (naming:Name256) | Object name | MAX SIZE: 64 |
| none | aaa:Boolean (scalar:Enum8) | No authentication | SELECTION: 0 - no, 1 - yes. DEFAULT: no |
| ownerKey | naming:Descr (string:Basic) | The key for enabling clients to own their data for entity correlation. | MAX SIZE: 128 |
| ownerTag | naming:Descr1024 (string:Basic) | A tag for enabling clients to add their own data. For example, to indicate who created this object. | MAX SIZE: 64 |
| providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
| providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
| providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
| providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
| providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
| providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
| providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
| providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
| realm | aaa:Realm (scalar:Enum8) | Realm | SELECTION: 0 - local, 1 - radius, 2 - tacacs, 3 - ldap. DEFAULT: local |
| status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced |
| uid | scalar:Uint16 | A unique identifier for this object. | |


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Querying AAA Authentication Configuration

    
    GET http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauth.json
    
    {
     "totalCount": "1",
     "imdata": [
     {
      "aaaDefaultAuth": {
        "attributes": {
          "authProtocol": "pap",
          "childAction": "",
          "descr": "",
          "dn": "sys/userext/authrealm/defaultauth",
          "errEn": "no",
          "fallback": "yes",
          "lcOwn": "local",
          "local": "yes",
          "modTs": "2015-07-06T22:15:33.689+00:00",
          "name": "",
          "none": "no",
          "ownerKey": "",
          "ownerTag": "",
          "providerGroup": "",
          "providerGroup2": "",
          "providerGroup3": "",
          "providerGroup4": "",
          "providerGroup5": "",
          "providerGroup6": "",
          "providerGroup7": "",
          "providerGroup8": "",
          "realm": "local",
          "status": "",
          "uid": "0"
    }}}]}
    

    The /sys/userext/authrealm/defaultauth object contains AAA configuration for the switch. Using this API, you can query AAA authentication configuration on the switch.

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    | MO | DN |
    | --- | --- |
    | aaaDefaultAuth | sys/userext/authrealm/defaultauth |


    aaaDefaultAuth Properties

    The following table contains information about the aaaDefaultAuth properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    | Property Name | Data Type | Description | Values |
    | --- | --- | --- | --- |
    | authProtocol | aaa:authenticationProtocol (scalar:Enum8) | Authentication Protocol | SELECTION: 0 - pap, 1 - chap, 2 - mschap, 3 - mschapv2, 4 - ascii. DEFAULT: pap |
    | childAction | mo:ModificationChildAction (scalar:Bitmask32) | Delete or ignore. For internal use only. | SELECTION: 16384u - deleteAll, 4096u - ignore, 8192u - deleteNonPresent. DEFAULT: 0 |
    | descr | pol:Descr | Description of the specified attribute | |
    | dn | reference:BinRef | A tag or metadata is a non-hierarchical keyword or term assigned to the fabric module. | |
    | errEn | scalar:Bool | Enable display of error message on login failures | SELECTION: true or false. DEFAULT: no |
    | fallback | aaa:Boolean (scalar:Enum8) | Fallback in case all AAA servers configured for remote authentication are unreachable | SELECTION: 0 - no, 1 - yes. DEFAULT: yes |
    | lcOwn | NA | NA | NA |
    | local | aaa:Boolean (scalar:Enum8) | Use local username authentication | SELECTION: 0 - no, 1 - yes. DEFAULT: yes |
    | modTs | mo:TStamp (scalar:Date) | The time when this object was last modified. | SELECTION: 0 - never. DEFAULT: never |
    | name | pol:ObjName (naming:Name256) | Object name | MAX SIZE: 64 |
    | none | aaa:Boolean (scalar:Enum8) | No authentication | SELECTION: 0 - no, 1 - yes. DEFAULT: no |
    | ownerKey | naming:Descr (string:Basic) | The key for enabling clients to own their data for entity correlation. | MAX SIZE: 128 |
    | ownerTag | naming:Descr1024 (string:Basic) | A tag for enabling clients to add their own data. For example, to indicate who created this object. | MAX SIZE: 64 |
    | providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | realm | aaa:Realm (scalar:Enum8) | Realm | SELECTION: 0 - local, 1 - radius, 2 - tacacs, 3 - ldap. DEFAULT: local |
    | status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced |
    | uid | scalar:Uint16 | A unique identifier for this object. | |


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Setting AAA Authorization Configuration (config-commands)

    
    POST http://<IP_Address>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaDefaultAuthor": {
              "attributes": {
                "authorMethodNone": "no",
                "cmdType": "config",
                "localRbac": "no",
                "providerGroup": "tac1",
                "providerGroup2": "",
                "providerGroup3": "",
                "providerGroup4": "",
                "providerGroup5": "",
                "providerGroup6": "",
                "providerGroup7": "",
                "providerGroup8": ""
    }}}]}}
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauthor-items>
            <DefaultAuthor-list>
              <cmdType>config</cmdType>
              <authorMethodNone>false</authorMethodNone>
              <localRbac>false</localRbac>
              <providerGroup>tac1</providerGroup>
              <providerGroup2></providerGroup2>
              <providerGroup3></providerGroup3>
              <providerGroup4></providerGroup4>
              <providerGroup5></providerGroup5>
              <providerGroup6></providerGroup6>
              <providerGroup7></providerGroup7>
              <providerGroup8></providerGroup8>
            </DefaultAuthor-list>
          </defaultauthor-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Sets the AAA authorization configuration.

    If AAA authorization is configured on the switch, the /sys/userext/authrealm/ object contains one or more authorization objects that enable AAA authorization for the switch. Using this API you can set AAA authorization configuration on the switch.


    CLI Commands

    The CLI commands are equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    aaa authorization config-commands default group tac1

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    | MO | DN |
    | --- | --- |
    | aaaAuthRealm | sys/userext/authrealm |
    | aaaDefaultAuthor | sys/userext/authrealm/defaultauthor-{cmdType} |


    aaaDefaultAuthor Properties

    The following table contains information about the aaaDefaultAuthor properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    | Property Name | Data Type | Description | Values |
    | --- | --- | --- | --- |
    | authorMethodNone | scalar:Bool | No authorization | SELECTION: true or false |
    | cmdType | aaa:CmdType (scalar:Enum8) | Type of command for authorization | SELECTION: 0 - config, 1 - exec. DEFAULT: config |
    | localRbac | scalar:Bool | Use Local RBAC based Authorization | SELECTION: true or false. DEFAULT: yes |
    | providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Setting AAA Authorization Configuration (commands)

    
    POST http://<IP_Address>/api/node/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaDefaultAuthor": {
              "attributes": {
                "authorMethodNone": "no",
                "cmdType": "exec",
                "localRbac": "no",
                "providerGroup": "tac1",
                "providerGroup2": "",
                "providerGroup3": "",
                "providerGroup4": "",
                "providerGroup5": "",
                "providerGroup6": "",
                "providerGroup7": "",
                "providerGroup8": ""						
    }}}]}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauthor-items>
            <DefaultAuthor-list>
              <cmdType>exec</cmdType>
              <authorMethodNone>false</authorMethodNone>
              <localRbac>false</localRbac>
              <providerGroup>tac1</providerGroup>
              <providerGroup2></providerGroup2>
              <providerGroup3></providerGroup3>
              <providerGroup4></providerGroup4>
              <providerGroup5></providerGroup5>
              <providerGroup6></providerGroup6>
              <providerGroup7></providerGroup7>
              <providerGroup8></providerGroup8>
            </DefaultAuthor-list>
          </defaultauthor-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Configures the command authorization method for specific roles on a TACACS+ server. The commands keyword configures authorization sources for all EXEC commands. The default keyword configures command authorization for a non-console session.


    CLI Commands

    The CLI commands are equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    aaa authorization commands default group tac1

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    | MO | DN |
    | --- | --- |
    | aaaAuthRealm | sys/userext/authrealm |
    | aaaDefaultAuthor | sys/userext/authrealm/defaultauthor-{cmdType} |


    aaaDefaultAuthor Properties

    The following table contains information about the aaaDefaultAuthor properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    | Property Name | Data Type | Description | Values |
    | --- | --- | --- | --- |
    | authorMethodNone | scalar:Bool | No authorization | SELECTION: true or false |
    | cmdType | aaa:CmdType (scalar:Enum8) | Type of command for authorization | SELECTION: 0 - config, 1 - exec. DEFAULT: config |
    | localRbac | scalar:Bool | Use Local RBAC based Authorization | SELECTION: true or false. DEFAULT: yes |
    | providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Querying AAA Authorization Configuration

    
    GET http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauthor-1.json
    
    {
     "totalCount": "1",
     "imdata": [
     {
      "aaaDefaultAuthor": {
        "attributes": {
          "authorMethodNone": "no",
          "childAction": "",
          "cmdType": "exec",
          "descr": "",
          "dn": "sys/userext/authrealm/defaultauthor-exec",
          "lcOwn": "local",
          "localRbac": "no",
          "modTs": "2015-06-25T01:50:06.232+00:00",
          "name": "Author",
          "ownerKey": "",
          "ownerTag": "",
          "providerGroup": "",
          "providerGroup2": "",
          "providerGroup3": "",
          "providerGroup4": "",
          "providerGroup5": "",
          "providerGroup6": "",
          "providerGroup7": "",
          "providerGroup8": "",
          "realm": "tacacs",
          "status": "",
          "uid": "0"
    }}}]}
    

    The /sys/userext/authrealm/defaultrealm object contains one or more authorization objects that enable AAA authorization for the switch.
    Using this API you can query AAA authorization configuration on the switch.

    Note: The property information for this example was added in Release 9.3(3).
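
An added example (not part of the Cisco documentation) that audits the GET responses shown in these query sections: it lists the configured methods and flags the attributes whose descriptions are "No authentication", "No authorization" and "No accounting". It also covers the aaaDefaultAcc object documented later on this page; the sample responses are constructed, and reading the provider group slots as an ordered list is an assumption.

```python
import json

# Per class: the attribute that switches the AAA function off, and its meaning,
# as given in the property tables on this page.
DISABLE_FLAG = {
    "aaaDefaultAuth": ("none", "No authentication"),
    "aaaDefaultAuthor": ("authorMethodNone", "No authorization"),
    "aaaDefaultAcc": ("accMethodNone", "No accounting"),
}
# Per class: the attribute that selects the local method.
LOCAL_FLAG = {
    "aaaDefaultAuth": "local",
    "aaaDefaultAuthor": "localRbac",
    "aaaDefaultAcc": "localRbac",
}
GROUP_KEYS = ["providerGroup"] + [f"providerGroup{i}" for i in range(2, 9)]


def truthy(value):
    """DME JSON carries "yes"/"no"; the YANG XML payloads carry true/false."""
    return str(value).strip().lower() in ("yes", "true")


def methods(cls, attrs):
    """Methods visible in the attributes: groups in slot order, local, none.

    Assumption of this example: slot order (providerGroup, providerGroup2, ...)
    is the order in which the groups are tried. A missing attribute counts as
    not set, whatever its model default is.
    """
    out = [f"group {attrs[k]}" for k in GROUP_KEYS if attrs.get(k)]
    if truthy(attrs.get(LOCAL_FLAG[cls], "")):
        out.append("local")
    if truthy(attrs.get(DISABLE_FLAG[cls][0], "")):
        out.append("none")
    return out


def audit(response):
    """Return a list of (level, dn, message) findings for one GET response."""
    findings = []
    for item in response.get("imdata", []):
        for cls, body in item.items():
            if cls not in DISABLE_FLAG:
                continue
            attrs = body.get("attributes", {})
            dn = attrs.get("dn", cls)
            flag, meaning = DISABLE_FLAG[cls]
            if truthy(attrs.get(flag, "")):
                findings.append(("high", dn, f"{flag} is set ({meaning})"))
            if not any(attrs.get(k) for k in GROUP_KEYS):
                findings.append(("info", dn, "no provider group configured"))
            elif cls == "aaaDefaultAuth" and not truthy(attrs.get("fallback", "yes")):
                findings.append(
                    ("warn", dn, "fallback is off while remote groups are configured"))
    return findings


# Constructed sample 1: trimmed copy of the authentication query response above.
SAMPLE_AUTH = json.loads("""
{"totalCount": "1", "imdata": [{"aaaDefaultAuth": {"attributes": {
  "authProtocol": "pap", "dn": "sys/userext/authrealm/defaultauth",
  "errEn": "no", "fallback": "yes", "local": "yes", "none": "no",
  "providerGroup": "", "providerGroup2": "", "realm": "local"}}}]}
""")

# Constructed sample 2: accounting object with XML-style booleans and
# accMethodNone switched on.
SAMPLE_ACC = json.loads("""
{"totalCount": "1", "imdata": [{"aaaDefaultAcc": {"attributes": {
  "accMethodNone": "true", "dn": "sys/userext/authrealm/defaultacc",
  "localRbac": "false", "providerGroup": "tac1", "providerGroup2": ""}}}]}
""")

if __name__ == "__main__":
    for sample in (SAMPLE_AUTH, SAMPLE_ACC):
        for cls, body in sample["imdata"][0].items():
            print(cls, "->", methods(cls, body["attributes"]))
        for finding in audit(sample):
            print("  ", *finding)
```
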


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    | MO | DN |
    | --- | --- |
    | aaaDefaultAuthor | sys/userext/authrealm/defaultauthor-{cmdType} |


    aaaDefaultAuthor Properties

    The following table contains information about the aaaDefaultAuthor properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    | Property Name | Data Type | Description | Values |
    | --- | --- | --- | --- |
    | authorMethodNone | scalar:Bool | No authorization | SELECTION: true or false |
    | childAction | mo:ModificationChildAction (scalar:Bitmask32) | Delete or ignore. For internal use only. | SELECTION: 16384u - deleteAll, 4096u - ignore, 8192u - deleteNonPresent. DEFAULT: 0 |
    | cmdType | aaa:CmdType (scalar:Enum8) | Type of command for authorization | SELECTION: 0 - config, 1 - exec. DEFAULT: config |
    | descr | pol:Descr | Description of the specified attribute | |
    | dn | reference:BinRef | A tag or metadata is a non-hierarchical keyword or term assigned to the fabric module. | |
    | lcOwn | NA | NA | NA |
    | localRbac | scalar:Bool | Use Local RBAC based Authorization | SELECTION: true or false. DEFAULT: yes |
    | modTs | mo:TStamp (scalar:Date) | The time when this object was last modified. | SELECTION: 0 - never. DEFAULT: never |
    | name | pol:ObjName (naming:Name256) | Object name | MAX SIZE: 64 |
    | ownerKey | naming:Descr (string:Basic) | The key for enabling clients to own their data for entity correlation. | MAX SIZE: 128 |
    | ownerTag | naming:Descr1024 (string:Basic) | A tag for enabling clients to add their own data. For example, to indicate who created this object. | MAX SIZE: 64 |
    | providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | realm | aaa:Realm (scalar:Enum8) | Realm | SELECTION: 0 - local, 1 - radius, 2 - tacacs, 3 - ldap. DEFAULT: local |
    | status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced |
    | uid | scalar:Uint16 | A unique identifier for this object. | |


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Setting AAA Accounting Configuration

    
    POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultacc.json
    
    {
     "aaaAuthRealm": {
     "children": [
      {
        "aaaDefaultAcc": {
          "attributes": {
            "accMethodNone": "no",
            "localRbac": "no",
            "providerGroup": "tac1",
            "providerGroup2": "",
            "providerGroup3": "",
            "providerGroup4": "",
            "providerGroup5": "",
            "providerGroup6": "",
            "providerGroup7": "",
            "providerGroup8": ""
    }}}]}}
    
    {
       "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultacc-items>
            <accMethodNone>false</accMethodNone>
            <localRbac>false</localRbac>
            <providerGroup>tac1</providerGroup>
            <providerGroup2></providerGroup2>
            <providerGroup3></providerGroup3>
            <providerGroup4></providerGroup4>
            <providerGroup5></providerGroup5>
            <providerGroup6></providerGroup6>
            <providerGroup7></providerGroup7>
            <providerGroup8></providerGroup8>
          </defaultacc-items>
        </authrealm-items>
      </userext-items>
    </System>
    


    CLI Commands

    The CLI commands are equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    Configures the default accounting method.

    aaa accounting default group tac1

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    | MO | DN |
    | --- | --- |
    | aaaAuthRealm | sys/userext/authrealm |
    | aaaDefaultAcc | sys/userext/authrealm/defaultacc |


    aaaDefaultAcc Properties

    The following table contains information about the aaaDefaultAcc properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    | Property Name | Data Type | Description | Values |
    | --- | --- | --- | --- |
    | accMethodNone | scalar:Bool | No accounting | SELECTION: true or false. DEFAULT: no |
    | localRbac | scalar:Bool | Use Local | SELECTION: true or false. DEFAULT: yes |
    | providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Enabling AAA Accounting

    
    POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultacc.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaDefaultAcc": {
              "attributes": {
                "accMethodNone": "no",
                "localRbac": "yes",
                "providerGroup": "",
                "providerGroup2": "",
                "providerGroup3": "",
                "providerGroup4": "",
                "providerGroup5": "",
                "providerGroup6": "",
                "providerGroup7": "",
                "providerGroup8": ""
    
    }}}]}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultacc-items>
            <accMethodNone>false</accMethodNone>
            <localRbac>true</localRbac>
            <providerGroup></providerGroup>
            <providerGroup2></providerGroup2>
            <providerGroup3></providerGroup3>
            <providerGroup4></providerGroup4>
            <providerGroup5></providerGroup5>
            <providerGroup6></providerGroup6>
            <providerGroup7></providerGroup7>
            <providerGroup8></providerGroup8>
          </defaultacc-items>
        </authrealm-items>
      </userext-items>
    </System>
    


    CLI Commands

    The CLI commands are equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    Configures the default accounting method.

    aaa accounting default local

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    | MO | DN |
    | --- | --- |
    | aaaAuthRealm | sys/userext/authrealm |
    | aaaDefaultAcc | sys/userext/authrealm/defaultacc |
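
The verification step described in each "Verifying a DME Configuration" section on this page, as an added example that is not Cisco's code: it compares the attributes of a POST payload with the GET read-back for the same DN. The read-back samples are constructed, and the set of ignored bookkeeping attributes is an assumption of this example.

```python
# Bookkeeping attributes that are not compared. Treating these as
# switch-maintained is an assumption of this example, based on their
# descriptions in the property tables (timestamps, status, internal use).
IGNORED = {"childAction", "dn", "lcOwn", "modTs", "status", "uid"}


def flatten(mo):
    """Yield (class, attributes) for an MO and, recursively, its children."""
    for cls, body in mo.items():
        yield cls, body.get("attributes", {})
        for child in body.get("children", []):
            yield from flatten(child)


def key_of(cls, attrs):
    """aaaDefaultAuthor has one instance per cmdType (DN defaultauthor-{cmdType})."""
    return (cls, attrs.get("cmdType", ""))


def verify(posted, response):
    """Compare a POST payload with the GET read-back.

    Returns a list of (class, attribute, posted_value, read_back_value); an
    object absent from the read-back is reported once with attribute None.
    """
    current = {}
    for item in response.get("imdata", []):
        for cls, attrs in flatten(item):
            current[key_of(cls, attrs)] = attrs
    problems = []
    for cls, wanted in flatten(posted):
        if not wanted:  # container posted without attributes, e.g. aaaAuthRealm
            continue
        got = current.get(key_of(cls, wanted))
        if got is None:
            problems.append((cls, None, None, None))
            continue
        for attr, value in wanted.items():
            if attr not in IGNORED and got.get(attr) != value:
                problems.append((cls, attr, value, got.get(attr)))
    return problems


EMPTY_GROUPS = {f"providerGroup{i}": "" for i in range(2, 9)}

# The "Setting AAA Accounting Configuration" payload from this page.
POSTED = {"aaaAuthRealm": {"children": [{"aaaDefaultAcc": {"attributes": {
    "accMethodNone": "no", "localRbac": "no",
    "providerGroup": "tac1", **EMPTY_GROUPS}}}]}}

# Constructed read-back: the switch still holds "aaa accounting default local".
READ_BACK_STALE = {"totalCount": "1", "imdata": [{"aaaDefaultAcc": {"attributes": {
    "accMethodNone": "no", "childAction": "",
    "dn": "sys/userext/authrealm/defaultacc", "localRbac": "yes",
    "providerGroup": "", **EMPTY_GROUPS, "uid": "0"}}}]}

# Constructed read-back: the posted values took effect.
READ_BACK_OK = {"totalCount": "1", "imdata": [{"aaaDefaultAcc": {"attributes": {
    "accMethodNone": "no", "childAction": "",
    "dn": "sys/userext/authrealm/defaultacc", "localRbac": "no",
    "providerGroup": "tac1", **EMPTY_GROUPS, "uid": "0"}}}]}

if __name__ == "__main__":
    for name, read_back in (("stale", READ_BACK_STALE), ("ok", READ_BACK_OK)):
        print(name, verify(POSTED, read_back))
```
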


    aaaDefaultAcc Properties

    The following table contains information about the aaaDefaultAcc properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    | Property Name | Data Type | Description | Values |
    | --- | --- | --- | --- |
    | accMethodNone | scalar:Bool | No accounting | SELECTION: true or false. DEFAULT: no |
    | localRbac | scalar:Bool | Use Local | SELECTION: true or false. DEFAULT: yes |
    | providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |
    | providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127 |


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Querying AAA Accounting Configuration

    
    GET http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultacc.json
    
    {
    "totalCount": "1",
    "imdata": [
    {
      "aaaDefaultAcc": {
        "attributes": {
          "accMethodNone": "no",
          "childAction": "",
          "descr": "",
          "dn": "sys/userext/authrealm/defaultacc",
          "lcOwn": "local",
          "localRbac": "yes",
          "modTs": "2015-07-02T20:45:51.932+00:00",
          "name": "Accounting",
          "ownerKey": "",
          "ownerTag": "",
          "providerGroup": "",
          "providerGroup2": "",
          "providerGroup3": "",
          "providerGroup4": "",
          "providerGroup5": "",
          "providerGroup6": "",
          "providerGroup7": "",
          "providerGroup8": "",
          "realm": "local",
          "status": "",
          "uid": "0"
    }}}]}
    

    The sys/userext/authrealm/defaultacc object contains the AAA accounting configuration for the switch. Use this API to query the AAA accounting configuration.

    Note: The property information for this example was added in Release 9.3(3).
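
The following added example (not part of the Cisco documentation) reads GET responses in the `imdata` envelope shown above and reports AAA settings a reviewer would want to see. It goes beyond the accounting query to the aaaDefaultAuth, aaaDefaultAuthor, aaaByPassUser and aaaAuthReject objects described on this page. The function names, the second sample response and the treatment of a missing attribute as "no" are assumptions.

```python
import json


def as_bool(value):
    """Map both boolean spellings used on this page to a Python bool.

    JSON (DME) payloads carry "yes"/"no"; XML (YANG) payloads carry "true"/"false".
    """
    text = str(value).strip().lower()
    if text in ("yes", "true"):
        return True
    if text in ("no", "false"):
        return False
    raise ValueError(f"not a DME/YANG boolean: {value!r}")


def walk(mo):
    """Yield (class_name, attributes, children) for an MO and all its descendants."""
    for class_name, body in mo.items():
        children = body.get("children", [])
        yield class_name, body.get("attributes", {}), children
        for child in children:
            yield from walk(child)


def provider_groups(attrs):
    """Return the non-empty providerGroup..providerGroup8 values, in order."""
    keys = ["providerGroup"] + [f"providerGroup{n}" for n in range(2, 9)]
    return [attrs[key] for key in keys if attrs.get(key)]


def audit(response_text):
    """Return (class, property, detail) findings for one GET response body."""
    findings = []
    for top in json.loads(response_text).get("imdata", []):
        for cls, attrs, children in walk(top):
            if cls == "aaaDefaultAuth":
                if as_bool(attrs.get("none", "no")):
                    findings.append((cls, "none", "authentication method 'none' is enabled"))
            elif cls == "aaaDefaultAuthor":
                # Assumption: a missing authorMethodNone means "no".
                if as_bool(attrs.get("authorMethodNone", "no")):
                    cmd_type = attrs.get("cmdType", "config")
                    findings.append((cls, "authorMethodNone",
                                     f"authorization method 'none' is enabled for {cmd_type} commands"))
            elif cls == "aaaDefaultAcc":
                if as_bool(attrs.get("accMethodNone", "no")):
                    findings.append((cls, "accMethodNone", "accounting method 'none' is enabled"))
                elif not provider_groups(attrs):
                    findings.append((cls, "providerGroup",
                                     "no provider group: accounting uses the local method only"))
            elif cls == "aaaByPassUser":
                skipped = [k for k in ("authorization", "accounting")
                           if as_bool(attrs.get(k, "no"))]
                if skipped:
                    findings.append((cls, "userName",
                                     f"{attrs.get('userName')} bypasses {' and '.join(skipped)}"))
            elif cls == "aaaAuthRealm" and children:
                # Only judge absence when the response actually carries children.
                if not any("aaaAuthReject" in child for child in children):
                    findings.append((cls, "aaaAuthReject", "no failed-login limit is configured"))
    return findings


# The response shown on this page for sys/userext/authrealm/defaultacc (abridged).
PAGE_RESPONSE = json.dumps({"totalCount": "1", "imdata": [{"aaaDefaultAcc": {"attributes": {
    "accMethodNone": "no", "dn": "sys/userext/authrealm/defaultacc",
    "localRbac": "yes", "providerGroup": "", "providerGroup2": ""}}}]})

# Constructed response for sys/userext/authrealm that carries child objects.
CONSTRUCTED_RESPONSE = json.dumps({"totalCount": "1", "imdata": [{"aaaAuthRealm": {
    "attributes": {"dn": "sys/userext/authrealm"},
    "children": [
        {"aaaDefaultAuth": {"attributes": {"none": "yes", "local": "no"}}},
        {"aaaDefaultAuthor": {"attributes": {"cmdType": "exec", "authorMethodNone": "yes"}}},
        {"aaaDefaultAcc": {"attributes": {"accMethodNone": "no", "providerGroup": "tac1"}}},
        {"aaaByPassUser": {"attributes": {"userName": "SampleString_123",
                                          "authorization": "yes", "accounting": "yes"}}},
    ]}}]})

if __name__ == "__main__":
    for label, body in (("page", PAGE_RESPONSE), ("constructed", CONSTRUCTED_RESPONSE)):
        for cls, prop, detail in audit(body):
            print(f"[{label}] {cls}.{prop}: {detail}")
```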


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    aaaDefaultAcc | sys/userext/authrealm/defaultacc


    aaaDefaultAcc Properties

    The following table contains information about the aaaDefaultAcc properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    accMethodNone | scalar:Bool | No accounting | SELECTION: true or false; DEFAULT: no
    childAction | mo:ModificationChildAction (scalar:Bitmask32) | Delete or ignore. For internal use only. | SELECTION: 16384u - deleteAll; 4096u - ignore; 8192u - deleteNonPresent; DEFAULT: 0
    descr | pol:Descr | Description of the specified attribute |
    dn | reference:BinRef | A tag or metadata is a non-hierarchical keyword or term assigned to the fabric module. |
    lcOwn | NA | NA | NA
    localRbac | scalar:Bool | Use Local | SELECTION: true or false; DEFAULT: yes
    modTs | mo:TStamp (scalar:Date) | The time when this object was last modified. | SELECTION: 0 - never; DEFAULT: never
    name | pol:ObjName (naming:Name256) | Object name | MAX SIZE: 64
    ownerKey | naming:Descr (string:Basic) | The key for enabling clients to own their data for entity correlation. | MAX SIZE: 128
    ownerTag | naming:Descr1024 (string:Basic) | A tag for enabling clients to add their own data. For example, to indicate who created this object. | MAX SIZE: 64
    providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    realm | aaa:Realm (scalar:Enum8) | Realm | SELECTION: 0 - local; 1 - radius; 2 - tacacs; 3 - ldap; DEFAULT: local
    status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created; 4 - modified; 8 - deleted; 16 - replaced
    uid | scalar:Uint16 | A unique identifier for this object. |


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Authorize EXEC Mode Commands

    
    POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauthor-exec.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaDefaultAuthor": {
              "attributes": {
                "authorMethodNone": "no",
                "cmdType": "exec",
                "localRbac": "yes",
                "providerGroup": "",
                "providerGroup2": "",
                "providerGroup3": "",
                "providerGroup4": "",
                "providerGroup5": "",
                "providerGroup6": "",
                "providerGroup7": "",
                "providerGroup8": ""
    }}}]}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauthor-items>
            <DefaultAuthor-list>
              <cmdType>exec</cmdType>
              <authorMethodNone>false</authorMethodNone>
              <localRbac>true</localRbac>
              <providerGroup></providerGroup>
              <providerGroup2></providerGroup2>
              <providerGroup3></providerGroup3>
              <providerGroup4></providerGroup4>
              <providerGroup5></providerGroup5>
              <providerGroup6></providerGroup6>
              <providerGroup7></providerGroup7>
              <providerGroup8></providerGroup8>
            </DefaultAuthor-list>
          </defaultauthor-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Configures the command authorization method for specific roles on a TACACS+ server. The commands keyword configures authorization sources for all EXEC commands. The default keyword configures command authorization for a non-console session.

    The local method uses the local database for accounting.

    The default method is local, which is used when no server groups are configured or when all the configured server groups fail to respond.


    CLI Commands

    The CLI command below is equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

    aaa authorization commands default local

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    aaaAuthRealm | sys/userext/authrealm
    aaaDefaultAuthor | sys/userext/authrealm/defaultauthor-{cmdType}


    aaaDefaultAuthor Properties

    The following table contains information about the aaaDefaultAuthor properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    authorMethodNone | scalar:Bool | No authorization | SELECTION: true or false
    cmdType | aaa:CmdType (scalar:Enum8) | Type of command for authorization | SELECTION: 0 - config; 1 - exec; DEFAULT: config
    localRbac | scalar:Bool | Use Local RBAC based Authorization | SELECTION: true or false; DEFAULT: yes
    providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Authorize Configuration Mode Commands

    
    POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauthor-config.json
    
    {
      "aaaDefaultAuthor": {
        "attributes": {
          "authorMethodNone": "no",
          "cmdType": "config",
          "localRbac": "yes",
          "providerGroup": "",
          "providerGroup2": "",
          "providerGroup3": "",
          "providerGroup4": "",
          "providerGroup5": "",
          "providerGroup6": "",
          "providerGroup7": "",
          "providerGroup8": ""
    }}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauthor-items>
            <DefaultAuthor-list>
              <cmdType>config</cmdType>
              <authorMethodNone>false</authorMethodNone>
              <localRbac>true</localRbac>
              <providerGroup></providerGroup>
              <providerGroup2></providerGroup2>
              <providerGroup3></providerGroup3>
              <providerGroup4></providerGroup4>
              <providerGroup5></providerGroup5>
              <providerGroup6></providerGroup6>
              <providerGroup7></providerGroup7>
              <providerGroup8></providerGroup8>
            </DefaultAuthor-list>
          </defaultauthor-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Configures the command authorization method for specific roles on a TACACS+ server.

    The commands keyword configures authorization sources for all EXEC commands, and the config-commands keyword configures authorization sources for all configuration commands.


    CLI Commands

    The CLI command below is the equivalent of the payload examples shown above.

    aaa authorization config-commands default local

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    aaaDefaultAuthor | sys/userext/authrealm/defaultauthor-{cmdType}


    aaaDefaultAuthor Properties

    The following table contains information about the aaaDefaultAuthor properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    authorMethodNone | scalar:Bool | No authorization | SELECTION: true or false
    cmdType | aaa:CmdType (scalar:Enum8) | Type of command for authorization | SELECTION: 0 - config; 1 - exec; DEFAULT: config
    localRbac | scalar:Bool | Use Local RBAC based Authorization | SELECTION: true or false; DEFAULT: yes
    providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring the Default Authentication Method

    
    POST http://<IP_Address>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaDefaultAuth": {
              "attributes": {
                "local": "yes",
                "none": "no",
                "providerGroup": "",
                "providerGroup2": "",
                "providerGroup3": "",
                "providerGroup4": "",
                "providerGroup5": "",
                "providerGroup6": "",
                "providerGroup7": "",
                "providerGroup8": ""
    }}}]}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauth-items>
            <local>yes</local>
            <none>no</none>
            <providerGroup></providerGroup>
            <providerGroup2></providerGroup2>
            <providerGroup3></providerGroup3>
            <providerGroup4></providerGroup4>
            <providerGroup5></providerGroup5>
            <providerGroup6></providerGroup6>
            <providerGroup7></providerGroup7>
            <providerGroup8></providerGroup8>
          </defaultauth-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Enables the default authentication.


    CLI Commands

    The CLI command below is equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

    aaa authentication login default local

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    aaaAuthRealm | sys/userext/authrealm
    aaaDefaultAuth | sys/userext/authrealm/defaultauth


    aaaDefaultAuth Properties

    The following table contains information about the aaaDefaultAuth properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    local | aaa:Boolean (scalar:Enum8) | Use local username authentication | SELECTION: 0 - no; 1 - yes; DEFAULT: yes
    none | aaa:Boolean (scalar:Enum8) | No authentication | SELECTION: 0 - no; 1 - yes; DEFAULT: no
    providerGroup | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup2 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup3 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup4 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup5 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup6 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup7 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127
    providerGroup8 | aaa:ProviderGroupName (string:Basic) | Provider Group | MAX SIZE: 127


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Enabling Login Authentication Failure Messages

    
    POST http://<IP_Address>/api/node/mo/sys/userext.json
    
    {
     "aaaUserEp": {
       "children": [
        {
          "aaaAuthRealm": {
            "children": [
              {
                "aaaDefaultAuth": {
                  "attributes": {
                    "errEn": "yes"
    }}}]}}]}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauth-items>
            <errEn>true</errEn>
          </defaultauth-items>
        </authrealm-items>
      </userext-items>
    </System>
    


    CLI Commands

    The CLI command below is equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form. The command enables failure messages for login authentication.

    aaa authentication login error-enable

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    aaaUserEp | sys/userext
    aaaAuthRealm | sys/userext/authrealm
    aaaDefaultAuth | sys/userext/authrealm/defaultauth


    aaaDefaultAuth Properties

    The following table contains information about the aaaDefaultAuth properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    errEn | scalar:Bool | Enable display of error message on login failures | SELECTION: true or false; DEFAULT: no


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Enabling MS-CHAP Authentication

    
    POST http://<IP_Address>/api/mo/sys/userext/authrealm.json
    
    {
     "aaaAuthRealm": {
        "children": [
          {
            "aaaDefaultAuth": {
              "attributes": {
                "authProtocol": "mschap"
    }}}]}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauth-items>
            <authProtocol>mschap</authProtocol>
          </defaultauth-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Enables MSCHAP or MSCHAP V2 authentication. The default is disabled.

    Note: You cannot enable both MSCHAP and MSCHAP V2 on your Cisco NX-OS device.


    CLI Commands

    The CLI command below is equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

    aaa authentication login mschap enable

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    aaaAuthRealm | sys/userext/authrealm
    aaaDefaultAuth | sys/userext/authrealm/defaultauth


    aaaDefaultAuth Properties

    The following table contains information about the aaaDefaultAuth properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    authProtocol | aaa:authenticationProtocol (scalar:Enum8) | Authentication Protocol | SELECTION: 0 - pap; 1 - chap; 2 - mschap; 3 - mschapv2; 4 - ascii; DEFAULT: pap


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Enabling ASCII Authentication

    
    POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauth.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaDefaultAuth": {
              "attributes": {
                "authProtocol": "ascii"
    }}}]}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauth-items>
            <authProtocol>ascii</authProtocol>
          </defaultauth-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Enables ASCII authentication. The default is disabled.


    CLI Commands

    The CLI command below is the equivalent of the payload examples shown above.

    aaa authentication login ascii-authentication

    Note: The property information for this example was added in Release 9.3(3).


    Verifying a DME Configuration
    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    aaaAuthRealm | sys/userext/authrealm
    aaaDefaultAuth | sys/userext/authrealm/defaultauth


    aaaDefaultAuth Properties

    The following table contains information about the aaaDefaultAuth properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    authProtocol | aaa:authenticationProtocol (scalar:Enum8) | Authentication Protocol | SELECTION: 0 - pap; 1 - chap; 2 - mschap; 3 - mschapv2; 4 - ascii; DEFAULT: pap


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring the Max Number of Failed Attempts

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaAuthReject": {
              "attributes": {
                "blockTime": "45655",
                "failAttempt": "45655",
                "timeIntervel": "45655"
    }}}]}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <authreject-items>
            <blockTime>45655</blockTime>
            <failAttempt>45655</failAttempt>
            <timeIntervel>45655</timeIntervel>
          </authreject-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

    aaa authentication rejected 45655 in 45655 ban 45655


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    aaaAuthRealm | sys/userext/authrealm
    aaaAuthReject | sys/userext/authrealm/authreject


    aaaAuthReject Properties

    The following table contains information about the aaaAuthReject properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    blockTime | scalar:Uint16 | Block time period in seconds | RANGE: [0 , 65535]
    failAttempt | scalar:Uint16 | Maximum number of failed attempts | RANGE: [0 , 65535]
    timeIntervel | scalar:Uint16 | Time period for failed attempts | RANGE: [0 , 65535]


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Deleting the Max Number of Failed Attempts

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaAuthReject": {
              "attributes": {
                "status": "deleted"
    }}}]}}
    
    {
      "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <authreject-items nc:operation="delete">
          </authreject-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

    no aaa authentication rejected 45655 in 45655 ban 45655
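
The two aaaAuthReject requests above (configure and delete) can be generated and then checked with the GET described under "Verifying a DME Configuration". The following is an added example, not Cisco's code: the function names and both GET responses are constructed, and the CLI argument order (attempts, interval, ban time) and the empty `imdata` for an absent object are assumptions.

```python
import json

UINT16_MAX = 65535  # RANGE: [0 , 65535] in the aaaAuthReject property table


def uint16_str(name, value):
    """Validate against the documented Uint16 range and serialize as a string."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"{name} must be an int, got {type(value).__name__}")
    if not 0 <= value <= UINT16_MAX:
        raise ValueError(f"{name}={value} is outside [0, {UINT16_MAX}]")
    return str(value)  # the page's payload carries these numbers as strings


def wrap(attributes):
    """Nest aaaAuthReject attributes under aaaAuthRealm, as the page's POST bodies do."""
    return {"aaaAuthRealm": {"children": [{"aaaAuthReject": {"attributes": attributes}}]}}


def configure_payload(fail_attempt, time_interval, block_time):
    """Body for POST .../api/mo/sys/userext/authrealm.json that sets the limit."""
    return wrap({
        "blockTime": uint16_str("blockTime", block_time),
        "failAttempt": uint16_str("failAttempt", fail_attempt),
        "timeIntervel": uint16_str("timeIntervel", time_interval),  # model's spelling
    })


def delete_payload():
    """Body for the same URL that removes the aaaAuthReject object."""
    return wrap({"status": "deleted"})


def configure_cli(fail_attempt, time_interval, block_time):
    """Equivalent CLI line; the argument order is an assumption (see lead-in)."""
    for name, value in (("failAttempt", fail_attempt), ("timeIntervel", time_interval),
                        ("blockTime", block_time)):
        uint16_str(name, value)
    return f"aaa authentication rejected {fail_attempt} in {time_interval} ban {block_time}"


def verify(get_response_text, payload):
    """Compare a GET of sys/userext/authrealm/authreject with what was posted.

    Returns {property: (wanted, found)}; an empty dict means the switch matches.
    """
    wanted = payload["aaaAuthRealm"]["children"][0]["aaaAuthReject"]["attributes"]
    imdata = json.loads(get_response_text).get("imdata", [])
    found = imdata[0]["aaaAuthReject"]["attributes"] if imdata else None
    if wanted.get("status") == "deleted":
        return {} if found is None else {"aaaAuthReject": ("absent", "present")}
    if found is None:
        return {"aaaAuthReject": ("present", "absent")}
    return {k: (v, found.get(k)) for k, v in wanted.items() if found.get(k) != v}


# Constructed GET responses (not captured from a switch).
GET_AFTER_CONFIGURE = json.dumps({"totalCount": "1", "imdata": [{"aaaAuthReject": {
    "attributes": {"blockTime": "600", "dn": "sys/userext/authrealm/authreject",
                   "failAttempt": "3", "timeIntervel": "60"}}}]})
GET_AFTER_DELETE = json.dumps({"totalCount": "0", "imdata": []})  # assumed shape

if __name__ == "__main__":
    desired = configure_payload(fail_attempt=3, time_interval=60, block_time=300)
    print(json.dumps(desired, indent=2))
    print(configure_cli(3, 60, 300))
    print("drift:", verify(GET_AFTER_CONFIGURE, desired))
    print("delete verified:", verify(GET_AFTER_DELETE, delete_payload()) == {})
```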


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    aaaAuthRealm | sys/userext/authrealm
    aaaAuthReject | sys/userext/authrealm/authreject


    aaaAuthReject Properties

    The following table contains information about the aaaAuthReject properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created; 4 - modified; 8 - deleted; 16 - replaced


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring Authorization and Accounting Bypass

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaByPassUser": {
              "attributes": {
                "accounting": "yes",
                "authorization": "yes",
                "userName": "SampleString_123"
    }}}]}}
    
    {
        "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <bypassuser-items>
            <ByPassUser-list>
              <userName>SampleString_123</userName>
              <accounting>true</accounting>
              <authorization>true</authorization>
            </ByPassUser-list>
          </bypassuser-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    aaa bypass-user SampleString_123 authorization accounting


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    --- | ---
    aaaAuthRealm | sys/userext/authrealm
    aaaByPassUser | sys/userext/authrealm/bypassuser-SampleString_123


    aaaByPassUser Properties

    The following table contains information about the aaaByPassUser properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    --- | --- | --- | ---
    accounting | scalar:Bool | Bypass AAA accounting | SELECTION: true or false
    authorization | scalar:Bool | Bypass AAA authorization | SELECTION: true or false
    userName | string:Basic | Username to include for bypassing AAA | RANGE: [1, 28]


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Deleting Authorization and Accounting Bypass

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaByPassUser": {
              "attributes": {
                "accounting": "no",
                "authorization": "no",
                "userName": "SampleString_123"
    }}}]}}
    
    {
        "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <bypassuser-items>
            <ByPassUser-list>
              <userName>SampleString_123</userName>
              <accounting>false</accounting>
              <authorization>false</authorization>
            </ByPassUser-list>
          </bypassuser-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    no aaa bypass-user SampleString_123 authorization accounting


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    --- | ---
    aaaAuthRealm | sys/userext/authrealm
    aaaByPassUser | sys/userext/authrealm/bypassuser-SampleString_123


    aaaByPassUser Properties

    The following table contains information about the aaaByPassUser properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    --- | --- | --- | ---
    accounting | scalar:Bool | Bypass AAA accounting | SELECTION: true or false
    authorization | scalar:Bool | Bypass AAA authorization | SELECTION: true or false
    userName | string:Basic | Username to include for bypassing AAA | RANGE: [1, 28]


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring Invalid Username Log

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaDefaultAuth": {
              "attributes": {
                "invalidUserLog": "yes"
    }}}]}}
    
    {
        "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauth-items>
            <invalidUserLog>true</invalidUserLog>
          </defaultauth-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    aaa authentication login invalid-username-log


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    --- | ---
    aaaAuthRealm | sys/userext/authrealm
    aaaDefaultAuth | sys/userext/authrealm/defaultauth


    aaaDefaultAuth Properties

    The following table contains information about the aaaDefaultAuth properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    --- | --- | --- | ---
    invalidUserLog | scalar:Bool | Enable logging for invalid users | SELECTION: true or false; DEFAULT: no


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Deleting Invalid Username Log

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaDefaultAuth": {
              "attributes": {
                "invalidUserLog": "no"
    }}}]}}
    
    {
        "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <defaultauth-items>
            <invalidUserLog>false</invalidUserLog>
          </defaultauth-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    no aaa authentication login invalid-username-log


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    --- | ---
    aaaAuthRealm | sys/userext/authrealm
    aaaDefaultAuth | sys/userext/authrealm/defaultauth


    aaaDefaultAuth Properties

    The following table contains information about the aaaDefaultAuth properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    --- | --- | --- | ---
    invalidUserLog | scalar:Bool | Enable logging for invalid users | SELECTION: true or false; DEFAULT: no


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring Syslogs for Failed Logins

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaLoginStatusLogging": {
              "attributes": {
                "enableLoginFailureLogging": "yes"
    }}}]}}
    
    {
        "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <loginstatuslogging-items>
            <enableLoginFailureLogging>true</enableLoginFailureLogging>
          </loginstatuslogging-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    login on-failure log


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    --- | ---
    aaaAuthRealm | sys/userext/authrealm
    aaaLoginStatusLogging | sys/userext/authrealm/loginstatuslogging


    aaaLoginStatusLogging Properties

    The following table contains information about the aaaLoginStatusLogging properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    --- | --- | --- | ---
    enableLoginFailureLogging | scalar:Bool | Syslog message on failed login attempt | SELECTION: true or false


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Deleting Syslogs for Failed Logins

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaLoginStatusLogging": {
              "attributes": {
                "enableLoginFailureLogging": "no"
    }}}]}}
    
    {
        "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <loginstatuslogging-items>
            <enableLoginFailureLogging>false</enableLoginFailureLogging>
          </loginstatuslogging-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    no login on-failure log


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    --- | ---
    aaaAuthRealm | sys/userext/authrealm
    aaaLoginStatusLogging | sys/userext/authrealm/loginstatuslogging


    aaaLoginStatusLogging Properties

    The following table contains information about the aaaLoginStatusLogging properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    --- | --- | --- | ---
    enableLoginFailureLogging | scalar:Bool | Syslog message on failed login attempt | SELECTION: true or false


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Configuring Syslogs for Successful Logins

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaLoginStatusLogging": {
              "attributes": {
                "enableLoginSuccessLogging": "yes"
    }}}]}}
    
    {
        "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <loginstatuslogging-items>
            <enableLoginSuccessLogging>true</enableLoginSuccessLogging>
          </loginstatuslogging-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    login on-success log


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    --- | ---
    aaaAuthRealm | sys/userext/authrealm
    aaaLoginStatusLogging | sys/userext/authrealm/loginstatuslogging


    aaaLoginStatusLogging Properties

    The following table contains information about the aaaLoginStatusLogging properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    --- | --- | --- | ---
    enableLoginSuccessLogging | scalar:Bool | Syslog message on successful login attempt | SELECTION: true or false


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

    Deleting Syslogs for Successful Logins

    
    POST http://<mgmt0_IP>/api/mo/sys/userext/authrealm.json
    
    {
      "aaaAuthRealm": {
        "children": [
          {
            "aaaLoginStatusLogging": {
              "attributes": {
                "enableLoginSuccessLogging": "no"
    }}}]}}
    
    {
        "imdata": []
    }
    
    <System>
      <userext-items>
        <authrealm-items>
          <loginstatuslogging-items>
            <enableLoginSuccessLogging>false</enableLoginSuccessLogging>
          </loginstatuslogging-items>
        </authrealm-items>
      </userext-items>
    </System>
    

    Note: This example was added in Release 9.3(3).


    CLI Commands

    The CLI command below is equivalent to the payload examples shown above: the JSON payload is the DME form and the XML payload is the YANG form.

    no login on-success log


    Verifying a DME Configuration

    The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

    MO | DN
    --- | ---
    aaaAuthRealm | sys/userext/authrealm
    aaaLoginStatusLogging | sys/userext/authrealm/loginstatuslogging


    aaaLoginStatusLogging Properties

    The following table contains information about the aaaLoginStatusLogging properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

    Property Name | Data Type | Description | Values
    --- | --- | --- | ---
    enableLoginSuccessLogging | scalar:Bool | Syslog message on successful login attempt | SELECTION: true or false


    Related Documentation

    For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

    http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

    See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

    https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

    For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

    https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
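
The verification step described in the sections above (a GET on the DN), as an added example that is not Cisco's code: it audits an aaaAuthRealm response for the settings this page configures, namely bypass users, the three login-logging switches and the failed-attempt limit. The response shape, the sample data and the function names are assumptions modelled on the page's POST payloads, and the GET is assumed to have been issued with child objects included (for example with the rsp-subtree=full query option).

```python
import json

# Constructed sample (not captured from a device): the shape assumed for a GET on
# sys/userext/authrealm with child objects included, modelled on the page's payloads.
SAMPLE_RESPONSE = json.dumps({"imdata": [{"aaaAuthRealm": {
    "attributes": {"dn": "sys/userext/authrealm"},
    "children": [
        {"aaaDefaultAuth": {"attributes": {"invalidUserLog": "no"}}},
        {"aaaLoginStatusLogging": {"attributes": {
            "enableLoginFailureLogging": "yes",
            "enableLoginSuccessLogging": "no"}}},
        {"aaaByPassUser": {"attributes": {
            "userName": "SampleString_123",
            "authorization": "yes",
            "accounting": "no"}}},
    ]}}]})

# The JSON payloads on the page use yes/no, the property tables say true/false.
TRUTHY = {"yes", "true"}

# Logging switches that should be on: (class, property, equivalent CLI from the page).
REQUIRED_LOGGING = [
    ("aaaDefaultAuth", "invalidUserLog", "aaa authentication login invalid-username-log"),
    ("aaaLoginStatusLogging", "enableLoginFailureLogging", "login on-failure log"),
    ("aaaLoginStatusLogging", "enableLoginSuccessLogging", "login on-success log"),
]


def _attrs(realm, cls):
    """Return the attribute dicts of every child of class `cls`."""
    return [c[cls].get("attributes", {}) for c in realm.get("children", []) if cls in c]


def _on(attrs, prop):
    """True when a scalar:Bool property is set, in either spelling."""
    return str(attrs.get(prop, "")).lower() in TRUTHY


def audit_authrealm(response_text):
    """Return a list of findings for one aaaAuthRealm GET response."""
    imdata = json.loads(response_text).get("imdata", [])
    realms = [e["aaaAuthRealm"] for e in imdata if "aaaAuthRealm" in e]
    if not realms:
        # An empty imdata is what a POST returns; it verifies nothing.
        return ["aaaAuthRealm not in response: nothing verified"]
    findings = []
    for realm in realms:
        # Any user that skips authorization or accounting leaves no AAA trail.
        for user in _attrs(realm, "aaaByPassUser"):
            skipped = [p for p in ("authorization", "accounting") if _on(user, p)]
            if skipped:
                findings.append("bypass-user %s skips %s"
                                % (user.get("userName", "?"), "+".join(skipped)))
        for cls, prop, cli in REQUIRED_LOGGING:
            if not any(_on(a, prop) for a in _attrs(realm, cls)):
                findings.append("%s.%s not enabled (CLI: %s)" % (cls, prop, cli))
        # Assumption: an absent aaaAuthReject child means no failed-attempt limit is set.
        if not _attrs(realm, "aaaAuthReject"):
            findings.append("aaaAuthReject absent: no failed-attempt limit")
    return findings


if __name__ == "__main__":
    for line in audit_authrealm(SAMPLE_RESPONSE):
        print(line)
```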