Configuring and Querying AAA Information
This section uses payloads and CLIs to demonstrate how to configure AAA.
Setting AAA Authentication Configuration
POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauth.json
{
"aaaDefaultAuth": {
"attributes": {
"authProtocol": "pap",
"childAction": "",
"descr": "",
"dn": "sys/userext/authrealm/defaultauth",
"errEn": "no",
"fallback": "yes",
"lcOwn": "local",
"local": "no",
"modTs": "2015-04-11T11:20:05.347+00:00",
"name": "",
"none": "no",
"ownerKey": "",
"ownerTag": "",
"providerGroup": "tac1",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": "",
"realm": "local",
"status": "",
"uid": "0"
}}}
{
"imdata": []
}
Enables ASCII authentication. The default is disabled.
The /sys/userext/authrealm/defaultauth object contains the AAA authentication configuration for the switch. Using this API, you can set the AAA authentication configuration on the switch.
CLI Commands
The CLI command below is the equivalent of the payload example above.
aaa authentication login default group tac1
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide: https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Querying AAA Authentication Configuration
GET http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauth.json
{
"totalCount": "1",
"imdata": [
{
"aaaDefaultAuth": {
"attributes": {
"authProtocol": "pap",
"childAction": "",
"descr": "",
"dn": "sys/userext/authrealm/defaultauth",
"errEn": "no",
"fallback": "yes",
"lcOwn": "local",
"local": "yes",
"modTs": "2015-07-06T22:15:33.689+00:00",
"name": "",
"none": "no",
"ownerKey": "",
"ownerTag": "",
"providerGroup": "",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": "",
"realm": "local",
"status": "",
"uid": "0"
}}}]}
The /sys/userext/authrealm/defaultauth object contains the AAA authentication configuration for the switch. Using this API, you can query the AAA authentication configuration on the switch.
Setting AAA Authorization Configuration (config-commands)
POST http://<IP_Address>/api/mo/sys/userext/authrealm.json
{
"aaaAuthRealm": {
"children": [
{
"aaaDefaultAuthor": {
"attributes": {
"authorMethodNone": "no",
"cmdType": "config",
"localRbac": "no",
"providerGroup": "tac1",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": ""
}}}]}}
<System>
<userext-items>
<authrealm-items>
<defaultauthor-items>
<DefaultAuthor-list>
<cmdType>config</cmdType>
<authorMethodNone>false</authorMethodNone>
<localRbac>false</localRbac>
<providerGroup>tac1</providerGroup>
<providerGroup2></providerGroup2>
<providerGroup3></providerGroup3>
<providerGroup4></providerGroup4>
<providerGroup5></providerGroup5>
<providerGroup6></providerGroup6>
<providerGroup7></providerGroup7>
<providerGroup8></providerGroup8>
</DefaultAuthor-list>
</defaultauthor-items>
</authrealm-items>
</userext-items>
</System>
Sets the AAA authorization configuration.
If AAA authorization is configured on the switch, the /sys/userext/authrealm/ object contains one or more authorization objects that enable AAA authorization for the switch. Using this API you can set AAA authorization configuration on the switch.
CLI Commands
The CLI command below is equivalent to the payload examples above. The JSON payload is the DME form; the XML payload is the YANG form.
aaa authorization config-commands default group tac1
Setting AAA Authorization Configuration (commands)
POST http://<IP_Address>/api/node/mo/sys/userext/authrealm.json
{
"aaaAuthRealm": {
"children": [
{
"aaaDefaultAuthor": {
"attributes": {
"authorMethodNone": "no",
"cmdType": "exec",
"localRbac": "no",
"providerGroup": "tac1",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": ""
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<authrealm-items>
<defaultauthor-items>
<DefaultAuthor-list>
<cmdType>exec</cmdType>
<authorMethodNone>false</authorMethodNone>
<localRbac>false</localRbac>
<providerGroup>tac1</providerGroup>
<providerGroup2></providerGroup2>
<providerGroup3></providerGroup3>
<providerGroup4></providerGroup4>
<providerGroup5></providerGroup5>
<providerGroup6></providerGroup6>
<providerGroup7></providerGroup7>
<providerGroup8></providerGroup8>
</DefaultAuthor-list>
</defaultauthor-items>
</authrealm-items>
</userext-items>
</System>
Configures the command authorization method for specific roles on a TACACS+ server. The commands keyword configures authorization sources for all EXEC commands. The default keyword configures command authorization for a non-console session.
Note: This example was added in Release 7.0(3)I7(2).
CLI Commands
The CLI command below is equivalent to the payload examples above. The JSON payload is the DME form; the XML payload is the YANG form.
aaa authorization commands default group tac1
Querying AAA Authorization Configuration
GET http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauthor-1.json
{
"totalCount": "1",
"imdata": [
{
"aaaDefaultAuthor": {
"attributes": {
"authorMethodNone": "no",
"childAction": "",
"cmdType": "exec",
"descr": "",
"dn": "sys/userext/authrealm/defaultauthor-exec",
"lcOwn": "local",
"localRbac": "no",
"modTs": "2015-06-25T01:50:06.232+00:00",
"name": "Author",
"ownerKey": "",
"ownerTag": "",
"providerGroup": "",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": "",
"realm": "tacacs",
"status": "",
"uid": "0"
}}}]}
The /sys/userext/authrealm/defaultrealm object contains one or more authorization objects that enable AAA authorization for the switch.
Using this API you can query AAA authorization configuration on the switch.
Setting AAA Accounting Configuration
POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultacc.json
{
"aaaAuthRealm": {
"children": [
{
"aaaDefaultAcc": {
"attributes": {
"accMethodNone": "no",
"localRbac": "no",
"providerGroup": "tac1",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": ""
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<authrealm-items>
<defaultacc-items>
<accMethodNone>false</accMethodNone>
<localRbac>false</localRbac>
<providerGroup>tac1</providerGroup>
<providerGroup2></providerGroup2>
<providerGroup3></providerGroup3>
<providerGroup4></providerGroup4>
<providerGroup5></providerGroup5>
<providerGroup6></providerGroup6>
<providerGroup7></providerGroup7>
<providerGroup8></providerGroup8>
</defaultacc-items>
</authrealm-items>
</userext-items>
</System>
CLI Commands
Configures the default accounting method. The CLI command below is equivalent to the payload examples above. The JSON payload is the DME form; the XML payload is the YANG form.
aaa accounting default group tac1
Enabling AAA Accounting
POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultacc.json
{
"aaaAuthRealm": {
"children": [
{
"aaaDefaultAcc": {
"attributes": {
"accMethodNone": "no",
"localRbac": "yes",
"providerGroup": "",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": ""
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<authrealm-items>
<defaultacc-items>
<accMethodNone>false</accMethodNone>
<localRbac>true</localRbac>
<providerGroup></providerGroup>
<providerGroup2></providerGroup2>
<providerGroup3></providerGroup3>
<providerGroup4></providerGroup4>
<providerGroup5></providerGroup5>
<providerGroup6></providerGroup6>
<providerGroup7></providerGroup7>
<providerGroup8></providerGroup8>
</defaultacc-items>
</authrealm-items>
</userext-items>
</System>
CLI Commands
Configures the default accounting method. The CLI command below is equivalent to the payload examples above. The JSON payload is the DME form; the XML payload is the YANG form.
aaa accounting default local
Querying AAA Accounting Configuration
GET http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultacc.json
{
"totalCount": "1",
"imdata": [
{
"aaaDefaultAcc": {
"attributes": {
"accMethodNone": "no",
"childAction": "",
"descr": "",
"dn": "sys/userext/authrealm/defaultacc",
"lcOwn": "local",
"localRbac": "yes",
"modTs": "2015-07-02T20:45:51.932+00:00",
"name": "Accounting",
"ownerKey": "",
"ownerTag": "",
"providerGroup": "",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": "",
"realm": "local",
"status": "",
"uid": "0"
}}}]}
The /sys/userext/authrealm/defaultacc object contains the AAA accounting configuration for the switch. Using this API, you can query the AAA accounting configuration.
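An added example, not part of the Cisco documentation: a Python audit of the parsed JSON returned by the query calls on this page. It lists the configured method order for each AAA object, rebuilds the CLI line from the payload/CLI pairs shown here, and flags drift. The names `audit_aaa` and `required_group` and the finding labels are introduced for this example, and the sample response is constructed from the query output above.

```python
import json

# CLI prefixes, paired with DME classes as in the payload/CLI pairs on this page.
CLI_PREFIX = {
    ("aaaDefaultAuth", None): "aaa authentication login default",
    ("aaaDefaultAuthor", "exec"): "aaa authorization commands default",
    ("aaaDefaultAuthor", "config"): "aaa authorization config-commands default",
    ("aaaDefaultAcc", None): "aaa accounting default",
}
# Per class: the attribute selecting the local database and the "none" method.
LOCAL_ATTR = {"aaaDefaultAuth": "local", "aaaDefaultAuthor": "localRbac",
              "aaaDefaultAcc": "localRbac"}
NONE_ATTR = {"aaaDefaultAuth": "none", "aaaDefaultAuthor": "authorMethodNone",
             "aaaDefaultAcc": "accMethodNone"}
GROUP_KEYS = ["providerGroup"] + [f"providerGroup{i}" for i in range(2, 9)]


def audit_aaa(response, required_group=None):
    """Summarize each AAA object in a parsed DME GET response.

    required_group is a hypothetical policy input: the server group every
    switch is expected to list (for example "tac1").
    """
    results = []
    for mo in response.get("imdata", []):
        for cls, body in mo.items():
            if cls not in LOCAL_ATTR:
                continue  # not one of the three AAA default classes
            attrs = body.get("attributes", {})
            groups = [attrs[k] for k in GROUP_KEYS if attrs.get(k)]
            methods = []
            if groups:
                methods.append("group " + " ".join(groups))
            if attrs.get(LOCAL_ATTR[cls]) == "yes":
                methods.append("local")
            if attrs.get(NONE_ATTR[cls]) == "yes":
                methods.append("none")
            findings = []
            if "none" in methods:
                findings.append("none-method-enabled")
            if not groups:
                findings.append("no-remote-group")
            elif required_group and required_group not in groups:
                findings.append("missing-group:" + required_group)
            cmd_type = attrs.get("cmdType") if cls == "aaaDefaultAuthor" else None
            prefix = CLI_PREFIX.get((cls, cmd_type), cls)
            results.append({
                "dn": attrs.get("dn", ""),
                # Matches the page's CLI for single-method cases; for longer
                # method lists treat it as a readable summary, not verified CLI.
                "cli": (prefix + " " + " ".join(methods)).strip(),
                "findings": findings,
            })
    return results


# Constructed sample: the authentication query response above, trimmed, plus a
# constructed authorization object that points at a server group.
SAMPLE = json.loads("""
{"totalCount": "2", "imdata": [
 {"aaaDefaultAuth": {"attributes": {"authProtocol": "pap",
   "dn": "sys/userext/authrealm/defaultauth", "fallback": "yes",
   "local": "yes", "none": "no", "providerGroup": ""}}},
 {"aaaDefaultAuthor": {"attributes": {"authorMethodNone": "no",
   "cmdType": "config", "dn": "sys/userext/authrealm/defaultauthor-config",
   "localRbac": "no", "providerGroup": "tac1"}}}]}
""")

if __name__ == "__main__":
    for row in audit_aaa(SAMPLE, required_group="tac1"):
        print(row["dn"], "|", row["cli"], "|", ", ".join(row["findings"]) or "ok")
```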
Authorize EXEC Mode Commands
POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauthor-exec.json
{
"aaaAuthRealm": {
"children": [
{
"aaaDefaultAuthor": {
"attributes": {
"authorMethodNone": "no",
"cmdType": "exec",
"localRbac": "yes",
"providerGroup": "",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": ""
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<authrealm-items>
<defaultauthor-items>
<DefaultAuthor-list>
<cmdType>exec</cmdType>
<authorMethodNone>false</authorMethodNone>
<localRbac>true</localRbac>
<providerGroup></providerGroup>
<providerGroup2></providerGroup2>
<providerGroup3></providerGroup3>
<providerGroup4></providerGroup4>
<providerGroup5></providerGroup5>
<providerGroup6></providerGroup6>
<providerGroup7></providerGroup7>
<providerGroup8></providerGroup8>
</DefaultAuthor-list>
</defaultauthor-items>
</authrealm-items>
</userext-items>
</System>
Configures the command authorization method for specific roles on a TACACS+ server. The commands keyword configures authorization sources for all EXEC commands. The default keyword configures command authorization for a non-console session.
The local method uses the local database for accounting.
The default method is local, which is used when no server groups are configured or when all the configured server groups fail to respond.
CLI Commands
The CLI command below is equivalent to the payload examples above. The JSON payload is the DME form; the XML payload is the YANG form.
aaa authorization commands default local
Authorize Configuration Mode Commands
POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauthor-config.json
{
"aaaDefaultAuthor": {
"attributes": {
"authorMethodNone": "no",
"cmdType": "config",
"localRbac": "yes",
"providerGroup": "",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": ""
}}}
{
"imdata": []
}
<System>
<userext-items>
<authrealm-items>
<defaultauthor-items>
<DefaultAuthor-list>
<cmdType>config</cmdType>
<authorMethodNone>false</authorMethodNone>
<localRbac>true</localRbac>
<providerGroup></providerGroup>
<providerGroup2></providerGroup2>
<providerGroup3></providerGroup3>
<providerGroup4></providerGroup4>
<providerGroup5></providerGroup5>
<providerGroup6></providerGroup6>
<providerGroup7></providerGroup7>
<providerGroup8></providerGroup8>
</DefaultAuthor-list>
</defaultauthor-items>
</authrealm-items>
</userext-items>
</System>
Configures the command authorization method for specific roles on a TACACS+ server.
The commands keyword configures authorization sources for all EXEC commands, and the config-commands keyword configures authorization sources for all configuration commands.
CLI Commands
The CLI command below is the equivalent of the payload examples above.
aaa authorization config-commands default local
Configuring the Default Authentication Method
POST http://<IP_Address>/api/mo/sys/userext/authrealm.json
{
"aaaAuthRealm": {
"children": [
{
"aaaDefaultAuth": {
"attributes": {
"local": "yes",
"none": "no",
"providerGroup": "",
"providerGroup2": "",
"providerGroup3": "",
"providerGroup4": "",
"providerGroup5": "",
"providerGroup6": "",
"providerGroup7": "",
"providerGroup8": ""
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<authrealm-items>
<defaultauth-items>
<local>yes</local>
<none>no</none>
<providerGroup></providerGroup>
<providerGroup2></providerGroup2>
<providerGroup3></providerGroup3>
<providerGroup4></providerGroup4>
<providerGroup5></providerGroup5>
<providerGroup6></providerGroup6>
<providerGroup7></providerGroup7>
<providerGroup8></providerGroup8>
</defaultauth-items>
</authrealm-items>
</userext-items>
</System>
Enables the default authentication.
CLI Commands
The CLI command below is equivalent to the payload examples above. The JSON payload is the DME form; the XML payload is the YANG form.
aaa authentication login default local
Enabling Login Authentication Failure Messages
POST http://<IP_Address>/api/node/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaAuthRealm": {
"children": [
{
"aaaDefaultAuth": {
"attributes": {
"errEn": "yes"
}}}]}}]}}
{
"imdata": []
}
<System>
<userext-items>
<authrealm-items>
<defaultauth-items>
<errEn>true</errEn>
</defaultauth-items>
</authrealm-items>
</userext-items>
</System>
CLI Commands
Enables failure messages for login authentication. The CLI command below is equivalent to the payload examples above. The JSON payload is the DME form; the XML payload is the YANG form.
aaa authentication login error-enable
Enabling MS-CHAP Authentication
POST http://<IP_Address>/api/mo/sys/userext/authrealm.json
{
"aaaAuthRealm": {
"children": [
{
"aaaDefaultAuth": {
"attributes": {
"authProtocol": "mschap"
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<authrealm-items>
<defaultauth-items>
<authProtocol>mschap</authProtocol>
</defaultauth-items>
</authrealm-items>
</userext-items>
</System>
Enables MSCHAP or MSCHAP V2 authentication. The default is disabled.
Note: You cannot enable both MSCHAP and MSCHAP V2 on your Cisco NX-OS device.
CLI Commands
The CLI command below is equivalent to the payload examples above. The JSON payload is the DME form; the XML payload is the YANG form.
aaa authentication login mschap enable
Enabling ASCII Authentication
POST http://<IP_Address>/api/node/mo/sys/userext/authrealm/defaultauth.json
{
"aaaAuthRealm": {
"children": [
{
"aaaDefaultAuth": {
"attributes": {
"authProtocol": "ascii"
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<authrealm-items>
<defaultauth-items>
<authProtocol>ascii</authProtocol>
</defaultauth-items>
</authrealm-items>
</userext-items>
</System>
Enables ASCII authentication. The default is disabled.
CLI Commands
The CLI command below is the equivalent of the payload examples above.
aaa authentication login ascii-authentication