AAA

AAA (Authentication, Authorization, and Accounting) on NX-OS encompasses TACACS+ server integration for centralized device management access and local user account management with role-based access control. TACACS+ configuration includes shared secret keys with encryption, timeout/retry/deadtime settings, source interface binding, individual server definitions with per-server authentication protocols (PAP, CHAP, MSCHAP, MSCHAPv2, ASCII), idle-time testing, and server groups with VRF-aware source interfaces. User management provides password strength policies, secure mode, passphrase length/lifetime/gracetime/warntime constraints, maximum concurrent login sessions, and individual user accounts with role assignments, password encryption types (clear, encrypt, pbkdf2, scrypt), account expiration, and shell type selection.

Diagram

Classes

configuration (nxos.devices)

Name	Type	Constraint	Mandatory	Default Value
aaa	Class	`[aaa]`	No

aaa (nxos.devices.configuration)

Name	Type	Constraint	Mandatory	Default Value
tacacs	Class	`[tacacs]`	No
users	Class	`[users]`	No

tacacs (nxos.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
deadtime	Integer	min: `0`, max: `1440`	No
description	String		No
key	String		No
key_encryption	Choice	`0`, `6`, `7`	No
retries	Integer	min: `0`, max: `5`	No
source_interface_type	Choice	`ethernet`, `loopback`, `mgmt`, `port-channel`, `vlan`, `vni`	No
source_interface_id	String		No
timeout	Integer	min: `1`, max: `60`	No
servers	List	`[servers]`	No
server_groups	List	`[server_groups]`	No

users (nxos.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
password_strength_check	Boolean	`true`, `false`	No
password_secure_mode	Boolean	`true`, `false`	No
service_password_recovery	Boolean	`true`, `false`	No
max_logins	Integer	min: `0`, max: `7`	No
description	String		No
userpassphrase	Class	`[userpassphrase]`	No
accounts	List	`[accounts]`	No

servers (nxos.devices.configuration.aaa.tacacs)

Name	Type	Constraint	Mandatory
host	String		Yes
description	String		No
authentication_protocol	Choice	`pap`, `chap`, `mschap`, `mschapv2`, `ascii`	No
key	String		No
key_encryption	Choice	`0`, `6`, `7`	No
test_idle_time	Integer	min: `0`, max: `1440`	No
test_password	String		No
test_password_type	Choice	`0`, `7`	No
test_username	String		No
port	Integer	min: `1`, max: `65535`	No
retries	Integer	min: `0`, max: `5`	No
single_connection	Boolean	`true`, `false`	No
timeout	Integer	min: `0`, max: `60`	No

server_groups (nxos.devices.configuration.aaa.tacacs)

Name	Type	Constraint	Mandatory
name	String		Yes
description	String		No
deadtime	Integer	min: `0`, max: `1440`	No
source_interface_type	Choice	`ethernet`, `loopback`, `mgmt`, `port-channel`, `vlan`, `vni`	No
source_interface_id	String		No
vrf	String		No

userpassphrase (nxos.devices.configuration.aaa.users)

Name	Type	Constraint	Mandatory
min_length	Integer	min: `0`, max: `65535`	No
max_length	Integer	min: `0`, max: `65535`	No
default_lifetime	Integer	min: `0`, max: `99999`	No
default_gracetime	Integer	min: `0`, max: `99999`	No
default_warntime	Integer	min: `0`, max: `99999`	No
sequence_alphabet_length	Integer	min: `0`, max: `10`	No
sequence_keyboard_length	Integer	min: `0`, max: `10`	No
min_unique	Integer	min: `0`, max: `10`	No

accounts (nxos.devices.configuration.aaa.users)

Name	Type	Constraint	Mandatory
username	String		Yes
description	String		No
account_status	Boolean	`true`, `false`	No
allow_expired	Boolean	`true`, `false`	No
clear_password_history	Boolean	`true`, `false`	No
email	String		No
expiration	String		No
expires	Boolean	`true`, `false`	No
first_name	String		No
force	Boolean	`true`, `false`	No
last_name	String		No
password	String		No
password_encryption_type	Choice	`clear`, `encrypt`, `pbkdf2`, `scrypt`, `unspecified`	No
password_hash	Choice	`unspecified`, `pbkdf2`, `scrypt`	No
phone	String		No
shell_type	Choice	`vsh`, `bash`	No
unix_user_id	Integer	min: `99`, max: `15999`	No
roles	List	`[roles]`	No

roles (nxos.devices.configuration.aaa.users.accounts)

Name	Type	Constraint	Mandatory
name	String		Yes
description	String		No
privilege_type	Choice	`no-data-priv`, `read-priv`, `write-priv`	No

Examples

Example 1: TACACS+ with single server and basic user account

nxos:
  devices:
    - name: LEAF1
      configuration:
        aaa:
          tacacs:
            timeout: 5
            deadtime: 10
            source_interface_type: mgmt
            source_interface_id: "0"
            servers:
              - host: 10.50.100.10
                description: Primary TACACS Server
                key: "T@c@csK3y!"
                key_encryption: "7"
          users:
            password_strength_check: true
            accounts:
              - username: admin
                description: Network Admin
                password: "N3tw0rkAdm!n"
                password_encryption_type: scrypt
                roles:
                  - name: network-admin

Example 2: Redundant TACACS+ with server group and multiple user accounts with RBAC

nxos:
  devices:
    - name: SPINE1
      configuration:
        aaa:
          tacacs:
            timeout: 5
            deadtime: 15
            source_interface_type: mgmt
            source_interface_id: "0"
            key: "Gl0b@lT@c@cs"
            key_encryption: "7"
            servers:
              - host: 10.50.100.10
                description: Primary TACACS Server
                timeout: 3
              - host: 10.50.100.11
                description: Secondary TACACS Server
                timeout: 3
            server_groups:
              - name: TACACS_SERVERS
                description: Production TACACS+ Server Group
                vrf: management
                source_interface_type: mgmt
                source_interface_id: "0"
          users:
            password_strength_check: true
            password_secure_mode: true
            max_logins: 4
            accounts:
              - username: admin
                description: Primary Admin
                password: "S3cur3P@ss!"
                password_encryption_type: scrypt
                roles:
                  - name: network-admin
              - username: noc-operator
                description: NOC Read-Only Operator
                password: "N0cR3@d0nly!"
                password_encryption_type: scrypt
                roles:
                  - name: network-operator
                    privilege_type: read-priv
              - username: backup-svc
                description: Backup Service Account
                password: "B@ckupSvc2025!"
                password_encryption_type: scrypt
                shell_type: bash
                roles:
                  - name: network-operator

Example 3: Full AAA with authentication protocols, idle testing, passphrase policy, and account expiration

nxos:
  devices:
    - name: BORDER-LEAF1
      configuration:
        aaa:
          tacacs:
            timeout: 5
            deadtime: 20
            retries: 2
            source_interface_type: mgmt
            source_interface_id: "0"
            key: "F@br!cT@c@cs"
            key_encryption: "7"
            servers:
              - host: 10.50.100.10
                description: DC1 Primary TACACS Server
                authentication_protocol: chap
                single_connection: true
                test_idle_time: 5
                test_username: test
                test_password: "t3stP@ss"
                test_password_type: "7"
              - host: 10.50.100.11
                description: DC1 Secondary TACACS Server
                authentication_protocol: chap
                single_connection: true
                test_idle_time: 5
                test_username: test
                test_password: "t3stP@ss"
                test_password_type: "7"
            server_groups:
              - name: TACACS_PRIMARY
                description: Primary TACACS+ Server Group
                vrf: management
                source_interface_type: mgmt
                source_interface_id: "0"
                deadtime: 10
              - name: TACACS_FALLBACK
                description: Fallback TACACS+ Server Group
                vrf: management
                source_interface_type: mgmt
                source_interface_id: "0"
          users:
            password_strength_check: true
            password_secure_mode: true
            userpassphrase:
              min_length: 12
              max_length: 127
              default_lifetime: 180
              default_gracetime: 7
              default_warntime: 14
              sequence_alphabet_length: 3
              sequence_keyboard_length: 3
            max_logins: 3
            accounts:
              - username: admin
                description: Primary Admin
                password: "Adm!nP@ss2025"
                password_encryption_type: scrypt
                roles:
                  - name: network-admin
              - username: auditor
                description: Security Auditor
                password: "Aud!t0rAcc3ss"
                password_encryption_type: scrypt
                expires: true
                expiration: "2026-12-31"
                roles:
                  - name: network-operator
                    privilege_type: read-priv