AAA

AAA (Authentication, Authorization, and Accounting) on NX-OS encompasses TACACS+ server integration for centralized device management access, local user account management with role-based access control, and AAA method configuration for login authentication, command authorization, and accounting. TACACS+ configuration includes shared secret keys with encryption, timeout/retry/deadtime settings, source interface binding, individual server definitions with per-server authentication protocols (PAP, CHAP, MSCHAP, MSCHAPv2, ASCII), idle-time testing, and server groups with VRF-aware source interfaces and server member references. User management provides password strength policies, secure mode, passphrase length/lifetime/gracetime/warntime constraints, maximum concurrent login sessions, and individual user accounts with role assignments, password encryption types (clear, encrypt, pbkdf2, scrypt), account expiration, and shell type selection. Authentication settings control default and console login methods with group-based fallback, authorization defines config and exec command methods, and accounting tracks command usage via server groups.

Diagram

Classes

configuration (nxos.devices)

Name	Type	Constraint	Mandatory	Default Value
aaa	Class	`[aaa]`	No

aaa (nxos.devices.configuration)

Name	Type	Constraint	Mandatory
tacacs	Class	`[tacacs]`	No
users	Class	`[users]`	No
authentication	Class	`[authentication]`	No
authorization	List	`[authorization]`	No
accounting	Class	`[accounting]`	No

tacacs (nxos.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
deadtime	Integer	min: `0`, max: `1440`	No
description	String		No
key	String		No
key_encryption	Choice	`0`, `6`, `7`	No
retries	Integer	min: `0`, max: `5`	No
source_interface_type	Choice	`ethernet`, `loopback`, `mgmt`, `port-channel`, `vlan`, `vni`	No
source_interface_id	String		No
timeout	Integer	min: `1`, max: `60`	No
servers	List	`[servers]`	No
server_groups	List	`[server_groups]`	No

users (nxos.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
password_strength_check	Boolean	`true`, `false`	No
password_secure_mode	Boolean	`true`, `false`	No
service_password_recovery	Boolean	`true`, `false`	No
max_logins	Integer	min: `0`, max: `7`	No
description	String		No
userpassphrase	Class	`[userpassphrase]`	No
accounts	List	`[accounts]`	No

authentication (nxos.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
default_role	Choice	`no-login`, `assign-default-role`	No
radius_directed_request	Boolean	`true`, `false`	No
tacacs_directed_request	Boolean	`true`, `false`	No
login_default_groups	List	String	No
login_default_realm	Choice	`local`, `radius`, `tacacs`, `ldap`	No
login_default_fallback	Boolean	`true`, `false`	No
login_default_local	Boolean	`true`, `false`	No
login_default_none	Boolean	`true`, `false`	No
login_default_error_enable	Boolean	`true`, `false`	No
login_default_invalid_username_log	Boolean	`true`, `false`	No
login_console_groups	List	String	No
login_console_realm	Choice	`local`, `radius`, `tacacs`, `ldap`	No
login_console_fallback	Boolean	`true`, `false`	No
login_console_local	Boolean	`true`, `false`	No
login_console_none	Boolean	`true`, `false`	No
login_console_error_enable	Boolean	`true`, `false`	No
login_console_invalid_username_log	Boolean	`true`, `false`	No

authorization (nxos.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
command_type	Choice	`config`, `exec`	Yes
groups	List	String	No
none	Boolean	`true`, `false`	No
local	Boolean	`true`, `false`	No

accounting (nxos.devices.configuration.aaa)

Name	Type	Constraint	Mandatory
groups	List	String	No
realm	Choice	`local`, `radius`, `tacacs`, `ldap`	No
none	Boolean	`true`, `false`	No
local	Boolean	`true`, `false`	No

servers (nxos.devices.configuration.aaa.tacacs)

Name	Type	Constraint	Mandatory
host	String		Yes
description	String		No
authentication_protocol	Choice	`pap`, `chap`, `mschap`, `mschapv2`, `ascii`	No
key	String		No
key_encryption	Choice	`0`, `6`, `7`	No
test_idle_time	Integer	min: `0`, max: `1440`	No
test_password	String		No
test_password_type	Choice	`0`, `7`	No
test_username	String		No
port	Integer	min: `1`, max: `65535`	No
retries	Integer	min: `0`, max: `5`	No
single_connection	Boolean	`true`, `false`	No
timeout	Integer	min: `0`, max: `60`	No

server_groups (nxos.devices.configuration.aaa.tacacs)

Name	Type	Constraint	Mandatory
name	String		Yes
description	String		No
deadtime	Integer	min: `0`, max: `1440`	No
source_interface_type	Choice	`ethernet`, `loopback`, `mgmt`, `port-channel`, `vlan`, `vni`	No
source_interface_id	String		No
vrf	String		No
servers	List	`[servers]`	No

userpassphrase (nxos.devices.configuration.aaa.users)

Name	Type	Constraint	Mandatory
min_length	Integer	min: `0`, max: `65535`	No
max_length	Integer	min: `0`, max: `65535`	No
default_lifetime	Integer	min: `0`, max: `99999`	No
default_gracetime	Integer	min: `0`, max: `99999`	No
default_warntime	Integer	min: `0`, max: `99999`	No
sequence_alphabet_length	Integer	min: `0`, max: `10`	No
sequence_keyboard_length	Integer	min: `0`, max: `10`	No
min_unique	Integer	min: `0`, max: `10`	No

accounts (nxos.devices.configuration.aaa.users)

Name	Type	Constraint	Mandatory
username	String		Yes
description	String		No
account_status	Boolean	`true`, `false`	No
allow_expired	Boolean	`true`, `false`	No
clear_password_history	Boolean	`true`, `false`	No
email	String		No
expiration	String		No
expires	Boolean	`true`, `false`	No
first_name	String		No
force	Boolean	`true`, `false`	No
last_name	String		No
password	String		No
password_encryption_type	Choice	`clear`, `encrypt`, `pbkdf2`, `scrypt`, `unspecified`	No
password_hash	Choice	`unspecified`, `pbkdf2`, `scrypt`	No
phone	String		No
shell_type	Choice	`vsh`, `bash`	No
unix_user_id	Integer	min: `99`, max: `15999`	No
roles	List	`[roles]`	No

servers (nxos.devices.configuration.aaa.tacacs.server_groups)

Name	Type	Constraint	Mandatory
host	String		Yes
description	String		No
order	Integer	min: `0`, max: `16`	No

roles (nxos.devices.configuration.aaa.users.accounts)

Name	Type	Constraint	Mandatory
name	String		Yes
description	String		No
privilege_type	Choice	`no-data-priv`, `read-priv`, `write-priv`	No

Examples

Example 1: TACACS+ with single server and basic user account

nxos:
  devices:
    - name: LEAF1
      configuration:
        aaa:
          tacacs:
            timeout: 5
            deadtime: 10
            source_interface_type: mgmt
            source_interface_id: "0"
            servers:
              - host: 10.50.100.10
                description: Primary TACACS Server
                key: "T@c@csK3y!"
                key_encryption: "7"
          users:
            password_strength_check: true
            accounts:
              - username: admin
                description: Network Admin
                password: "N3tw0rkAdm!n"
                password_encryption_type: scrypt
                roles:
                  - name: network-admin

Example 2: Redundant TACACS+ with server group and multiple user accounts with RBAC

nxos:
  devices:
    - name: SPINE1
      configuration:
        aaa:
          tacacs:
            timeout: 5
            deadtime: 15
            source_interface_type: mgmt
            source_interface_id: "0"
            key: "Gl0b@lT@c@cs"
            key_encryption: "7"
            servers:
              - host: 10.50.100.10
                description: Primary TACACS Server
                timeout: 3
              - host: 10.50.100.11
                description: Secondary TACACS Server
                timeout: 3
            server_groups:
              - name: TACACS_SERVERS
                description: Production TACACS+ Server Group
                vrf: management
                source_interface_type: mgmt
                source_interface_id: "0"
                servers:
                  - host: 10.50.100.10
                    order: 1
                  - host: 10.50.100.11
                    order: 2
          users:
            password_strength_check: true
            password_secure_mode: true
            max_logins: 4
            accounts:
              - username: admin
                description: Primary Admin
                password: "S3cur3P@ss!"
                password_encryption_type: scrypt
                roles:
                  - name: network-admin
              - username: noc-operator
                description: NOC Read-Only Operator
                password: "N0cR3@d0nly!"
                password_encryption_type: scrypt
                roles:
                  - name: network-operator
                    privilege_type: read-priv
              - username: backup-svc
                description: Backup Service Account
                password: "B@ckupSvc2025!"
                password_encryption_type: scrypt
                shell_type: bash
                roles:
                  - name: network-operator

Example 3: Full AAA with authentication protocols, idle testing, passphrase policy, and account expiration

nxos:
  devices:
    - name: BORDER-LEAF1
      configuration:
        aaa:
          tacacs:
            timeout: 5
            deadtime: 20
            retries: 2
            source_interface_type: mgmt
            source_interface_id: "0"
            key: "F@br!cT@c@cs"
            key_encryption: "7"
            servers:
              - host: 10.50.100.10
                description: DC1 Primary TACACS Server
                authentication_protocol: chap
                single_connection: true
                test_idle_time: 5
                test_username: test
                test_password: "t3stP@ss"
                test_password_type: "7"
              - host: 10.50.100.11
                description: DC1 Secondary TACACS Server
                authentication_protocol: chap
                single_connection: true
                test_idle_time: 5
                test_username: test
                test_password: "t3stP@ss"
                test_password_type: "7"
            server_groups:
              - name: TACACS_PRIMARY
                description: Primary TACACS+ Server Group
                vrf: management
                source_interface_type: mgmt
                source_interface_id: "0"
                deadtime: 10
              - name: TACACS_FALLBACK
                description: Fallback TACACS+ Server Group
                vrf: management
                source_interface_type: mgmt
                source_interface_id: "0"
          users:
            password_strength_check: true
            password_secure_mode: true
            userpassphrase:
              min_length: 12
              max_length: 127
              default_lifetime: 180
              default_gracetime: 7
              default_warntime: 14
              sequence_alphabet_length: 3
              sequence_keyboard_length: 3
            max_logins: 3
            accounts:
              - username: admin
                description: Primary Admin
                password: "Adm!nP@ss2025"
                password_encryption_type: scrypt
                roles:
                  - name: network-admin
              - username: auditor
                description: Security Auditor
                password: "Aud!t0rAcc3ss"
                password_encryption_type: scrypt
                expires: true
                expiration: "2026-12-31"
                roles:
                  - name: network-operator
                    privilege_type: read-priv

Example 4: AAA authentication, authorization, and accounting with TACACS+ server groups

nxos:
  devices:
    - name: LEAF1
      configuration:
        aaa:
          tacacs:
            timeout: 5
            deadtime: 10
            source_interface_type: mgmt
            source_interface_id: "0"
            servers:
              - host: 10.50.100.10
              - host: 10.50.100.11
            server_groups:
              - name: TACACS_PRIMARY
                vrf: management
                servers:
                  - host: 10.50.100.10
                    order: 1
                  - host: 10.50.100.11
                    order: 2
          authentication:
            default_role: no-login
            tacacs_directed_request: true
            login_default_groups:
              - TACACS_PRIMARY
            login_default_realm: tacacs
            login_default_fallback: true
            login_default_local: true
            login_default_error_enable: true
            login_default_invalid_username_log: true
            login_console_groups:
              - TACACS_PRIMARY
            login_console_realm: tacacs
            login_console_local: true
          authorization:
            - command_type: config
              groups:
                - TACACS_PRIMARY
              local: true
            - command_type: exec
              groups:
                - TACACS_PRIMARY
              local: true
          accounting:
            groups:
              - TACACS_PRIMARY
            realm: tacacs
            local: true

AAA (Authentication, Authorization, and Accounting) on NX-OS encompasses TACACS+ server integration for centralized device management access and local user account management with role-based access control. TACACS+ configuration includes shared secret keys with encryption, timeout/retry/deadtime settings, source interface binding, individual server definitions with per-server authentication protocols (PAP, CHAP, MSCHAP, MSCHAPv2, ASCII), idle-time testing, and server groups with VRF-aware source interfaces. User management provides password strength policies, secure mode, passphrase length/lifetime/gracetime/warntime constraints, maximum concurrent login sessions, and individual user accounts with role assignments, password encryption types (clear, encrypt, pbkdf2, scrypt), account expiration, and shell type selection.