RADIUS is an authentication protocol that Cisco NX-OS devices can use for authentication of management users against a remote AAA server. These management users can access the Cisco NX-OS device through any protocol and use this back-end authentication. Using a central authentication store (such as Active Directory) ensures that all administrative actions are tied to named users, making the tracking of changes much easier. It also makes tracking compromised accounts and malicious activities much easier. Rationale: Central authentication is key as it minimizes the effort in managing named user accounts. Keeping local admin accounts opens the door to all the issues inherent in shared accounts, namely: Errors in implementation being done by generic admin accounts, which can then be denied by all. Shared credentials staying unchanged when administrative staff leave the organization or change roles. Giving malicious actors the ability to recover shared credentials from saved device backups RADIUS is the most widely used protocol for this purpose, since it is a requirement for secure wireless authentication (EAP-TLS). Just as important, RADIUS is much better supported by most non-Cisco vendors for back-end authentication. Impact: Implementing RADIUS (or any central authentication solution) ensures that only named users are allowed to gain an administrative session to the device. This allows: Tracking of all changes to named users Simplification of reconciling changes to a change management process Off-loading password change cycles and password complexity requirements to that central authentication store Simplification of removing admin access as administrators leave the organization or change their roles in the organization
Solution
First define two or more RADIUS Servers switch(config)#radius-server host 3.4.5.6 key somekey authentication accounting switch(config)#radius-server host 4.5.6.7 key someotherkey authentication accounting Then create an AAA group for RADIUS switch(config)# aaa group server radius RADIUSGROUP server 3.4.5.6 server 4.5.6.7 Finally, create the authentication lists in the correct order - to be effective the RADIUS group needs to appear first in the list. Both the default and console access should be secured in the same way: switch(config)# aaa authentication login default group RADIUSGROUP local switch(config)# aaa authentication login console group RADIUSGROUP local It is common to include 'local' as the last entry in the list, to allow access to administer the device even if the RADIUS server is offline. Note that while this ensures access in the case of the device or the RADIUS server being offline, it also means that if an attacker can DOS the RADIUS Servers, they can authenticate locally as well. Default Value: By default RADIUS is not implemented