Cisco Nexus 5000 Series Switch CLI Software Configuration Guide
OL-16597-01
Configuring AAA

Purpose:
• named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting.
The local method uses the local database for accounting.
The default method is local, which is used when no server groups are configured or when all the configured server groups do not respond.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show aaa accounting
Purpose: (Optional) Displays the configured AAA accounting default methods.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Using AAA Server VSAs
About VSAs
You can use vendor-specific attributes (VSAs) to specify the Cisco Nexus 5000 Series user roles and SNMPv3 parameters on AAA servers.
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization. The separator is an equal sign (=) for mandatory attributes and an asterisk (*) for optional attributes.
When you use RADIUS servers for authentication on a Nexus 5000 Series switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

VSA Format
The following VSA protocol options are supported by the Cisco Nexus 5000 Series switches:
• Shell—Used in access-accept packets to provide user profile information.
• Accounting—Used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.
The following attributes are supported by the Cisco Nexus 5000 Series switches:
• roles—Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space.
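A parser and audit check for the cisco-av-pair format described above, as an added example that is not taken from the Cisco guide. The user names, the role names network-operator and network-admin, and the function names are assumptions used for illustration.

```python
import re

# protocol ":" attribute, then "=" (mandatory) or "*" (optional), then the value
_AV_PAIR = re.compile(r'^\s*(?P<protocol>[A-Za-z]+)\s*:\s*(?P<attribute>[A-Za-z][\w-]*)'
                      r'\s*(?P<sep>[=*])\s*(?P<value>.*?)\s*$')
PROTOCOLS = {"shell", "accounting"}  # the two protocol options listed on this page

def parse_av_pair(text):
    """Split one cisco-av-pair string into its parts, or raise ValueError."""
    m = _AV_PAIR.match(text)
    if m is None:
        raise ValueError(f"not protocol:attribute(=|*)value: {text!r}")
    protocol = m["protocol"].lower()
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    value = m["value"]
    quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
    if quoted:
        value = value[1:-1]
    elif any(ch.isspace() for ch in value):
        # A value containing white space must sit inside double quotation marks.
        raise ValueError(f"unquoted white space in value: {text!r}")
    return {"protocol": protocol, "attribute": m["attribute"],
            "mandatory": m["sep"] == "=", "value": value}

def roles_granted(text):
    """Return the role names carried by a roles attribute (empty list otherwise)."""
    pair = parse_av_pair(text)
    return pair["value"].split() if pair["attribute"] == "roles" else []

def audit(replies, privileged):
    """Map each user to the privileged roles granted; 'MALFORMED' on bad syntax."""
    findings = {}
    for user, av_pair in replies.items():
        try:
            hits = sorted(set(roles_granted(av_pair)) & privileged)
        except ValueError:
            hits = ["MALFORMED"]
        if hits:
            findings[user] = hits
    return findings

# Constructed sample data: user names and role names are illustrative assumptions.
SAMPLE_REPLIES = {
    "alice": 'shell:roles="network-operator network-admin"',
    "bob": "shell:roles*network-operator",
    "carol": "shell:roles=network-operator network-admin",  # missing quotes
}
```

Running `audit(SAMPLE_REPLIES, {"network-admin"})` over an export of the RADIUS server's reply attributes shows which accounts receive a privileged role and which entries are malformed.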