InformationRADIUS is an authentication protocol that Cisco NX-OS devices can use for authentication of management users against a remote AAA server. These management users can access the Cisco NX-OS device through any protocol and use this back-end authentication. Using a central authentication store (such as Active Directory) ensures that all administrative actions are tied to named users, making the tracking of changes much easier. It also makes tracking compromised accounts and malicious activities much easier.
Central authentication is key as it minimizes the effort in managing named user accounts. Keeping local admin accounts opens the door to all the issues inherent in shared accounts, namely:
Errors in implementation being done by generic admin accounts, which can then be denied by all.
Shared credentials staying unchanged when administrative staff leave the organization or change roles.
Giving malicious actors the ability to recover shared credentials from saved device backups
RADIUS is the most widely used protocol for this purpose, since it is a requirement for secure wireless authentication (EAP-TLS). Just as important, RADIUS is much better supported by most non-Cisco vendors for back-end authentication.
Implementing RADIUS (or any central authentication solution) ensures that only named users are allowed to gain an administrative session to the device. This allows:
Tracking of all changes to named users
Simplification of reconciling changes to a change management process
Off-loading password change cycles and password complexity requirements to that central authentication store
Simplification of removing admin access as administrators leave the organization or change their roles in the organization
SolutionFirst define two or more RADIUS Servers
switch(config)#radius-server host 220.127.116.11 key somekey authentication accounting
switch(config)#radius-server host 18.104.22.168 key someotherkey authentication accounting
Then create an AAA group for RADIUS
switch(config)# aaa group server radius RADIUSGROUP
Finally, create the authentication lists in the correct order - to be effective the RADIUS group needs to appear first in the list. Both the default and console access should be secured in the same way:
switch(config)# aaa authentication login default group RADIUSGROUP local
switch(config)# aaa authentication login console group RADIUSGROUP local
It is common to include 'local' as the last entry in the list, to allow access to administer the device even if the RADIUS server is offline. Note that while this ensures access in the case of the device or the RADIUS server being offline, it also means that if an attacker can DOS the RADIUS Servers, they can authenticate locally as well.
By default RADIUS is not implemented