Nexus 5K and 7K RADIUS Authorization with Steel Belted RADIUS

Unanswered Question

I am attempting to provide very basic authorization via Steel Belted RADIUS for a Nexus deployment.

Here is the code from the Nexus:

radius-server host [server]  key [key]
radius-server host [server]  key [key]

ip radius source-interface mgmt0

aaa group server radius GEN_AAA
    server [server]
    server [server]
    use-vrf management
    source-interface mgmt0

aaa authentication login default group GEN_AAA
aaa authentication login console group GEN_AAA
aaa accounting default group GEN_AAA
aaa authentication login error-enable

On the Steel Belted RADIUS server the client is setup as a basic IOS 11.1 or later (Nexus is not an option).  The group setup for the relevant user group has a return code of:



When I authenticate from a Catalyst 6509 with IOS 12.2 the authorization based on the shell:priv-lvl works fine.  Only those users in the 'special' group have admin (lvl 15) access.

With the Nexus gear I authenticate fine but the RADIUS user is always put in the network-operator role (default) regardless of the 'special' group shell:roles*"network-admin" return code defined.

In other words it seems to work fine for IOS devices (Catalyst 6500 and 3750E so far) but not at all for Nexus gear.  Unfortunately I am not in a position to suggest and implement ACS or another AAA server that supports TACACS.

Is there any way to pull this off with SBR?

Any help is much appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

Hello Nusrat,

I appreciate the pointer.  If I was using TACACS for AAA, authorization sets would be a consideration.  However, authorization is not permitted when using RADIUS for AAA on the Nexus platform.

In any case I was able to resolve the issue with the assistance of the customer and their support contact at Juniper.  For the VSA feature to begin working a change to the INI file and a restart of the SBR services was required.  Placing the desired group of users in the network-admin group is functioning as desired.


In addition to the configuration in the original post the following should be added to stop any 'standard' users defined on the SBR server from logging in with network-operator privileges:

no aaa user default-role

If no role is provided from the RADIUS server via the Cisco-AVPAIR VSA (ex. Cisco-AVPAIR = shell:roles*network-admin) by default a Nexus box places the user in the network-operator role.  This role has complete read access on the system allowing, among other things, a read view of the configuration.  The above command stops any role mapping resulting in non-configured users / groups on the RADIUS box not being able to log in period.

rthakker Wed, 01/11/2012 - 06:02
User Badges:

Hello Jeff

Did you manage to resolve this issue?

I am currently working to implement Nexus 5k and 3k with SBR and come accross your post so I am wondering do I need to still worry about this or not?

Your help is much appriciated.




This Discussion