Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11235
Views
27
Helpful
6
Replies

Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

Go to solution
jacksonb03
Level 1
Level 1

‎05-27-2014 11:24 AM - edited ‎03-10-2019 09:45 PM

I have a Nexus 7010 running

 

 

Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.

 

>>ip radius source-interface mgmt 0

>>radius-server key XXXXX

>>radius-server host X.X.X.X key XXXXX authentication accounting

>>radius-server host X.X.X.X key XXXXX authentication accounting aaa

>>authentication login default group Radius_Group aaa authentication

>>login console local aaa group server radius Radius_Group

>>    server X.X.X.X

>>    server X.X.X.X

>>    source-interface mgmt0

 

Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the

shell:roles="vdc-admin" in the  Attribute Value field in the RADIUS server

Does anyone know if this works????

 

Thanks

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to jacksonb03

‎05-28-2014 10:31 AM

I have not used NPS before but it looks like you are on the right track. As Ed mentioned in his post, in ACS you can define the type of protocols that you will accept during an authentication session. Nexus authentication sessions should be seen as PAP/ASCII so you should be good to go. I don't have a Nexus switch to test with but if you do you can use wireshark and capture the session and see the exact protocol/method used. However, I am pretty sure PAP is the way to go:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_tacacsplus.html

I also found the following link that you might find helpful:

http://www.802101.com/2013/08/cisco-nexus-and-aaa-authentication.html

Thank you for rating helpful posts!

View solution in original post

6 Replies 6

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎05-27-2014 02:24 PM

I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:

Attribute: cisco-av-pair

Requirement: Mandatory

Value: shell:roles*"network-admin vdc-admin"

For more information take a look at this link:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

Hope this helps

 

Thank you for rating helpful posts!

Go to solution
jacksonb03
Level 1
Level 1
In response to nspasov

‎05-28-2014 07:39 AM

That is what I plan on trying today and I hope is works. Another question is under the NPS setup I have Configure Authentication Methods they advise using PAP and SPAP. Does Cisco ACS advise what authenication method to use?

0 Helpful

Go to solution
edwardcollins7
Level 1
Level 1
In response to jacksonb03

‎05-28-2014 08:04 AM

Cisco ACS will not advise you to use a protocol, it is administrator's choice to allow the required protocols.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

Go to solution
jacksonb03
Level 1
Level 1
In response to edwardcollins7

‎05-29-2014 08:51 AM

FYI gentlemen it worked!!!!!

 

Thanks for all the guidance

Brian

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to jacksonb03

‎05-29-2014 10:41 AM

Awesome! Good to hear! :)

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to jacksonb03

‎05-28-2014 10:31 AM

I have not used NPS before but it looks like you are on the right track. As Ed mentioned in his post, in ACS you can define the type of protocols that you will accept during an authentication session. Nexus authentication sessions should be seen as PAP/ASCII so you should be good to go. I don't have a Nexus switch to test with but if you do you can use wireshark and capture the session and see the exact protocol/method used. However, I am pretty sure PAP is the way to go:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_tacacsplus.html

I also found the following link that you might find helpful:

http://www.802101.com/2013/08/cisco-nexus-and-aaa-authentication.html

Thank you for rating helpful posts!

Customers Also Viewed These Support Documents