05-27-2014 11:24 AM - edited 03-10-2019 09:45 PM
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization through our AAA config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for AAA authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>aaa authentication login default group Radius_Group
>>aaa authentication login console local
>>aaa group server radius Radius_Group
>>  server X.X.X.X
>>  server X.X.X.X
>>  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server.
Does anyone know if this works?
Thanks
05-28-2014 10:31 AM
I have not used NPS before, but it looks like you are on the right track. As Ed mentioned in his post, in ACS you can define the type of protocols that you will accept during an authentication session. Nexus authentication sessions should be seen as PAP/ASCII, so you should be good to go. I don't have a Nexus switch to test with, but if you do you can use Wireshark to capture the session and see the exact protocol/method used. However, I am pretty sure PAP is the way to go:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_tacacsplus.html
I also found the following link that you might find helpful:
http://www.802101.com/2013/08/cisco-nexus-and-aaa-authentication.html
Thank you for rating helpful posts!
05-27-2014 02:24 PM
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts!
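The two RADIUS details discussed in the replies above, shown on the wire as an added example (this is not code from the thread, from Cisco, or from Microsoft): the PAP User-Password hiding that NX-OS uses when it authenticates against a RADIUS server (RFC 2865 section 5.2), and the Cisco Vendor-Specific Attribute (attribute 26, Vendor-Id 9, vendor type 1 = cisco-av-pair) in which the server returns shell:roles. The shared secret, Request-Authenticator and password are constructed sample values; only the Python standard library is used.

```python
"""Added example: RADIUS PAP password hiding and the Cisco cisco-av-pair VSA.

The secret, authenticator and password below are constructed sample values,
not taken from the thread. Standard library only.
"""
import hashlib
import os
import struct

CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1        # vendor type 1 = cisco-av-pair
ATTR_USER_PASSWORD = 2       # RFC 2865 User-Password
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific


def hide_pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with an MD5 chain."""
    if len(req_auth) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def reveal_pap_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_pap_password, as the RADIUS server computes it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    out = bytearray()
    prev = req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def encode_cisco_avpair(value: str) -> bytes:
    """Build one attribute 26 carrying a single cisco-av-pair string."""
    data = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    if len(body) + 2 > 255:
        raise ValueError("value too long for a single VSA")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def decode_attributes(raw: bytes) -> list:
    """Walk a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated attribute header")
        t, l = raw[pos], raw[pos + 1]
        if l < 2 or pos + l > len(raw):
            raise ValueError("bad attribute length")
        attrs.append((t, raw[pos + 2:pos + l]))
        pos += l
    return attrs


def cisco_avpairs(raw: bytes) -> list:
    """Extract every cisco-av-pair string from a RADIUS attribute list."""
    pairs = []
    for t, v in decode_attributes(raw):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        (vendor,) = struct.unpack("!I", v[:4])
        if vendor != CISCO_VENDOR_ID:
            continue
        sub, pos = v[4:], 0
        while pos + 2 <= len(sub):
            st, sl = sub[pos], sub[pos + 1]
            if sl < 2 or pos + sl > len(sub):
                break
            if st == CISCO_AVPAIR_TYPE:
                pairs.append(sub[pos + 2:pos + sl].decode(errors="replace"))
            pos += sl
    return pairs


def nxos_roles(avpairs: list) -> list:
    """Return the role list from shell:roles="..." or shell:roles*"..." (* marks it optional)."""
    key = "shell:roles"
    for p in avpairs:
        if p.startswith(key) and len(p) > len(key) and p[len(key)] in ("=", "*"):
            return p[len(key) + 1:].strip('"').split()
    return []


if __name__ == "__main__":
    secret = b"XXXXX"                     # stands in for the radius-server key
    req_auth = os.urandom(16)             # Request-Authenticator of the Access-Request
    hidden = hide_pap_password(b"S3cret-passw0rd", secret, req_auth)
    print(reveal_pap_password(hidden, secret, req_auth))
    reply = encode_cisco_avpair('shell:roles*"network-admin vdc-admin"')
    print(nxos_roles(cisco_avpairs(reply)))
```

The decode side is where a server or a packet-capture helper earns its keep: attribute lengths are attacker-controlled bytes, so both loops check that each declared length fits inside the buffer before slicing. On the hiding side, note that a wrong shared secret does not produce an error, only garbage: that is why an NX-OS/NPS key mismatch shows up as a plain authentication failure rather than a protocol error.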
05-28-2014 07:39 AM
That is what I plan on trying today and I hope it works. Another question: under the NPS setup I have Configure Authentication Methods, and they advise using PAP and SPAP. Does Cisco ACS advise what authentication method to use?
05-28-2014 08:04 AM
Cisco ACS will not advise you to use a protocol; it is the administrator's choice to allow the required protocols.
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed
05-29-2014 08:51 AM
FYI gentlemen it worked!!!!!
Thanks for all the guidance
Brian
05-29-2014 10:41 AM
Awesome! Good to hear! :)