Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

I have a Nexus 7010 running

 

 

Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.

 

>>ip radius source-interface mgmt 0

>>radius-server key XXXXX

>>radius-server host X.X.X.X key XXXXX authentication accounting

>>radius-server host X.X.X.X key XXXXX authentication accounting aaa

>>authentication login default group Radius_Group aaa authentication

>>login console local aaa group server radius Radius_Group

>>    server X.X.X.X

>>    server X.X.X.X

>>    source-interface mgmt0

 

Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the

shell:roles="vdc-admin" in the  Attribute Value field in the RADIUS server

Does anyone know if this works????

 

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

I have not used NPS before

I have not used NPS before but it looks like you are on the right track. As Ed mentioned in his post, in ACS you can define the type of protocols that you will accept during an authentication session. Nexus authentication sessions should be seen as PAP/ASCII so you should be good to go. I don't have a Nexus switch to test with but if you do you can use wireshark and capture the session and see the exact protocol/method used. However, I am pretty sure PAP is the way to go:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_tacacsplus.html

I also found the following link that you might find helpful:

http://www.802101.com/2013/08/cisco-nexus-and-aaa-authentication.html

Thank you for rating helpful posts!

6 REPLIES
Cisco Employee

I have never done this before

I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:

Attribute: cisco-av-pair

Requirement: Mandatory

Value: shell:roles*"network-admin vdc-admin"

For more information take a look at this link:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

Hope this helps

 

Thank you for rating helpful posts!

New Member

That is what I plan on trying

That is what I plan on trying today and I hope is works. Another question is under the NPS setup I have Configure Authentication Methods they advise using PAP and SPAP. Does Cisco ACS advise what authenication method to use?

Cisco ACS will not advise you

Cisco ACS will not advise you to use a protocol, it is administrator's choice to allow the required protocols.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

New Member

FYI gentlemen it worked!!!!!

FYI gentlemen it worked!!!!!

 

Thanks for all the guidance

Brian

Cisco Employee

Awesome! Good to hear! :)

Awesome! Good to hear! :)

Cisco Employee

I have not used NPS before

I have not used NPS before but it looks like you are on the right track. As Ed mentioned in his post, in ACS you can define the type of protocols that you will accept during an authentication session. Nexus authentication sessions should be seen as PAP/ASCII so you should be good to go. I don't have a Nexus switch to test with but if you do you can use wireshark and capture the session and see the exact protocol/method used. However, I am pretty sure PAP is the way to go:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_tacacsplus.html

I also found the following link that you might find helpful:

http://www.802101.com/2013/08/cisco-nexus-and-aaa-authentication.html

Thank you for rating helpful posts!

2922
Views
17
Helpful
6
Replies
CreatePlease to create content