aaa group server radius GEN_AAA
  server [server]
  server [server]
  use-vrf management
  source-interface mgmt0

aaa authentication login default group GEN_AAA
aaa authentication login console group GEN_AAA
aaa accounting default group GEN_AAA
aaa authentication login error-enable
On the Steel Belted RADIUS server the client is set up as a basic IOS 11.1 or later (Nexus is not an option). The group setup for the relevant user group has a return code of:
When I authenticate from a Catalyst 6509 with IOS 12.2 the authorization based on the shell:priv-lvl works fine. Only those users in the 'special' group have admin (lvl 15) access.
With the Nexus gear I authenticate fine but the RADIUS user is always put in the network-operator role (default) regardless of the 'special' group shell:roles*"network-admin" return code defined.
In other words it seems to work fine for IOS devices (Catalyst 6500 and 3750E so far) but not at all for Nexus gear. Unfortunately I am not in a position to suggest and implement ACS or another AAA server that supports TACACS.
Re: Nexus 5K and 7K RADIUS Authorization with Steel Belted RADIU
I appreciate the pointer. If I was using TACACS for AAA, authorization sets would be a consideration. However, authorization is not permitted when using RADIUS for AAA on the Nexus platform.
In any case I was able to resolve the issue with the assistance of the customer and their support contact at Juniper. For the VSA feature to begin working a change to the INI file and a restart of the SBR services was required. Placing the desired group of users in the network-admin group is functioning as desired.
In addition to the configuration in the original post the following should be added to stop any 'standard' users defined on the SBR server from logging in with network-operator privileges:
no aaa user default-role
If no role is provided from the RADIUS server via the Cisco-AVPAIR VSA (e.g. Cisco-AVPAIR = shell:roles*network-admin), by default a Nexus box places the user in the network-operator role. This role has complete read access on the system, allowing, among other things, a read view of the configuration. The above command stops that default role mapping, so non-configured users / groups on the RADIUS box are not able to log in at all.
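As an added example (not code from this thread, from Cisco, or from Juniper), the Python below encodes a Cisco-AVPair as the RADIUS Vendor-Specific attribute (type 26, vendor ID 9, sub-type 1) that SBR returns, parses it back out of an attribute blob, and models the role mapping the reply describes. The `effective_role` logic is an assumption that follows the post's description (served role wins; otherwise network-operator, or no login when the default role is disabled), not NX-OS's actual implementation.

```python
import struct

RADIUS_VSA_TYPE = 26        # Vendor-Specific attribute (RFC 2865)
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1       # Cisco-AVPair vendor sub-attribute

def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VSA_TYPE, len(body) + 2) + body

def cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute blob and return the Cisco-AVPair strings in it."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2:
            break  # malformed length: stop instead of looping forever
        if atype == RADIUS_VSA_TYPE and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j, end = i + 6, i + alen
            while vendor == CISCO_VENDOR_ID and j + 2 <= end:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2:
                    break
                if vtype == CISCO_AVPAIR_TYPE:
                    out.append(attrs[j + 2:j + vlen].decode(errors="replace"))
                j += vlen
        i += alen
    return out

def shell_roles(avpairs) -> list:
    """Roles from shell:roles*... (optional) or shell:roles=... (mandatory) pairs."""
    roles = []
    for pair in avpairs:
        if pair.startswith("shell:roles*") or pair.startswith("shell:roles="):
            roles += [r for r in pair[len("shell:roles*"):].strip('"').split() if r]
    return roles

def effective_role(attrs: bytes, default_role_enabled: bool = True):
    """Assumed model of the post's description: a served role wins; otherwise
    network-operator while the default role is on, else None (login denied)."""
    roles = shell_roles(cisco_avpairs(attrs))
    if roles:
        return roles
    return ["network-operator"] if default_role_enabled else None
```

The `default_role_enabled=False` branch corresponds to `no aaa user default-role`; a standard SBR user with no shell:roles pair then gets no role and cannot log in.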