I have configured a Nexus 7000 for RADIUS authentication. The login is shown as successful on the RSA server; however, the login on the Nexus is not successful and gives the error below.
C15F0DCCODS3# 2010 Nov 19 13:44:01 C15F0DCCODS3 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ankur4888 from 172.18.1.12 - login.
Below is the output of debug aaa aaa-requests:
C15F0DCCODS3# 2010 Nov 19 13:45:14.750183 aaa: mts_aaa_req_process
2010 Nov 19 13:45:14.750244 aaa: aaa_req_process for authentication. session no 0
2010 Nov 19 13:45:14.750283 aaa: aaa_req_process: General AAA request from appln : login appln_subtype: default
2010 Nov 19 13:45:14.750310 aaa: try_next_aaa_method
2010 Nov 19 13:45:14.750351 aaa: total methods configured is 1, current index to be tried is 0
2010 Nov 19 13:45:14.750379 aaa: handle_req_using_method
2010 Nov 19 13:45:14.750404 aaa: AAA_METHOD_SERVER_GROUP
2010 Nov 19 13:45:14.750429 aaa: aaa_sg_method_handler group = EXL-RADIUS
2010 Nov 19 13:45:14.750454 aaa: Using sg_protocol which is passed to this function
2010 Nov 19 13:45:14.750483 aaa: Sending request to RADIUS service
2010 Nov 19 13:45:14.750553 aaa: Configured method group Succeeded
2010 Nov 19 13:45:16.788367 aaa: prot_daemon_reponse_handler
2010 Nov 19 13:45:16.788468 aaa: is_aaa_resp_status_success status = 1
2010 Nov 19 13:45:16.788496 aaa: is_aaa_resp_status_success is TRUE
2010 Nov 19 13:45:16.788523 aaa: aaa_send_client_response for authentication. session->flags=21. aaa_resp->flags=0.
2010 Nov 19 13:45:16.788549 aaa: AAA_REQ_FLAG_NORMAL
2010 Nov 19 13:45:16.788592 aaa: mts_send_response Successful
2010 Nov 19 13:45:16.788628 aaa: aaa_cleanup_session
2010 Nov 19 13:45:16.788655 aaa: mts_drop of request msg
2010 Nov 19 13:45:16.788683 aaa: aaa_req should be freed.
2010 Nov 19 13:45:16 C15F0DCCODS3 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authenticationfailed for user ankur4888 from 172.18.1.12 - login
I have noticed one thing in the debug logs: this is for an Auth privilege 3 user. That has to be lvl 7 for success. So let's try one thing:
2010 Nov 19 13:45:16 C15F0DCCODS3 %AUTHPRIV-7-SYSTEM_MSG: pam_aaa:Authenticationfailed for user ankur4888 from 172.18.1.12 - login
What can be done is to set the logging level for authpriv to 7. At that point you will see logs that look like this:
%AUTHPRIV-7-SYSTEM_MSG: user test authenticated - login
This is the best that can be done for AAA local login authentication:
logging level authpriv 7
logging level auth 7
Please try that and share the results.
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
It didn't work. However, I applied the command aaa user default-role and it started to log in. Nexus expects the AAA server to send the authorization for the user, and if that is not in the reply from the RSA, the login fails. This was the problem in my case, so as soon as I applied "aaa user default-role" the user was able to log in with the default role, i.e. operator.
I am using RSA as the AAA server. I am not able to find any option in RSA that I can enable to send the network-admin role with authentication.
Is there any compatibility problem in integrating Nexus with RSA as the AAA server?
On the other hand, Nexus, Cisco ACE and Cisco CRS are very different. They have "users and passwords" but also "roles" and "domains". If you don't specify a role or a domain you will get default role and default domain.
Your RADIUS server should be customizable enough to set these attributes. Cisco ACS 5.x is a great AAA server. I have configured AAA between Cisco ACE and Cisco ACS using customized roles without problems.
In your scenario I would recommend using TACACS+ between Nexus and ACS 5.x and the SecurID protocol between ACS 5.x and the RSA server.
But if you want to use RADIUS between Nexus and RSA server then you will have to find and set the right attributes in your RSA server.
A packet capture from Cisco ACE shows the following attribute:
AVP: L=39 t=vendor-specific(26) v=Cisco(9)
VSA: L=33 t=Cisco-AVPair(1)
I'm guessing it is something similar for Cisco Nexus. If you find the right attribute you have to set that attribute to something like the following:
"shell:Cnt1=admin default-domain" , where "Cnt1" is the ACE context, "admin" is the role, and default-domain is the domain.
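The two replies above describe the same mechanism from both ends: the RSA server returns Access-Accept (authentication passes), but the Nexus also needs an authorization attribute in that Accept and, without "aaa user default-role", rejects the session. The following script is an added example, not code from anyone in this thread or from Cisco; it encodes and parses the RADIUS Vendor-Specific attribute shown in the ACE capture above (Vendor-Specific type 26, vendor id Cisco 9, Cisco-AVPair vendor type 1) so you can check what an Access-Accept actually carries. The "shell:Cnt1=admin default-domain" string is the one quoted above; the "shell:roles=" form is the attribute documented for NX-OS and is not shown on this page, so treat that part as the author's assumption. All sample byte strings are constructed, not real captures.

```python
import struct

# RADIUS attribute numbers (RFC 2865) and the Cisco vendor values seen in the
# packet capture quoted above: Vendor-Specific(26), vendor id Cisco(9), Cisco-AVPair(1).
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
REPLY_MESSAGE = 18


def build_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a RADIUS Vendor-Specific attribute:
    Type(26) Length VendorId(4 bytes) | VendorType(1) VendorLength String."""
    payload = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    return struct.pack("!BBI", VENDOR_SPECIFIC, 2 + 4 + len(vsa), CISCO_VENDOR_ID) + vsa


def parse_attributes(buf: bytes):
    """Yield (type, length, value) for each TLV in a RADIUS attribute list,
    rejecting lengths that run past the buffer or below the 2-byte header."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = buf[i], buf[i + 1]
        if attr_len < 2 or i + attr_len > len(buf):
            raise ValueError("malformed attribute length")
        yield attr_type, attr_len, buf[i + 2:i + attr_len]
        i += attr_len


def cisco_avpairs(buf: bytes):
    """Return (avp_length, vsa_length, text) for every Cisco-AVPair in the list."""
    found = []
    for attr_type, attr_len, value in parse_attributes(buf):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4 + 2:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vsa_type, vsa_len, vsa_value in parse_attributes(value[4:]):
            if vsa_type == CISCO_AVPAIR:
                found.append((attr_len, vsa_len, vsa_value.decode("ascii", "replace")))
    return found


def shell_roles(buf: bytes):
    """Roles carried in a 'shell:roles=' pair (assumed NX-OS form), or None when
    the Access-Accept carries no role at all, which is the case this thread hit."""
    for _, _, text in cisco_avpairs(buf):
        if text.startswith("shell:roles="):
            return text[len("shell:roles="):].strip('"').split()
    return None


# Constructed sample attribute lists (not real captures).
# 1. The ACE-style pair quoted in the capture above: a 31-byte string,
#    so VSA L=33 and AVP L=39, the same numbers as in the post.
ACE_ACCEPT = build_cisco_avpair("shell:Cnt1=admin default-domain")
# 2. The assumed NX-OS form granting network-admin.
NEXUS_ACCEPT = build_cisco_avpair('shell:roles="network-admin"')
# 3. An Access-Accept that only returns a Reply-Message: authentication passed,
#    but no role came back, so a Nexus without 'aaa user default-role' rejects the login.
BARE_ACCEPT = struct.pack("!BB", REPLY_MESSAGE, 2 + 2) + b"ok"

if __name__ == "__main__":
    for name, pkt in (("ACE", ACE_ACCEPT), ("Nexus", NEXUS_ACCEPT), ("bare", BARE_ACCEPT)):
        print(name, cisco_avpairs(pkt), "roles:", shell_roles(pkt))
```

Feed the attribute portion of a captured Access-Accept (everything after the 20-byte RADIUS header) to cisco_avpairs to see whether the server is returning any Cisco-AVPair at all; a None from shell_roles is exactly the "authenticated on RSA, rejected on Nexus" symptom described above.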