Cisco Support Community

Providing Limited Access to User using Radius (ACS) on Nexus

    Introduction

    This document provides an example of how to give users limited access on a Nexus switch, so that they can run only a few commands, using RADIUS.

    For example, you may want a user to be able to log in to privileged or configuration mode and still run no command other than the interface command. To do this, create a custom role for the user on the switch and push it through ACS or another RADIUS server.

    NOTE:

    This is useful in cases where you want to restrict users to running only a few commands using RADIUS, because command authorization is an exclusive feature of TACACS+ and is not possible with RADIUS.

    However, there is a workaround that accomplishes this task in a slightly different way.

    Create a custom role on the Nexus switch that permits only a few commands, push that role through the RADIUS server, and you are good to go.

    Prerequisites

    The ACS (RADIUS server) and the Nexus switch must be reachable from each other and able to authenticate each other.

    Components Used

    1. ACS
    2. Nexus 7000

    Configuration of Custom Role on Nexus

    switch(config)# role name Limited_Access
    switch(config-role)# rule 1 permit read-write feature interface

    Note:
    The role name must match the value later pushed in the cisco-av-pair (shell:roles=Limited_Access) exactly, otherwise the switch cannot map the user to the role. If you want to permit more access, add multiple rules, for example:

    switch(config-role)# rule 1 permit read-write feature snmp
    switch(config-role)# rule 2 permit read-write feature snmpTargetParamsEntry
    switch(config-role)# rule 3 permit read-write feature snmpTargetAddrEntry

    Configure Nexus Device for Authentication and Authorization

    1. Create a local user on the switch with full privileges for fallback with the username command, as shown here:

    switch(config)# username admin password 0 cisco123! role network-admin

    2. Provide the IP address of the RADIUS server (FreeRADIUS):

    switch# configure terminal
    switch(config)# radius-server host 10.10.1.1 key cisco123 authentication accounting
    switch(config)# aaa group server radius RadServer
    switch(config-radius)# server 10.10.1.1
    switch(config-radius)# use-vrf management

    Note: The key must match the shared secret configured on the RADIUS server for this Nexus device.

    3. Test the RADIUS server availability with the test aaa command, as shown:

    switch# test aaa server radius 10.10.1.1 user1 Ur2Gd2BH

    The test authentication will fail with a Reject from the server because the user is not configured yet; however, it confirms that the server is reachable.

    4. Configure login authentication as shown here:

    switch(config)# aaa authentication login default group RadServer
    switch(config)# aaa accounting default group RadServer
    switch(config)# aaa authentication login error-enable

    Note: You do not have to worry about the local fallback method here, because the Nexus switch falls back to local authentication on its own if the RADIUS server is not available.

    Configuration on ACS

    Complete these steps:

    Navigate to Policy Elements > Authentication and Permissions > Network Access > Authorization profile in order to create an authorization profile.

    [Screenshot: profile.jpg]

     

    1. Enter a name for the profile.
    2. Under the Custom Attributes tab, enter these values:
          Dictionary Type: Radius-Cisco
          Attribute: cisco-av-pair
          Requirement: Mandatory
          Value: shell:roles=Limited_Access

    [Screenshot: profile1.jpg]

    Submit the changes in order to create an attribute-based role for the Nexus switch.

    [Screenshot: profile2.jpg]

    Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, RADIUS requests are processed by the Network Access policy.

    In the Conditions area, choose the appropriate conditions. In the Results area, choose the Limited_Access profile.

    [Screenshot: authorization.jpg]

     

    [Screenshot: authorization2.jpg]

    Click OK.

    Nexus CLI

    Log in to the Nexus switch with the username and password configured on the ACS. Once logged in, run the following command to verify whether the test user has received the Limited_Access role:

    switch# show user-account
    user:admin
            this user account has no expiry date
            roles:network-admin

    user:Test
            this user account has no expiry date
            roles:Limited_Access

    This confirms that the user is now a limited-access user.

    Note:

    If you run any command other than interface under configuration mode, you will get a permission denied error.

    Verify

    Use this section to confirm that your configuration works properly.

    switch# show role (displays all roles, including the custom role you created, and the permissions each role has)

    Role: network-admin
      Description: Predefined network admin role has access to all commands on the switch
      -------------------------------------------------------------------
      Rule    Perm    Type        Scope               Entity
      -------------------------------------------------------------------
      1       permit  read-write

    Role: Limited_Access
      Description: Custom Limited_Access role has access to the following commands.
      -------------------------------------------------------------------
      Rule    Perm    Type        Scope               Entity
      -------------------------------------------------------------------
      1       permit  read-write  feature             interface

    switch# show user-account
    user:admin
            this user account has no expiry date
            roles:network-admin

    user:Test
            this user account has no expiry date
            roles:Limited_Access
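    As an added check that is not part of the original document, the following Python script parses the two outputs above and flags the mismatches that break this setup: a role name in the cisco-av-pair that is not defined on the switch (for example Limited-Access versus Limited_Access), a user who did not receive the role, or a role rule that permits more than the intended feature. The sample outputs are constructed from the listings on this page, not captured from a real switch.

```python
import re
# Constructed sample output modelled on the page's "show role" and
# "show user-account" listings (not captured from a real switch).
SHOW_ROLE = """\
Role: network-admin
  1       permit  read-write
Role: Limited_Access
  1       permit  read-write  feature             interface
"""
SHOW_USER_ACCOUNT = """\
user:admin
        roles:network-admin
user:Test
        roles:Limited_Access
"""

def parse_roles(text):
    # {role_name: [(perm, type, scope, entity), ...]}; scope/entity are None for unscoped rules
    roles, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Role:\s*(\S+)", line):
            current, roles[m.group(1)] = m.group(1), []
        elif (m := re.match(r"\s*\d+\s+(permit|deny)\s+(\S+)(?:\s+(\S+)\s+(\S+))?", line)) and current:
            roles[current].append(m.groups())
    return roles

def parse_user_roles(text):
    # {user: [role, ...]} taken from the "user:" / "roles:" lines
    users, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*user:(\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s*roles:(.+)", line)) and current:
            users[current] = [r.strip() for r in m.group(1).split(",")]
    return users

def check_limited_user(user, av_pair, allowed, role_out, user_out):
    # Returns findings; an empty list means the user is confined to the 'allowed' features.
    role = av_pair.split("shell:roles=", 1)[1]
    roles = parse_roles(role_out)
    if role not in roles:  # e.g. ACS pushes Limited-Access but the switch defines Limited_Access
        return [f"role {role!r} from cisco-av-pair is not defined on the switch"]
    findings = []
    if role not in parse_user_roles(user_out).get(user, []):
        findings.append(f"user {user!r} did not receive role {role!r}")
    for perm, _type, scope, entity in roles[role]:
        if perm == "permit" and scope is None:
            findings.append(f"role {role!r} has an unscoped permit rule (full access)")
        elif perm == "permit" and entity.lower() not in allowed:
            findings.append(f"role {role!r} also permits {scope} {entity}")
    return findings
```

    Feed it the real output of show role and show user-account from your switch together with the exact cisco-av-pair value configured on ACS.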

     

    Troubleshooting

    Perform the following steps to troubleshoot role assignment:

    1. Check which AAA group is used for authentication with the show running-config aaa and show aaa authentication commands.

    2. For RADIUS, check the VRF association of the AAA group with the show radius-server groups and show running-config radius commands.

    3. If the above commands show that the association is correct, use the debug radius all command to enable the trace.

    4. Check whether the correct attributes are being pushed from the ACS.

    Related Information

    Technical Support & Documentation - Cisco Systems
