topic Re: Radius Integration with Nexus in Network Access Control

Radius Integration with Nexus

rakesh.dutt — Mon, 11 Mar 2019 00:35:35 GMT

Hi,

I have configured Nexus 7000 for Radius authentication. Login is being shown successfull on RSA server However login on Nexus is not successful giving the below error.

C15F0DCCODS3# 2010 Nov 19 13:44:01 C15F0DCCODS3 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ankur4888 from 172.18.1.12 - login.

Below is the output of debug aaa aaa-requests :

C15F0DCCODS3# 2010 Nov 19 13:45:14.750183 aaa: mts_aaa_req_process
2010 Nov 19 13:45:14.750244 aaa: aaa_req_process for authentication. session no
0
2010 Nov 19 13:45:14.750283 aaa: aaa_req_process: General AAA request from appln
: login appln_subtype: default
2010 Nov 19 13:45:14.750310 aaa: try_next_aaa_method
2010 Nov 19 13:45:14.750351 aaa: total methods configured is 1, current index to
be tried is 0
2010 Nov 19 13:45:14.750379 aaa: handle_req_using_method
2010 Nov 19 13:45:14.750404 aaa: AAA_METHOD_SERVER_GROUP
2010 Nov 19 13:45:14.750429 aaa: aaa_sg_method_handler group = EXL-RADIUS
2010 Nov 19 13:45:14.750454 aaa: Using sg_protocol which is passed to this funct
ion
2010 Nov 19 13:45:14.750483 aaa: Sending request to RADIUS service
2010 Nov 19 13:45:14.750553 aaa: Configured method group Succeeded
2010 Nov 19 13:45:16.788367 aaa: prot_daemon_reponse_handler
2010 Nov 19 13:45:16.788468 aaa: is_aaa_resp_status_success status = 1
2010 Nov 19 13:45:16.788496 aaa: is_aaa_resp_status_success is TRUE
2010 Nov 19 13:45:16.788523 aaa: aaa_send_client_response for authentication. session->flags=21. aaa_resp->flags=0.
2010 Nov 19 13:45:16.788549 aaa: AAA_REQ_FLAG_NORMAL
2010 Nov 19 13:45:16.788592 aaa: mts_send_response Successful
2010 Nov 19 13:45:16.788628 aaa: aaa_cleanup_session
2010 Nov 19 13:45:16.788655 aaa: mts_drop of request msg
2010 Nov 19 13:45:16.788683 aaa: aaa_req should be freed.
2010 Nov 19 13:45:16 C15F0DCCODS3 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authenticationfailed for user ankur4888 from 172.18.1.12 - login

Regards,

Rakesh

Re: Radius Integration with Nexus

Vinay Sharma — Fri, 19 Nov 2010 11:43:54 GMT

Hi Rakesh,

i have noticed one thing in debug logs that this is for Auth privilege 3 user. that has to be for lvl 7 for sucess. so let's try one thing:-

2010 Nov 19 13:45:16 C15F0DCCODS3 %AUTHPRIV-7-SYSTEM_MSG: pam_aaa:Authenticationfailed for user 
ankur4888 from 172.18.1.12 - login

what can be done is t
o set logging level for authpriv to 7. at that point you will see logs
 that look like this:

%AUTHPRIV-7-SYSTEM_MSG: user test authenticated  - login

This is the best that can be done for aaa local login authentication 
logging.

How:

   logging level authpriv 7
   logging level auth 7

Please try that and share the results.

thanks,

Vinay

-----

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

----------

Re: Radius Integration with Nexus

rakesh.dutt — Mon, 22 Nov 2010 08:20:13 GMT

hi,

It din work work. However i applied the command aaa user default-role & it started to login. Nexus expects the AAA server to send the autorization for the user & if that is not there in reply from the RSA, the login is failed. This was the problem is my case so as soon as i applied "aaa user default-role ". The user is able to login with default role i.e operator.

I am using RSA as AAA server. I am not able to find any option in RSA wherein i can enable to to send network-admin role with auhentication.

Is there any compatiablity problem in integrating Nexus with RSA as AAA srver

Regards,

Rakesh

Re: Radius Integration with Nexus

Eduardo Aliaga — Wed, 24 Nov 2010 16:03:49 GMT

Traditional IOS needs only user and password.

On the other hand, Nexus, Cisco ACE and Cisco CRS are very different. They have "users and passwords" but also "roles" and "domains". If you don't specify a role or a domain you will get default role and default domain.

Your radius server should be customizable enough to set these attributes. Cisco ACS 5.x is a great AAA server. I have configured AAA between Cisco ACE and Cisco ACS using customized roles without problems.

In your scenario I would recommend to use TACACS+ between Nexus and ACS 5.x and SecurID protocol between ACS 5.x and RSA server.

But if you want to use RADIUS between Nexus and RSA server then you will have to find and set the right attributes in your RSA server.

A packet capture from Cisco ACE shows the following attribute:

AVP: L=39 t=vendor-specific(26) v=Cisco(9)

VSA: L=33 t=Cisco-AVPair(1)

I'm taking is something similar for Cisco Nexus. If you find the right attribute you have to set that attribute to something like the following:

"shell:Cnt1=admin default-domain" , where "Cnt1" is the ACE context, "admin" is the role, and default-domain is the domain.