12-22-2021 11:53 PM
Hello,
I'm running a Fabric with 3 APICs, some Leaf, Spine and POD devices.
I set a policy to authenticate to the Fabric through RADIUS, which is running on Windows NPS servers.
Authentication to APICs succeeds without issues but I cannot authenticate through Radius to the other devices, Leafs and Spines.
I guess that the policies to set in the RADIUS servers are different, but I can't find relevant documentation concerning this issue.
For information, I can see RADIUS packets arriving at the NPS servers when I want to log on to a leaf or spine device, but the policy never matches.
Any idea or a link to documentation?
Thanks in advance
Kind regards
Gildas
01-06-2022 06:22 AM - edited 01-06-2022 06:28 AM
Gildas,
I've seen this before, and it was due to a mis-config on the RADIUS side where the NPS server has a condition that the client name must be equal to the name of the APIC. That rejects the switch nodes, resulting in the next subsequent policy being applied (which didn't contain the Cisco AV pair), and with the Remote user policy on the APIC having a default role assignment, a read-only role is issued, which doesn't allow logon to fabric nodes.
Can you also change the default role to "no login", which should return an empty AV pair should there be no match. This will rule out the default policy being assigned, which is what is allowing you to log onto the APIC. You likely have an AV pair issue you need to sort out if this is the case.
Robert
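The failure mode Robert describes, modelled as an added example (not code from the thread or from NPS): ordered first-match policy evaluation, a client-name condition that only matches APICs, and an ACI `shell:domains` AV-pair parser deciding whether the applied policy grants a write role. Policy names, client names and the `apic`/`leaf`/`spine` naming pattern are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    client_pattern: str                  # condition on the RADIUS client friendly name
    attributes: dict = field(default_factory=dict)  # returned in Access-Accept

# Constructed policy sets. NPS processes network policies in order; the first
# policy whose conditions match is applied and no later policy is consulted.
AV_PAIR = "shell:domains=all/admin/"    # ACI syntax: shell:domains=<domain>/<write-roles>/<read-roles>
BROKEN = [
    Policy("ACI-Admins", r"apic\d+", {"Cisco-AV-Pair": AV_PAIR}),  # condition only matches APICs
    Policy("Default", r".*"),                                       # no AV pair returned at all
]
FIXED = [
    Policy("ACI-Admins", r"(apic|leaf|spine)\d+", {"Cisco-AV-Pair": AV_PAIR}),  # switches match too
    Policy("Default", r".*"),
]

def evaluate(policies, client_name):
    """Return the first policy whose client-name condition matches, or None."""
    for p in policies:
        if re.fullmatch(p.client_pattern, client_name):
            return p
    return None

def parse_av_pair(av_pair):
    """Parse ACI 'shell:domains=dom/w1|w2/r1,dom2/w/r' into {domain: (write_roles, read_roles)}."""
    m = re.fullmatch(r"shell:domains\s*=\s*(.+)", (av_pair or "").strip())
    if not m:
        return {}
    out = {}
    for entry in m.group(1).split(","):
        parts = entry.strip().split("/")
        if len(parts) != 3:              # malformed entry: ignore rather than guess
            continue
        dom, write, read = parts
        out[dom] = ([r for r in write.split("|") if r], [r for r in read.split("|") if r])
    return out

def fabric_login_ok(policy):
    """True if the applied policy grants at least one write role via the AV pair.
    Rule taken from the post above: with no AV pair the APIC applies its default
    (read-only) role, which does not permit logon to leaf/spine nodes."""
    if policy is None:
        return False
    roles = parse_av_pair(policy.attributes.get("Cisco-AV-Pair"))
    return any(write for write, _ in roles.values())

if __name__ == "__main__":
    for policies, label in ((BROKEN, "broken"), (FIXED, "fixed")):
        for client in ("apic1", "leaf101", "spine201"):
            p = evaluate(policies, client)
            print(f"{label:6} {client:9} -> {p.name:10} login={fabric_login_ok(p)}")
```

Running it shows `leaf101` and `spine201` falling through to `Default` (no AV pair, login denied) under `BROKEN` while `apic1` succeeds, which matches the symptom in the opening post; under `FIXED` all three clients receive the AV pair.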
09-21-2023 03:50 AM
I have a similar problem, but in our case I cannot see any packets arriving at the RADIUS server when trying to log in to a leaf or spine. When checking the running config of a leaf, it hasn't got any references to a RADIUS server. The APICs have RADIUS servers set up, it's in the APIC config, and it works to log in to the APICs but not the switches. Where is the policy controlling leaf and spine RADIUS logins?