
ACI and Freeradius

lnrdnl78d
Level 1

Hi Dears,

Did someone meet troubles deploying authentication of ACI using Freeradius?
We're deploying it for a customer but always receive "authentication reject".
On Freeradius (owned by the customer) we asked to configure the following
av-pairs, as we need only one role with full privilege.

file: /etc/freeradius/clients.conf

client *.*.*.* {
        type            = acct
        secret          = *****************
        shortname       = Cisco
        nastype         = cisco
        require_message_authenticator = no
}

________________________________________

file: /etc/freeradius/users

User_User                      MD5-Password := ""**************************""
                                Service-Type = NAS-Prompt-User,
                                cisco-avpair = 'shell:roles=\"network-admin\"',
                                Cisco-avpair += "shell:domains = all/aaa/read-all(16001)",
                                cisco-avpair += "shell:priv-lvl=15"

User_User.aci                  MD5-Password := "**************************"
                                Cisco-avpair = "shell:domains = all/admin"



That Freeradius is already used to authenticate access to other devices (Cisco too). At the beginning the customer tried to add the av-pair to an existing user, but then he created a new user (User_User.aci) for test purposes.

Any idea?

Thanks in advance

Daniele


2 Replies

Francesco Molino
VIP Alumni
Hi

Have you tried to return shell:domains = all//admin instead of a single /?

Also can you check the file /var/log/dme/log/nginx.bin.log to see what it shows when you try to authenticate?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sig Nine
Level 1
Hello, Daniele.

Is it possible to try the following settings?

User_User       MD5-Password := ""**************************""
                Service-Type = NAS-Prompt-User,
                cisco-avpair = 'shell:roles=\"network-admin\"',
                Cisco-avpair += "shell:domains = all/aaa/read-all/(16001)",
                cisco-avpair += "shell:priv-lvl=15"

User_User.aci   MD5-Password := "**************************"
                Cisco-avpair = "shell:domains = all/admin/(16002)"
Regards,
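As an added example (not code from either poster), here is a small Python checker for the avpair syntax the thread is arguing about. It pulls every cisco-avpair out of a FreeRADIUS users-file entry and parses the shell:domains value under an assumed layout of domain/writeRoles/readRoles, with | separating multiple roles, commas separating domain entries and an optional trailing (UID); the read-role field is exactly the part the two replies want added, so the checker flags an entry where it is missing. The two sample entries are the thread's own User_User.aci user in its original and suggested forms, with constructed placeholder password hashes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# FreeRADIUS compares attribute names case-insensitively, so "cisco-avpair"
# and "Cisco-avpair" are the same attribute; accept both "=" and "+=".
AVPAIR_RE = re.compile(
    r"""^\s*cisco-avpair\s*\+?=\s*(['"])(?P<raw>.*)\1\s*,?\s*$""", re.IGNORECASE
)
# Optional "(UID)" suffix on the whole shell:domains value, e.g. "...(16001)".
UID_RE = re.compile(r"^(?P<body>.*?)\s*(?:\((?P<uid>\d+)\))?\s*$")


@dataclass
class DomainGrant:
    domain: str
    write_roles: List[str]
    read_roles: Optional[List[str]]  # None when the read-role field was omitted
    uid: Optional[int]


def _roles(field: str) -> List[str]:
    """Split a role field on '|' and drop empty names."""
    return [r.strip() for r in field.split("|") if r.strip()]


def parse_shell_domains(value: str) -> List[DomainGrant]:
    """Parse the text after 'shell:domains =' into one grant per security domain.

    Assumed layout (this example's reading of the format, not verified against an
    APIC): "domain/writeRole|writeRole/readRole|readRole", entries separated by
    ',', with an optional trailing "(UID)" that applies to the whole value.
    """
    m = UID_RE.match(value.strip())
    body, uid = m.group("body"), m.group("uid")
    grants: List[DomainGrant] = []
    for entry in body.split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split("/")
        if len(parts) > 3:
            raise ValueError(f"too many '/' in {entry!r}")
        domain = parts[0].strip()
        if not domain:
            raise ValueError(f"empty domain name in {entry!r}")
        write = _roles(parts[1]) if len(parts) > 1 else []
        read = _roles(parts[2]) if len(parts) > 2 else None
        grants.append(DomainGrant(domain, write, read, int(uid) if uid else None))
    return grants


def shell_domains_from_entry(entry_text: str) -> List[str]:
    """Return the raw shell:domains values found in one users-file entry."""
    values = []
    for line in entry_text.splitlines():
        m = AVPAIR_RE.match(line)
        if not m:
            continue
        key, sep, val = m.group("raw").partition("=")
        if sep and key.strip().lower() == "shell:domains":
            values.append(val.strip())
    return values


def lint_entry(entry_text: str) -> List[str]:
    """Return findings for one users-file entry; an empty list means it parsed cleanly."""
    findings = []
    values = shell_domains_from_entry(entry_text)
    if not values:
        findings.append("no shell:domains avpair in entry")
    for v in values:
        try:
            grants = parse_shell_domains(v)
        except ValueError as e:
            findings.append(f"{v!r}: {e}")
            continue
        for g in grants:
            if g.read_roles is None:
                findings.append(
                    f"{v!r}: domain {g.domain!r} has no read-role field "
                    "(assumed layout is domain/write/read; end with '/' for no read roles)"
                )
            elif not g.write_roles and not g.read_roles:
                findings.append(f"{v!r}: domain {g.domain!r} grants no roles")
    return findings


# Constructed sample entries mirroring the thread (password hashes are placeholders).
ORIGINAL_ACI_USER = '''User_User.aci                  MD5-Password := "placeholder-hash"
                                Cisco-avpair = "shell:domains = all/admin"
'''
SUGGESTED_ACI_USER = '''User_User.aci   MD5-Password := "placeholder-hash"
                Cisco-avpair = "shell:domains = all/admin/(16002)"
'''

if __name__ == "__main__":
    for name, entry in (("original", ORIGINAL_ACI_USER), ("suggested", SUGGESTED_ACI_USER)):
        print(name, lint_entry(entry) or "OK")
```

Run it as a script to see the original entry flagged and the suggested one pass; the parser also handles several comma-separated domains in one value, which the thread's single-domain examples do not exercise.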
