11-11-2016 10:35 AM - edited 03-01-2019 04:33 AM
I am encountering an issue where I am trying to set up AAA for login to the APIC-EM web console. I have added the APIC-EM to my FreeRADIUS server and I see an authorization request come through from APIC-EM to the server. My RADIUS server does an LDAP check to see if the user belongs to a group, _netops in this case, and the user matches and is granted access.
When attempting to log in from the web, the response I get is "Invalid Login Credentials".
I have noticed on the configuration page of External Authentication there is an AAA Attribute defined as Cisco-AVPair with the following value: "cisco-av-pair= Scope=group-1,group-2:Role=ROLE_OBSERVER&Scope=group-3,group-4:Role=ROLE_ADMIN".
Is it the recommendation to add Cisco-AVPair to the AD schema with the definitions? If so, what would that look like, as I have seen many different Cisco-AVPair definitions online?
One example is:

Property                 Value
Common Name              CiscoAVPair
LDAP Display Name        CiscoAVPair
Unique X500 Object ID    1.3.6.1.4.1.9.287247.1
Description              CiscoAVPair
Syntax                   Case Sensitive String
Also, in FreeRADIUS I am assuming I would add the following to my ldap.attrmap:
checkItem Cisco-AVPair Cisco-AVPair
replyItem Cisco-AVPair Cisco-AVPair
Attached is an example of a login attempt as seen from the freeradius server.
12-07-2016 01:22 PM
Have you tried: cisco-av-pair Scope=ALL:Role=ROLE_ADMIN
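As an added illustration (not posted by either participant in this thread), the following FreeRADIUS "users" file entries show how the server itself can return the Cisco-AVPair in the Scope=...:Role=... format from the APIC-EM configuration page, keyed on the LDAP group check already described in the question, without extending the AD schema. The group DNs, the _netview group, and the assumption that rlm_ldap is configured for group lookups are placeholders chosen for the example; the ROLE_ADMIN and ROLE_OBSERVER names and the Scope=ALL form are the ones that appear in the thread.

```text
# Added example, not from the thread. Assumes FreeRADIUS 3.x with rlm_ldap
# configured for group membership lookups (so the Ldap-Group check item works)
# and the default Cisco dictionary loaded (it defines Cisco-AVPair).
# Group DNs below are placeholders; replace them with your directory's values.

# Members of _netops (the group the question already checks) get the value
# suggested in the reply: full admin rights on every scope.
DEFAULT  Ldap-Group == "cn=_netops,ou=groups,dc=example,dc=com"
         Cisco-AVPair = "Scope=ALL:Role=ROLE_ADMIN"

# A second, read-only group (placeholder name _netview) gets the observer role,
# using the same Scope=...:Role=... syntax shown on the configuration page.
DEFAULT  Ldap-Group == "cn=_netview,ou=groups,dc=example,dc=com"
         Cisco-AVPair = "Scope=ALL:Role=ROLE_OBSERVER"

# Everyone else is rejected outright rather than receiving an Access-Accept
# that carries no role attribute.
DEFAULT  Auth-Type := Reject
```

Entries in the users file are tried in order and, without Fall-Through, the first match ends processing, so the catch-all reject must stay last. With this approach the attribute value lives on the RADIUS server; the checkItem/replyItem lines in ldap.attrmap from the question are only needed if you choose instead to store the Cisco-AVPair string per user in the directory and have FreeRADIUS copy it into the reply.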