05-27-2014 11:24 AM - edited 03-10-2019 09:45 PM
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization through our AAA config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for AAA authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>aaa authentication login default group Radius_Group
>>aaa authentication login console local
>>aaa group server radius Radius_Group
>>  server X.X.X.X
>>  server X.X.X.X
>>  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server.
Does anyone know if this works????
Thanks
Labels: AAA
Accepted Solutions
05-28-2014 10:31 AM
I have not used NPS before but it looks like you are on the right track. As Ed mentioned in his post, in ACS you can define the type of protocols that you will accept during an authentication session. Nexus authentication sessions should be seen as PAP/ASCII so you should be good to go. I don't have a Nexus switch to test with but if you do, you can use Wireshark to capture the session and see the exact protocol/method used. However, I am pretty sure PAP is the way to go:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_tacacsplus.html
I also found the following link that you might find helpful:
http://www.802101.com/2013/08/cisco-nexus-and-aaa-authentication.html
Thank you for rating helpful posts!
05-27-2014 02:24 PM
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts!
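An added example, not code from this thread or from Cisco: a small Python encoder/decoder for the RADIUS Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor type 1 = cisco-av-pair) that carries the value above, plus a parser for shell:roles that tells the `=` (mandatory) form from the question apart from the `*` (optional) form in this answer. It can be run over attribute bytes pulled from a captured Access-Accept to confirm what the RADIUS server actually returned; all sample values below are constructed.

```python
import struct

VSA_TYPE = 26                 # RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR_VENDOR_TYPE = 1  # cisco-av-pair inside the Cisco VSA


def encode_cisco_avpair(avpair: str) -> bytes:
    """Build one RADIUS VSA (type 26) carrying a cisco-av-pair string."""
    data = avpair.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR_VENDOR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return every cisco-av-pair string.

    Non-Cisco attributes are skipped; bad lengths raise instead of being
    silently accepted, since a truncated VSA should never grant a role.
    """
    pairs, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == VSA_TYPE and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor == CISCO_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("malformed vendor attribute")
                    if vtype == CISCO_AVPAIR_VENDOR_TYPE:
                        pairs.append(attrs[j + 2:j + vlen].decode())
                    j += vlen
        i += alen
    return pairs


def parse_shell_roles(avpair: str) -> dict:
    """Interpret shell:roles; '=' marks a mandatory pair, '*' an optional one."""
    for sep, req in (("=", "mandatory"), ("*", "optional")):
        name, _, value = avpair.partition(sep)
        if name == "shell:roles" and value:
            return {"requirement": req, "roles": value.strip('"').split()}
    return {}  # not a shell:roles pair (e.g. shell:priv-lvl)
```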
05-28-2014 07:39 AM
That is what I plan on trying today and I hope it works. Another question: under the NPS setup I have "Configure Authentication Methods", where they advise using PAP and SPAP. Does Cisco ACS advise what authentication method to use?
05-28-2014 08:04 AM
Cisco ACS will not advise you to use a protocol; it is the administrator's choice to allow the required protocols.
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed
05-29-2014 08:51 AM
FYI gentlemen it worked!!!!!
Thanks for all the guidance
Brian
05-29-2014 10:41 AM
Awesome! Good to hear! :)
