privilege level support for authorization on radius on nexus 9000 running 7.0(3)I1(3)

mohdtaamneh
Level 1

Dear Expert,

I am trying to configure privilege level support for authorization on radius on nexus 9000 running 7.0(3)I1(3) and I am getting the following message:

TOR-SW-CAB-B(config)# aaa authorization commands default group radius local

Radius group is not supported for command authorization
could not update aaa configuration

Also, the command "authorization exec RBAC" is not supported.

I want to configure privilege levels so that the user enters the "enable" password after logging in to the switch and, based on his privilege, can or can't change the configuration.

I am using ISE/RADIUS for authentication, authorization and accounting. The configuration is as follows:

aaa authentication login default group radius
aaa accounting default group radius

The same ISE/RADIUS configuration is working fine with other Cisco switches/routers in the network.

Any feedback on how to solve this issue is highly appreciated.

Best Regards,

Mohammad Taamneh

Accepted Solutions

nspasov
Cisco Employee

Hi Mohammad, 

A couple of things to note:

1. Command Authorization is not available with RADIUS. Thus, if you want to use that feature, you will have to use TACACS+.

2. NX-OS does not "understand" privilege level. Instead, user roles are used. For example,

shell:roles=network-operator vdc-admin 

For more info check out the following document:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_0101.html

Thank you for rating helpful posts!
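
The role-based approach from the accepted answer, as an added example that is not part of the original posts: two RADIUS authorization results that return an NX-OS role in the Cisco AV-pair, next to the switch-side AAA lines from the question. The profile names, the server address 192.0.2.10 and the `<shared-secret>` placeholder are assumptions; `network-admin` and `network-operator` are the built-in NX-OS read-write and read-only roles.

```text
! --- RADIUS server (ISE authorization profiles, names are hypothetical) ---
! Profile NXOS-ReadWrite : users allowed to change the configuration
!   cisco-av-pair = shell:roles="network-admin"
! Profile NXOS-ReadOnly  : users limited to show commands
!   cisco-av-pair = shell:roles="network-operator"
!
! --- Nexus switch ---
! RADIUS server definition (address and key are placeholders)
radius-server host 192.0.2.10 key <shared-secret>
!
! Login authentication and accounting through RADIUS, as in the question.
! No "aaa authorization commands" line: the role returned at login
! decides what the session may do.
aaa authentication login default group radius
aaa accounting default group radius
!
! --- Verification after a RADIUS user logs in ---
! Lists the user together with the roles received from the server
show user-account
! Shows the rules behind each role
show role
```

There is no "enable" step in this model: the role is bound to the session at login, so moving a user between read-only and read-write is done by changing the profile the RADIUS server returns.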
