05-09-2023 03:56 AM
Hi,
I have configured radius on some N5K-C5672UP switches. Running 7.3(13)N1(1).
I can login using my AD credentials but for some reason I seem to have a reduced privilege level and cannot see all commands when doing a conf t.
L1N5K02-P(config)# ?
no Negate a command or set its defaults
username Configure user information.
end Go to exec mode
exit Exit from command interpreter
L1N5K02-P(config)#
When I login as a local admin I can configure more of the device but I am unable to set the VTY line to 15
L1N5K02-P(config)# line vty
L1N5K02-P(config-line)# ?
absolute-timeout Configure absolute timeout
access-class Specify IPv4 access control for packets
exec-timeout Configure exec timeout
ip Configure IP features
ipv6 Configure IPv6 features
logout-warning Configure logout warning
no Negate a command or set its defaults
session-limit Set the max no of concurrent vsh sessions
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in
L1N5K02-P(config-line)#
I believe the NPS server is setup correct as my AD account is working correctly for other network devices.
05-10-2023 06:30 AM - edited 05-10-2023 06:49 AM
I am sorry, but can you share a good-resolution image?
You must use only network-admin, not both.
The user is either network-operator or admin; here we need it to be admin.
Cisco-AVPair = shell:roles=\network-operator network-admin\
OR select one that works for you; do not add both under attribute 5000.
Cisco-AVPair = shell:roles*\network-operator network-admin\
thanks
MHM
05-09-2023 04:02 AM - edited 05-09-2023 06:55 AM
Hello support1@lima.co.uk,
Please share the output of the aaa configuration on your Nexus.
You perhaps need to adjust the privilege level settings in your RADIUS configuration. Do you have something like this?
aaa group server radius radius-group
server <radius-server-ip-address>
use-vrf management
source-interface <management-interface>
!
aaa authentication login default group radius-group local
!
05-09-2023 05:10 AM
Hi, please see below
L1N5K02-P# show run | i radius
radius-server key 7 "swwxoomi"
radius-server retransmit 3
radius-server host 10.200.103.112 authentication accounting
radius-server host L1RADIUS04V authentication accounting
aaa group server radius RADIUS1
ip access-list copp-system-acl-tacacsradius
ip radius source-interface mgmt0
L1N5K02-P#
L1N5K02-P# show run | i aaa
aaa group server radius RADIUS1
aaa authentication login default group RADIUS1 local
aaa accounting default group RADIUS1 local
05-09-2023 05:16 AM
The RADIUS server returns the privilege level with the accept message.
You need to return to radius server and add user admin with privilege 15.
05-09-2023 05:45 AM
Sorry, I did not follow. Are you saying the configuration on the RADIUS server is incorrect?
05-09-2023 05:54 AM
User is in the Cisco-Admin workgroup and priv is set to 15
05-09-2023 06:35 AM - edited 05-09-2023 06:52 AM
You need on your NPS another Cisco AV-Pair
shell:roles*network-admin
05-10-2023 03:13 AM
We are not using ISE in this deployment; does it still require the missing shell:roles=*network-admin?
05-10-2023 03:20 AM
I have added the additional configuration to the NPS server.
Still not able to have full level 15 privileges when logging in.
05-10-2023 03:43 AM
Cisco-AVPair = shell:roles=\network-operator network-admin\
Cisco-AVPair = shell:roles*\network-operator network-admin\
This is how you config the AVPair.
05-10-2023 05:35 AM
Hi MHM,
I have changed the settings to the below. I still have a reduced level of management.
This is my conf t ? output
05-10-2023 06:42 AM
Hi,
I have removed the network operator but is this required as on the switch it states my account is a network-operator. Should this be matching on NPS and switch?
roles:network-operator
user:mike.allen_adm
05-10-2023 06:48 AM
The attribute 5000 is only for the role and it accepts only one value.
I see three values under the attribute 5000, am I correct?
05-10-2023 06:52 AM
Yes, there are 3 values in the 5000 attribute. Should it only have the shell:roles*\network-admin\ and remove the priv 15 and other shell role value? I thought you could have more than one value in the 5000 attribute.
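As an added example (not from this thread, NPS or any Cisco tool), a small Python checker for the Cisco-AVPair values an Access-Accept carries. It assumes NX-OS takes the user's role only from a shell:roles AVPair (with `=` for mandatory or `*` for optional) and falls back to its default AAA role, network-operator, when none is present; the two sample value lists are constructed to mirror the broken and the corrected NPS attribute discussed above.

```python
import re

# shell:roles="r1 r2" or shell:roles*"r1 r2"; the quotes are optional in the match.
# '=' marks the AVPair mandatory, '*' optional; NX-OS reads the roles from either.
ROLE_RE = re.compile(r'^shell:roles([=*])"?([^"]*)"?$')

# Constructed samples: three values under attribute 5000 (as in the thread) and one.
BROKEN_AVPAIRS = [
    "shell:priv-lvl=15",
    'shell:roles="network-operator network-admin"',
    'shell:roles*"network-operator network-admin"',
]
FIXED_AVPAIRS = ['shell:roles="network-admin"']


def parse_cisco_avpairs(avpairs):
    """Split AVPairs into a list of role lists (one per shell:roles value) and the rest."""
    role_sets, others = [], []
    for av in avpairs:
        m = ROLE_RE.match(av.strip())
        if m:
            role_sets.append(m.group(2).split())
        else:
            others.append(av.strip())
    return role_sets, others


def check_admin_role(avpairs):
    """Return findings; an empty list means the accept should map the user to network-admin."""
    findings = []
    role_sets, others = parse_cisco_avpairs(avpairs)
    if not role_sets:
        findings.append("no shell:roles AVPair: NX-OS applies its default AAA role, network-operator")
    elif len(role_sets) > 1:
        findings.append(f"{len(role_sets)} shell:roles AVPairs returned; send exactly one")
    elif "network-admin" not in role_sets[0]:
        findings.append(f"shell:roles does not include network-admin (got {role_sets[0]})")
    for other in others:
        # priv-lvl is the IOS-style attribute; NX-OS role assignment comes from shell:roles.
        if other.startswith("shell:priv-lvl"):
            findings.append(f"{other} does not assign an NX-OS role; use shell:roles instead")
    return findings


if __name__ == "__main__":
    for label, avpairs in (("broken", BROKEN_AVPAIRS), ("fixed", FIXED_AVPAIRS)):
        print(label, check_admin_role(avpairs) or "ok: network-admin")
```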