Nexus Integration (For admin access) With Free Radius

Introduction:

This document provides an example of configuring RADIUS authentication on a Nexus switch. By default, if you configure the Nexus to authenticate through RADIUS, the user is automatically placed into the network-operator/vdc-operator role, which provides read-only access. If you want that user to be placed in the network-admin/vdc-admin role instead, you need to push the following cisco-av-pair from the RADIUS server:

 

cisco-avpair := "shell:roles*\"network-admin vdc-admin\""

 

Prerequisites:

 

Ensure that your Nexus switch is defined as a client in FreeRADIUS, with its IP address and the same shared secret key configured on both the FreeRADIUS server and the Nexus.

 

Note: On the Nexus, create a checkpoint or a backup before making any changes, so that you can roll back any issues caused by a misconfiguration.

 

Components Used:

 

  • Free Radius
  • Nexus 5000, 5.2(1)N1(1)

 

Configure Nexus Device for Authentication and Authorization:

 

1. Create a local user on the switch with full privileges, to be used as a fallback, with the username command as shown here:

 

      Switch(config)#username admin privilege 15 password 0 cisco123!

 

2. Provide the IP address of the RADIUS server (FreeRADIUS):

 

[image 1.png: screenshot of the radius-server host configuration for this step]

Note: The key must match the shared secret configured on the FreeRADIUS server for this Nexus device.

 

3. Test the RADIUS server availability with the test aaa command as shown:

 

switch# test aaa server radius 10.10.1.1 user1 Ur2Gd2BH

 

The test authentication will fail with a Reject from the server, since the user is not configured there yet; however, it confirms that the server is reachable.

 

4. Configure login authentications as shown here:

 

[image 2.png: screenshot of the aaa authentication login configuration for this step]

 

Note: You do not have to worry about the local fallback method here, because the Nexus falls back to local authentication on its own if the RADIUS server is not available.

 

Process to configure FreeRADIUS on the server side:

 

Configuration on the FreeRADIUS server (defining the Nexus as a client):

  • Move to the config directory:

cd /etc/freeradius

  • Edit the clients.conf file:

sudo nano clients.conf

  • Add each device (router or switch) as a client, identified by its IP address (or hostname), together with the shared secret it will use:

client 192.168.179.152 {
        secret = secretkey
        nastype = cisco
        shortname = switch
}

  • Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart

 

Push the role below; a user that authenticates through this entry will get the network-admin role on the Nexus. The entry applies to the whole group, since it is a DEFAULT entry matching Group == cisco-rw.

 

DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:roles*\"network-admin vdc-admin\""
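
As an added example (not part of the original post, and not FreeRADIUS or NX-OS code), the Python below parses a users-file entry like the one above, reports the formatting mistake that breaks such entries (a comma after the last reply item, which the users file format does not allow) and predicts which role the Nexus user ends up with. The NX-OS rule it assumes is the one stated at the top of this post: no shell:roles AV pair means network-operator/vdc-operator, otherwise the roles listed in the AV pair. The two sample entries are constructed for the example.

```python
import re

# Assumed NX-OS behaviour (from the post's introduction, not verified here):
# no shell:roles cisco-avpair in the Access-Accept means the read-only default.
DEFAULT_ROLES = ["network-operator", "vdc-operator"]
ADMIN_ROLES = {"network-admin", "vdc-admin"}
REPLY_RE = re.compile(r'^\s*([\w-]+)\s*(:=|\+=|=)\s*(.*?)(,)?\s*$')

def _unquote(value):
    # Strip the users-file double quotes and unescape embedded \" sequences.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"')

def parse_users_entry(entry):
    """Split one users entry into (check line, reply dict, warnings)."""
    lines = [ln for ln in entry.strip().splitlines() if ln.strip()]
    reply, warnings = {}, []
    for idx, line in enumerate(lines[1:]):
        m = REPLY_RE.match(line)
        if not m:
            warnings.append("unparsable reply item: " + line.strip())
            continue
        attr, _op, value, comma = m.groups()
        reply[attr.lower()] = _unquote(value)
        last = idx == len(lines) - 2
        if last and comma:  # the users format has no comma after the last item
            warnings.append("trailing comma on last reply item")
        elif not last and not comma:
            warnings.append("missing comma after " + attr)
    return (lines[0] if lines else ""), reply, warnings

def nexus_roles(reply):
    """Roles NX-OS would assign from the reply attributes (default: read-only)."""
    m = re.fullmatch(r'shell:roles[*=]"([\w\- ]+)"', reply.get("cisco-avpair", ""))
    return m.group(1).split() if m else list(DEFAULT_ROLES)

def audit_entry(entry):
    check_line, reply, warnings = parse_users_entry(entry)
    roles = nexus_roles(reply)
    return {"match": check_line, "roles": roles,
            "admin": ADMIN_ROLES.issubset(roles), "warnings": warnings}

# Constructed samples: the cisco-rw entry with a deliberate trailing comma on
# its last reply item, and a group entry that returns no cisco-avpair at all.
ADMIN_ENTRY = r'''DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:roles*\"network-admin vdc-admin\"",
'''
RO_ENTRY = 'DEFAULT Group == cisco-ro, Auth-Type = System\n        Service-Type = NAS-Prompt-User\n'
```

Running audit_entry over each entry in your users file before restarting FreeRADIUS shows which groups will land in network-admin and which entries need their punctuation fixed.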

 

Note: The FreeRADIUS configuration shown here was done on an Ubuntu (Linux) server. The commands may differ on other Linux distributions.

 

Verification:

 

To verify the configuration on the Nexus, use the following commands:

 

  1.    switch# show radius
  2.    switch# show running-config aaa
  3.    switch# show startup-config radius

 

 

#Please post comments if there are any queries and rate if useful
