
Nexus Integration (For admin access) With Free Radius






This document provides an example of configuring RADIUS authentication on a Nexus switch. By default, if you configure the Nexus to authenticate through RADIUS, the user is automatically placed in the network-operator/vdc-operator role, which provides read-only access. If you want that user to be placed in the network-admin/vdc-admin role, you need to push the following cisco-av-pair from the RADIUS server:


cisco-avpair := "shell:roles*\"network-admin vdc-admin\""




Ensure that your Nexus switch is defined as a client in FreeRADIUS with its IP address, and that the same shared secret key is configured on both FreeRADIUS and the Nexus.


Note: On the Nexus, create a checkpoint or a backup before making any changes in order to avoid any potential issues related to a misconfiguration.


Components Used:


  • Free Radius
  • Nexus 5000, 5.2(1)N1(1)


Configure Nexus Device for Authentication and Authorization:


1. Create a local user on the switch with full privileges for fallback with the username command as shown here:


      Switch(config)#username admin privilege 15 password 0 cisco123!


2. Provide the IP address of the Radius server (Free Radius)


image 1.png

Note: The key must match the Shared Secret configured on the free radius for this Nexus device.


3. Test the RADIUS server availability with the test aaa command as shown.


switch# test aaa server radius <radius-server-ip> user1 Ur2Gd2BH


The test authentication will fail with a Reject from the server, since the user is not configured there yet; however, it confirms that the server is reachable and the shared secret is accepted.


4. Configure login authentications as shown here:


image 2.png


Note: You do not have to worry about the local fallback method here, because the Nexus falls back to local authentication on its own if the RADIUS server is not available.


Process to Configure free radius at Server side:


Configuration on the FreeRADIUS server (defining the Nexus as a client):

  • Move to the config directory:

cd /etc/freeradius

  • Edit the clients.conf file:

sudo nano clients.conf

  • Add each device (router or switch), identified by its IP address and hostname, with its secret key (replace <nexus-ip> with the management address of the switch):

client switch {
        ipaddr    = <nexus-ip>
        secret    = secretkey
        nastype   = cisco
        shortname = switch
}

  • Restart the FreeRADIUS service:

sudo /etc/init.d/freeradius restart


Push the entry below and the user will get the network-admin role on the Nexus. This entry applies to the whole group, since it is keyed on DEFAULT Group == cisco-rw.


DEFAULT Group == cisco-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:roles*\"network-admin vdc-admin\""
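To make the role mapping concrete, the following added example (not Cisco or FreeRADIUS code) models what the switch does with an Access-Accept: if no shell:roles av-pair is present it falls back to network-operator, otherwise it takes the roles listed in the av-pair. It also undoes the users-file quoting (the escaped \" characters in the entry above) to show the string that actually goes on the wire. The sample replies are constructed, and the parsing rules are a simplification of what NX-OS accepts.

```python
"""Model of Nexus role assignment from a RADIUS Access-Accept.

Added example, not Cisco or FreeRADIUS code.  Constructed sample replies;
the av-pair grammar below is a simplification.
"""
import re

# Roles NX-OS assigns when the Access-Accept carries no shell:roles av-pair
DEFAULT_ROLES = ["network-operator"]

# cisco-avpair value:  shell:roles<sep>"role1 role2"
# <sep> is '=' (mandatory attribute) or '*' (optional attribute);
# the quotes around the role list may be omitted.
_ROLES_RE = re.compile(r'^shell:roles([=*])"?([^"]*)"?$')


def parse_shell_roles(avpair: str):
    """Return (roles, mandatory) for one cisco-avpair value, or None if the
    value is not a shell:roles attribute."""
    m = _ROLES_RE.match(avpair.strip())
    if not m:
        return None
    sep, role_list = m.groups()
    return role_list.split(), sep == "="


def roles_from_access_accept(reply_attrs):
    """reply_attrs: list of (attribute, value) pairs from an Access-Accept.
    Returns the NX-OS roles the login session will receive."""
    for name, value in reply_attrs:
        if name.lower() != "cisco-avpair":
            continue
        parsed = parse_shell_roles(value)
        if parsed and parsed[0]:
            return parsed[0]
    # No usable shell:roles av-pair: read-only role by default
    return list(DEFAULT_ROLES)


def users_file_avpair(value_in_users_file: str) -> str:
    """Undo the users-file quoting of a reply item value: strip the outer
    double quotes and turn \\" back into ".  The result is what FreeRADIUS
    sends in the cisco-avpair attribute."""
    if not (value_in_users_file.startswith('"') and value_in_users_file.endswith('"')):
        raise ValueError("users-file string values must be double-quoted")
    return value_in_users_file[1:-1].replace('\\"', '"')


# Constructed sample replies (not captured from a real server)
ADMIN_REPLY = [
    ("Service-Type", "NAS-Prompt-User"),
    ("cisco-avpair", users_file_avpair('"shell:roles*\\"network-admin vdc-admin\\""')),
]
PLAIN_REPLY = [("Service-Type", "NAS-Prompt-User")]

if __name__ == "__main__":
    print(roles_from_access_accept(ADMIN_REPLY))  # ['network-admin', 'vdc-admin']
    print(roles_from_access_accept(PLAIN_REPLY))  # ['network-operator']
```

Running the script shows the two outcomes side by side: the group entry above yields network-admin and vdc-admin, while a reply that carries only Service-Type leaves the user in the read-only network-operator role, which is the behaviour to expect if the av-pair is mistyped or the user is not in the cisco-rw group.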


Note: The configuration of FreeRADIUS shown here was done on an Ubuntu (Linux) server. The commands may differ on other Linux distributions.




To verify the configuration on Nexus use the following commands:


  1. switch# show radius
  2. switch# show running-config aaa
  3. switch# show startup-config radius



Please post comments if there are any queries and rate if useful.



