05-15-2013 12:09 PM - edited 02-21-2020 09:59 PM
This document shows how to give users limited access on a Nexus switch, so that they can run only a few commands, when the AAA server is RADIUS.
For example, you may want a user to be able to enter privileged and configuration mode but run nothing except the interface commands. You create a custom role on the switch with exactly those permissions and have ACS (or any other RADIUS server) return the role name at login.
NOTE:
This is useful when you want to restrict users to a few commands but only have RADIUS available. Per-command authorization is a TACACS+ feature; RADIUS authorizes only once, at login, so it cannot evaluate each command the user types.
The workaround below reaches the same goal in a slightly different way: create a custom role on the Nexus that permits only the required feature(s), and push that role name through the RADIUS server. NX-OS then enforces the role locally for every command the user enters.
The ACS (RADIUS server) and the Nexus must be reachable from each other and configured with the same RADIUS shared key.
switch(config)# role name Limited_Access
switch(config-role)# rule 1 permit read-write feature interface
Note:
The role name is case sensitive and must match exactly what the RADIUS server later returns in shell:roles (Limited_Access in this document). Use show role feature to list the feature names that can be used in rules. If you want to permit more access, add several rules to the same role, for example:
switch(config-role)# rule 1 permit read-write feature snmp
switch(config-role)# rule 2 permit read-write feature snmpTargetParamsEntry
switch(config-role)# rule 3 permit read-write feature snmpTargetAddrEntry
1. Create a local user on the switch with the network-admin role, so that you can still log in if the RADIUS server is unreachable (NX-OS assigns roles rather than IOS privilege levels):
switch(config)# username admin password 0 cisco123! role network-admin
2. Configure the RADIUS server (ACS or FreeRADIUS) and put it in a server group:
switch# configure terminal
switch(config)# radius-server host 10.10.1.1 key cisco123 authentication accounting
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1
switch(config-radius)# use-vrf management
Note: The key must match the shared secret configured on the RADIUS server for this Nexus device. use-vrf management is required when the server is reached through mgmt0; in general the VRF must be the one in which the server is actually reachable.
3. Test the RADIUS server availability with the test aaa command:
switch# test aaa server radius 10.10.1.1 user1 Ur2Gd2BH
Because user1 is not configured on the server, the test returns a Reject. That is still a useful result: a Reject proves the server received the request and answered, while a timeout points at a reachability, VRF or shared-key problem (a reply whose authenticator fails with the wrong key is discarded, so it looks like no reply at all).
4. Configure login authentication and accounting to use the server group:
switch(config)# aaa authentication login default group RadServer
switch(config)# aaa accounting default group RadServer
switch(config)# aaa authentication login error-enable
Note: The group name is case sensitive and must match the aaa group server created in step 2. You do not have to add local as a method: NX-OS falls back to the local database on its own when none of the RADIUS servers respond (aaa authentication login default fallback error local, which is enabled by default). The fallback applies only when the servers are unreachable, not when a server rejects the user.
On the ACS, complete these steps:
Navigate to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles in order to create an Authorization Profile, and add this RADIUS attribute to it:
Dictionary Type: RADIUS-Cisco
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles=Limited_Access
Submit the changes. This attribute is what assigns the role to the session on the Nexus switch; the role must exist on the switch and the name is case sensitive. To assign several roles, quote the space-separated list, for example shell:roles="Limited_Access network-operator".
Create a new authorization rule, or edit an existing rule, in the correct access policy. By default, RADIUS requests are processed by the Default Network Access policy.
In the Conditions area, choose the appropriate conditions (for example the identity group of the restricted users). In the Results area, choose the Limited_Access profile.
Click OK.
Log in to the Nexus with a username and password configured on the ACS. After login, run this command to verify that the test user has received the Limited_Access role:
switch# show user-account
user:admin
this user account has no expiry date
roles:network-admin
user:Test
this user account has no expiry date
roles:Limited_Access
This confirms that the user now has only the Limited_Access role.
Note:
If this user enters any command other than an interface command in configuration mode, the switch refuses it with a permission denied error, because the role permits only the interface feature.
Use this section to confirm that your configuration works properly.
switch# show role
This displays all roles, including the custom role you created, and the permissions each role has:
Role: network-admin
Description: Predefined network admin role has access to all commands on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role:Limited_Access
Description: Predefined Limited_Access role has access to following commands.
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write feature Interface
switch# show user-account
user:admin
this user account has no expiry date
roles:network-admin
user:Test
this user account has no expiry date
roles:Limited_Access
If the user does not receive the role, perform these steps:
1. Check which AAA group is used for authentication with the show running-config aaa and show aaa authentication commands.
2. For RADIUS, check the VRF association of the AAA group with the show radius-server groups and show running-config radius commands.
3. If these commands show that the association is correct, use the debug radius all command to trace the exchange with the server.
4. Check that the correct attribute (cisco-av-pair with shell:roles=Limited_Access, spelled and cased exactly as the role on the switch) is being returned in the Access-Accept from the ACS.
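As an added example that is not part of the original document, the following Python script shows what the ACS authorization profile actually puts on the wire and what troubleshooting step 4 is looking for in a debug radius all trace: an Access-Accept carrying cisco-av-pair as a Vendor-Specific attribute (type 26, vendor-id 9, vendor-type 1), with a Response Authenticator that only verifies when the switch holds the same shared key. The RADIUS identifier, request authenticator, user name and the secret cisco123 are constructed for illustration, and the functions are this example's own, not part of NX-OS or ACS.

```python
"""Build and check a RADIUS Access-Accept carrying shell:roles=<role>.

Added example: models the reply that the ACS/FreeRADIUS profile in this
document returns and the checks the Nexus performs on it. All packet
contents (identifier, request authenticator, user, secret) are constructed.
"""
import hashlib
import hmac
import os
import struct

# RFC 2865 packet code and attribute types
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor-type of cisco-av-pair
ROLES_PREFIX = "shell:roles="


def attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value(0..253)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a cisco-av-pair string in a Vendor-Specific attribute (RFC 2865 5.26):
    Vendor-Id(4) followed by Vendor-Type(1) Vendor-Length(1) String."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_authenticator, secret):
    """NAS side. Recompute with the locally configured key; a key mismatch
    fails here and the reply is discarded, which the switch experiences as a
    timeout rather than a reject."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header; reject truncated attributes."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length at offset %d" % pos)
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def extract_roles(packet):
    """Return the roles from every Cisco shell:roles AV pair in the packet.
    NX-OS accepts shell:roles="role1 role2" for several roles, so quotes are
    stripped and the list split on whitespace. Other vendors' VSAs and other
    av-pairs (for example shell:priv-lvl) are ignored."""
    roles = []
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vpos = 4
        while vpos + 2 <= len(value):
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            text = value[vpos + 2:vpos + vlen].decode("ascii", "replace")
            if vtype == CISCO_AVPAIR and text.startswith(ROLES_PREFIX):
                roles.extend(text[len(ROLES_PREFIX):].strip('"').split())
            vpos += vlen
    return roles


def demo(secret=b"cisco123"):
    """Round trip: the server answers the Test user with Limited_Access, the
    switch verifies the authenticator with the right and a wrong key, then
    reads the role. Returns (genuine_ok, wrong_key_ok, roles)."""
    req_auth = os.urandom(16)          # the NAS's random Request Authenticator
    reply = build_access_accept(
        7, req_auth, secret,
        [attr(ATTR_USER_NAME, b"Test"), cisco_avpair(ROLES_PREFIX + "Limited_Access")],
    )
    genuine = verify_response_authenticator(reply, req_auth, secret)
    wrong_key = verify_response_authenticator(reply, req_auth, b"not-cisco123")
    return genuine, wrong_key, extract_roles(reply)


if __name__ == "__main__":
    print(demo())       # (True, False, ['Limited_Access'])
```

The parse step is deliberately strict about lengths: a RADIUS client that trusts the Length fields in a reply without bounds checks is reading attacker-influenced data from the network, and a reply that fails the authenticator check must be dropped before any attribute in it is acted on.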