Showing results for 
Search instead for 
Did you mean: 




    This  document provides an example on how to provide limited access to the  users on Nexus, So that they can run only few commands using Radius.

    For  example if you want that user should login to privileged or config mode  and still not been able to run any other command except Interface  command. You will create a custom role for the user and push it through  ACS or radius server.


    It is useful in cases, where in you want to restrict the access of the users to run only few commands using Radius. Since "command authorization"  its an exclusive feature of tacacs and it’s not really possible with Radius.

    However, We have a workaround that could accomplish his task in slightly different way.

    We can create a custom role on Nexus, and permits only few commands under that role. Push the role through Radius server and you will be good to go.


    ACS(Radius server) and Nexus should be reachable and able to authenticate each other.

    Components Used

    1. ACS
    2. Nexus 7000

    Configuration of Custom Role on Nexus

    switch(config)# role name Limited-Access 
    switch(config-role)# rule 1 permit read-write feature interface
    In case if you want to permit more access, you can add multiple rules like below:
    "switch(config-role)# rule 1 permit read-write feature snmp 
    switch(config-role)# rule 2 permit read-write feature snmpTargetParamsEntry 
    switch(config-role)# rule 3 permit read-write feature snmpTargetAddrEntry" 

    Configure Nexus Device for Authentication and Authorization

    1.Create a local user on the switch with full privileges for fallback with the username command as shown here:

              Switch(config)#username admin privilege 15 password 0 cisco123!

    2. provide the IP address of the Radius server (Free Radius)

    switch# conf  terminalswitch(config)# Radius-server host key cisco123 authenticationaccountingswitch(config)# aaa group server radius RadServer switch(config-radius)#server switch(config-radius)# use-vrf Management

    Note: The key must match the Shared Secret configured on the free radius for this Nexus device.

    3. Test the RADIUS server availability with the test aaa command as shown.

             switch# test aaa server Radius user1 Ur2Gd2BH

    Test authentication will fail with a Reject from the server since it is not configured, However, it will confirms that  server is reachable

    4. Configure login authentications as shown here:

    Switch(config)#aaa authentication login default group Radserver       

     Switch(config)#aaa accounting default group Radserver 
      Switch(config)#aaa authentication login error-enable

    Note:  We dont have to worry  about the local fallback method here, Because,  Nexus fallback to local  on its own if the radius is not available.

    Configuration on ACS

    Complete these steps:

    Navigate to Policy Elements > Authentication and Permissions > Network Access> Authorization profile

    in order to create a Authorization Profile.



    1. Enter a name for the profile.
    2. Under the Custom Attributes tab, enter these values
          Dictionary Type: Radius-Cisco
          Attribute: cisco-av-pair
          Requirement: Mandatory
          Value: shell:roles=Limited_Access


    Submit the changes in order to create an attribute-based role for the Nexus switch.


    Create  a new authorization rule, or edit an existing rule, in the  correct  access policy. By default, Radius requests are processed by the   Network  access policy.

    In the Conditions area, choose the appropriate conditions. In the Results area, choose the Limited_Access profile.




    Click Ok.

    Nexus CLI

    Login  to the nexus box with username password configured on the ACS. when you  will login run the following command to verify if the test user has got  the limited_Access role or not:

    switch# show user-account
            this user account has no expiry date
          this user account has no expiry date

    It confirms that user is now a limited access user.


    Run any command except interface under configuration mode: You will get permission deny access.


    Use this section to confirm that your configuration works properly.

    switch# show role  (Will display all the roles including custom role that you have created and what all permissions does that role have )

    Role: network-admin
      Description: Predefined network admin role has access to all commands on the switch
       Rule    Perm    Type        Scope               Entity                  
        1       permit  read-write  
      Description: Predefined Limited_Access role has access to following commands.
      Rule    Perm    Type        Scope               Entity                  
      1       permit  read-write  feature             Interface      
    Switch# show user-account
    Output below: switch# show user-account
            this user account has no expiry date
          this user account has no expiry date



    Perform the following steps for role assignment:

    1.Check which AAA group is being used for authentication with the show running-config aaa and show aaa authentication commands.

    2.For RADIUS, check the VRF association with the AAA group with the show radius-server groups and show running-

    config radius commands.

    3.If the above commands show that the association is correct, then use the debug Radius all command to enable the trace

    4.Check if the correct attributes are being pushed from the ACS.

    Related Information

    Technical Support & Documentation - Cisco Systems

    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

    Recognize Your Peers