Introduction

This  document provides an example on how to provide limited access to the  users on Nexus, So that they can run only few commands using Radius.

For  example if you want that user should login to privileged or config mode  and still not been able to run any other command except Interface  command. You will create a custom role for the user and push it through  ACS or radius server.

NOTE:

It is useful in cases, where in you want to restrict the access of the users to run only few commands using Radius. Since "command authorization"  its an exclusive feature of tacacs and it’s not really possible with Radius.

However, We have a workaround that could accomplish his task in slightly different way.

We can create a custom role on Nexus, and permits only few commands under that role. Push the role through Radius server and you will be good to go.

Prerequisites

ACS(Radius server) and Nexus should be reachable and able to authenticate each other.

Components Used

1. ACS
2. Nexus 7000

Configuration of Custom Role on Nexus

switch(config)# role name Limited-Access 
switch(config-role)# rule 1 permit read-write feature interface
Note:
In case if you want to permit more access, you can add multiple rules like below:
"switch(config-role)# rule 1 permit read-write feature snmp 
switch(config-role)# rule 2 permit read-write feature snmpTargetParamsEntry 
switch(config-role)# rule 3 permit read-write feature snmpTargetAddrEntry" 

Configure Nexus Device for Authentication and Authorization

1.Create a local user on the switch with full privileges for fallback with the username command as shown here:

          Switch(config)#username admin privilege 15 password 0 cisco123!

2. provide the IP address of the Radius server (Free Radius)

switch# conf  terminalswitch(config)# Radius-server host 10.10.1.1 key cisco123 authenticationaccountingswitch(config)# aaa group server radius RadServer switch(config-radius)#server 10.10.1.1 switch(config-radius)# use-vrf Management

Note: The key must match the Shared Secret configured on the free radius for this Nexus device.

3. Test the RADIUS server availability with the test aaa command as shown.

         switch# test aaa server Radius 10.10.1.1 user1 Ur2Gd2BH

Test authentication will fail with a Reject from the server since it is not configured, However, it will confirms that  server is reachable

4. Configure login authentications as shown here:

Switch(config)#aaa authentication login default group Radserver       

 Switch(config)#aaa accounting default group Radserver 
  Switch(config)#aaa authentication login error-enable

Note:  We dont have to worry  about the local fallback method here, Because,  Nexus fallback to local  on its own if the radius is not available.

Configuration on ACS

Complete these steps:

Navigate to Policy Elements > Authentication and Permissions > Network Access> Authorization profile

in order to create a Authorization Profile.

1. Enter a name for the profile.
2. Under the Custom Attributes tab, enter these values

      Dictionary Type: Radius-Cisco
      Attribute: cisco-av-pair
      Requirement: Mandatory
      Value: shell:roles=Limited_Access

Submit the changes in order to create an attribute-based role for the Nexus switch.

Create  a new authorization rule, or edit an existing rule, in the  correct  access policy. By default, Radius requests are processed by the   Network  access policy.

In the Conditions area, choose the appropriate conditions. In the Results area, choose the Limited_Access profile.

Click Ok.

Nexus CLI

Login  to the nexus box with username password configured on the ACS. when you  will login run the following command to verify if the test user has got  the limited_Access role or not:

switch# show user-account
        user:admin
        this user account has no expiry date
        roles:network-admin

user:Test
      this user account has no expiry date
      roles:Limited_Access

It confirms that user is now a limited access user.

Note:

Run any command except interface under configuration mode: You will get permission deny access.

Verify

Use this section to confirm that your configuration works properly.

switch# show role  (Will display all the roles including custom role that you have created and what all permissions does that role have )

Role: network-admin

  Description: Predefined network admin role has access to all commands on the switch
  -------------------------------------------------------------------
   Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
    1       permit  read-write  

Role:Limited_Access
  Description: Predefined Limited_Access role has access to following commands.
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read-write  feature             Interface      

Switch# show user-account

Output below: switch# show user-account
        user:admin
        this user account has no expiry date
        roles:network-admin

user:Test
      this user account has no expiry date
      roles:Limited_Access

Troubleshooting

Perform the following steps for role assignment:

1.Check which AAA group is being used for authentication with the show running-config aaa and show aaa authentication commands.

2.For RADIUS, check the VRF association with the AAA group with the show radius-server groups and show running-

config radius commands.

3.If the above commands show that the association is correct, then use the debug Radius all command to enable the trace

4.Check if the correct attributes are being pushed from the ACS.

Related Information

Technical Support & Documentation - Cisco Systems