LDAP Authorization and Authentication
09-28-2023 07:48 AM
Hey Fellows!
I'm not gonna lie, but the Cisco documentation of LDAP is quite bad and not useful. (And I'm still only on NX-OS; I don't think Catalyst is better.)
I have successfully set an Authentication using this site:
https://ccierants.blogspot.com/2013/07/ccie-dc-sort-of-ldap-authentication-to.html
But I have run into something and I can't find any answer why.
I have the local user admin, but when I'm configuring the aaa authentication, admin is unable to access the switch.
`aaa authentication login default group local LDAP`
I suspect it is because it tries first in the AD and only then in the local database rather than the other way around. Is there a way to change it?
So it will first check the local and only then the AD?
The other thing is Authorization. The documentation is even worse.
I want to make, let's say, the group "network-administrators" in our AD have admin access on the switch, but I can't find any way to change which group has what access; it just gives me "network-operator" by default and I'm unable to do anything.
Is there a way to change it?
(We use IDM/IPA as our LDAP/AD)
09-28-2023 09:34 AM
> ...I suspect it is because it tries first in the AD and only then in the local database rather than the other way around.
- You may find out by examining the LDAP server's authentication logs and comparing them with the logs on the switch (time stamps).
M.
-- Each morning when I wake up and look into the mirror I always say, 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'
09-28-2023 11:00 AM
If I find this to be true, is there something to do about it?
09-28-2023 11:03 AM
Can you elaborate more on the issue here.
You configured the N9K to ask the AAA server (LDAP) to check user/password for anyone logging in to the N9K.
What is not working here?
09-28-2023 11:10 AM
I want to access with admin permissions, but I'm unable to; I get 'network-operator' by default. I want to have 'network-admin', but I can't find a way to change it.
Because of that, the LDAP is useless.
09-28-2023 11:11 AM
@MHM Cisco World wrote:
> Can you elaborate more on the issue here.
> You configured the N9K to ask the AAA server (LDAP) to check user/password for anyone logging in to the N9K.
> What is not working here?
Also, I want to find a way for the switch to search the LDAP and then the local database, or the other way around, but it only looks in the LDAP.
09-28-2023 11:23 AM
You need an LDAP search-map for integrating LDAP with the N9K.
For the SW, as far as I know, it has no command to directly integrate LDAP with the SW; only the N9K has.
09-28-2023 01:06 PM
I don't quite understand what you mean. I have many N9K switches and some Catalysts.
09-28-2023 01:14 PM
N9K can connect directly to LDAP.
Catalyst cannot connect directly to LDAP; it needs to connect to a server (ISE), and the server connects to LDAP.
09-28-2023 01:18 PM
The main problem remains:
I want to access with admin permissions, but I'm unable to; I get 'network-operator' by default. I want to have 'network-admin', but I can't find a way to change it.
Because of that, the LDAP is useless.
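The two questions the original poster keeps coming back to (method-list order with a local fallback, and getting a role other than the default network-operator) are both answered by the same NX-OS configuration, so here is a worked example. It is an added illustration written for this thread, not the poster's configuration, the blog's, or Cisco's documentation; the server address, DNs, group and search-map names and the password are assumptions and must be replaced with your own values.

```text
! Added example: NX-OS login against an IdM/FreeIPA LDAP server with a local
! fallback and role assignment through a search map. All values are assumed.
feature ldap

! The directory server. The rootDN is a read-only bind account used only
! to look users up; it needs no rights beyond reading the users subtree.
ldap-server host 192.0.2.10 rootDN "uid=nxos-bind,cn=users,cn=accounts,dc=example,dc=com" password CHANGE-ME
ldap-server host 192.0.2.10 enable-ssl
ldap-server timeout 5
ldap-server deadtime 5

! Search map: find the user, then read one profile attribute from the entry.
! NX-OS derives the role from an AV pair in that attribute's value, i.e. the
! entry must carry   shell:roles="network-admin"   (or "network-operator").
! Which attribute holds it is your choice; "description" is the usual one and
! is what this example assumes is populated on the IdM side. FreeIPA users
! match on uid, hence the $userid substitution below.
ldap search-map IDM-ROLES
  userprofile attribute-name "description" search-filter "(uid=$userid)" base-DN "cn=users,cn=accounts,dc=example,dc=com"

! Server group that ties the server, the search map and the VRF together.
aaa group server ldap IDM
  server 192.0.2.10
  ldap-search-map IDM-ROLES
  use-vrf management

! Method list: the remote group first, the local database second. NX-OS
! consults the local database only when no LDAP server answers (that is what
! "fallback error local", on by default, means); a reject from LDAP is final.
! So a user that exists only locally (the local admin) cannot log in via
! this list while the server is reachable. Keep the console on local auth
! so an out-of-band path survives a directory problem.
aaa authentication login default group IDM local
aaa authentication login console local
aaa authentication login error-enable

! Checks before cutting over:
!   test aaa group IDM alice CHANGE-ME    -> tells you whether the bind,
!                                            the search and the password
!                                            check succeed for one user
!   show ldap-server groups               -> confirms the search map is bound
!   show user-account                     -> shows the role a logged-in
!                                            remote user actually received
```

On the directory side, NX-OS only reads a per-user attribute, so "members of group network-administrators get network-admin" is implemented by populating that attribute for the group's members in IdM rather than by any group lookup on the switch. If the server returns no usable shell:roles value, the switch assigns network-operator, which is exactly the symptom described above. Verify the received role with `show user-account` after a test login, and note that the timeout and deadtime values are assumed; tune them so that a slow directory neither blocks logins for long nor silently drops the whole group into local fallback.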
