NDFC and RADIUS

I am working on an NDFC deployment for a customer and I have run into a road block regarding user authentication. The customer wants to use RADIUS to a Windows NPS server for user authentication, which makes sense. NDFC would prefer to use local credentials so it doesn't depend on anything else, which also makes sense. I have done different VTY ports in IOS to listen on different ports for different authentication methods, but that doesn't seem to be an option here. The switches are Nexus 9Ks running NX-OS 10.3(4a). I haven't been able to figure out how to use two auth methods at the same time.


M02@rt37
VIP

Hello @Elliot Dierksen 

I suggest to the customer to use TACACS+, which allows more granular control over command authorization, so they could control exactly which commands a user can execute on a device. RADIUS does not have this level of granularity, as you know.

NDFC would prefer to use local credentials: for what? You could bind NDFC to AD for user login to the NDFC GUI. As for Nexus auth, TACACS or RADIUS config can be pushed from NDFC while editing the fabric, or later using a freeform or an edit.

The client wants to use local credentials for NDFC?

Sorry, I don't understand...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

It is all totally clear in my head, but not in my text.... I am actually talking about interactive CLI logins to Nexus switches that are being managed by NDFC. Human users logging in to the Nexus switches should be using an AD account authenticated via NPS. NDFC logging in to the Nexus switches to manage them and make changes would preferably use credentials local to the Nexus switch that aren't available to interactive humans. Sorry for the confusion, M02@rt37. Does that make more sense?

Thanks for that clarification @Elliot Dierksen 

NDFC wouldn't be able to use local credentials while RADIUS is available. 

Nexus doesn't support having different login methods for different users out-of-the-box based on login sources.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

What I was hoping was that I could do different sets of vty devices with different authentication methods like I can in IOS. It appears that isn't possible in NX-OS.
