NX-OS LDAP Issue

sisqo
Level 1

Hi girls and guys, I'm having some trouble configuring LDAP authentication (via Windows AD) when connecting via ssh on our CISCO. I replaced some information from the switch, you will see it in bold here.

 

Currently we only have one shared user, and the goal is to have users login with their own AD accounts and passwords.

I've verified connectivity to the AD Domain Controller using telnet with the IP on port 389.

 

Here's the relevant (aaa, ldap, user) info when I look at the running config:

sh running-config

username admin password 5 PASSWORD role network-admin

feature ldap
ldap-server host NAMEOFSERVER rootDN "cn=USERACCT,DC=EXAMPLE,DC=COM" password 7 PASSWORD timeout 60
aaa group server ldap GROUPNAME

server NAMEOFSERVER
no ldap-search-map

aaa authentication login default group GROUPNAME

aaa authentication login console local
aaa authorization ssh-publickey default group GROUPNAME
aaa accounting default group GROUPNAME

 

 

Here's some additional info:

version 7.0(3)I6(1)

The user I'm logging in with is in a different ou, but this rootDN user should see all of the accounts. This set-up works fine for other non-Cisco devices.

 

show aaa authorization all
pki-ssh-cert: local
pki-ssh-pubkey: group GROUPNAME
AAA command authorization:
default authorization for config-commands: local
default authorization for commands: local
console authorization for config-commands: local
console authorization for commands: local 

 

Here's some debug information:

2020 Jan 29 14:14:25.830661 ldap: Src: 0x00000101/111 Dst: 0x00000101/0 ID: 0x3FF5CACC Size: 398 [REQ] Opc: 4093 (MTS_OPC_LDAP_AAA_REQ) RR: 0x3FF5CACC HA_SEQNO: 0x00000000 TS: Wed Jan 29 14:16:02 2020 at msecs 752 REJ:0 SYNC:0 OPTIONS:0x0 Trx Id: 0
2020 Jan 29 14:14:25.831009 ldap: mts_ldap_aaa_request_handler: entering for aaa session id 0
2020 Jan 29 14:14:25.831029 ldap: mts_ldap_aaa_request_handler: user :MYACCOUNT@EXAMPLE.COM:, user_len 30, user_data_len 13
2020 Jan 29 14:14:25.831043 ldap: ldap_authenticate: user MYACCOUNT@EXAMPLE.COM servergroup GROUPNAME
2020 Jan 29 14:14:25.831059 ldap: ldap_global_config: entering ...
2020 Jan 29 14:14:25.831103 ldap: ldap_global_config: GET_REQ...
2020 Jan 29 14:14:25.831115 ldap: ldap_global_config: got back the return value of global configuration operation: SUCCESS
2020 Jan 29 14:14:25.831124 ldap: ldap_global_config: REQ - num server 1 num group 2 timeout 5 deadtime 0
2020 Jan 29 14:14:25.831134 ldap: ldap_global_config: returning retval 0
2020 Jan 29 14:14:25.831143 ldap: ldap_servergroup_config: GET_REQ for LDAP servergroup index 0 name GROUPNAME
2020 Jan 29 14:14:25.831162 ldap: ldap_pss_move2key: rcode = 0 syserr2str = SUCCESS
2020 Jan 29 14:14:25.831183 ldap: ldap_servergroup_config: GET_REQ got protocol server group index 2 name GROUPNAME
2020 Jan 29 14:14:25.831193 ldap: ldap_servergroup_config: returning retval 0 for server group GROUPNAME
2020 Jan 29 14:14:25.831205 ldap: IN FUNCTION ldap_search_map.... for name
2020 Jan 29 14:14:25.831214 ldap: ldap_search_map: entering for search_map , index 0
2020 Jan 29 14:14:25.831222 ldap: ldap_search_map: key size 532, value size 2200
2020 Jan 29 14:14:25.831230 ldap: ldap_search_map: GET_REQ: search_index: 0, search_map:
2020 Jan 29 14:14:25.831237 ldap: find_search_map: entering for search map
2020 Jan 29 14:14:25.831258 ldap: ldap_pss_move2key: rcode = 40480003 syserr2str = no such pss key
2020 Jan 29 14:14:25.831269 ldap: ldap_pss_move2key: calling pss2_getkey
2020 Jan 29 14:14:25.831276 ldap: find_search_map: search map not in PSS
2020 Jan 29 14:14:25.831284 ldap: ldap_search_map: no search map with Protocol search map:
2020 Jan 29 14:14:25.831294 ldap: ldap_search_map: got back the return value of Protocol server operation: can not find the LDAP server, desc: can not find the LDAP server
2020 Jan 29 14:14:25.831307 ldap: ldap_authenticate: ldap_read_config failed for server group GROUPNAME
2020 Jan 29 14:14:25.831320 ldap: ldap_send_response_to_aaa: entering for user MYACCOUNT@EXAMPLE.COM auth_result 7
2020 Jan 29 14:14:25.831349 ldap: ldap_send_response_to_aaa: (user MYACCOUNT@EXAMPLE.COM) - mts_send_response success
2020 Jan 29 14:14:27 NAMEOFSWITCH %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from IPOFSWITCH - dcos_sshd[6734]

 

It accepts the following commands:

aaa authorization ssh-publickey default group GROUPNAME

 

but anytime I try to do:

aaa authorization commands default group GROUPNAME
Command failed to apply

 

I'm sure I just don't know too much about the roles, I'm missing something from the docs, or I don’t know which attribute Cisco looks for by default for role access. I’m going to try a different rootDN user that does not have a comma in its password.

 

Resources Used:

AAA Section
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_011.html

LDAP Section
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_0110.html
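The telnet check above only proves TCP reachability on 389; it does not prove the rootDN account can bind. The following is an added, stdlib-only LDAPv3 simple-bind probe (not code from the thread or from Cisco) that sends the same kind of bind the switch would send and decodes the resultCode. It assumes plain LDAP without TLS, matching the `enable-ssl: false` shown later, and uses the placeholder host, rootDN and password from the post.

```python
# Minimal LDAPv3 simple bind over a raw socket (stdlib only), to check the
# rootDN credentials independently of the switch. Hypothetical helper, not
# NX-OS code. Assumed: plain LDAP on port 389, no TLS.
import socket

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] }. The password is
    an opaque OCTET STRING, so a comma in it is harmless at protocol level."""
    bind = (tlv(0x02, bytes([3]))                    # version 3
            + tlv(0x04, bind_dn.encode("utf-8"))     # name (the rootDN)
            + tlv(0x80, password.encode("utf-8")))   # simple authentication [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse.
    resultCode 0 = success, 49 = invalidCredentials."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                           # BindResponse [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, rc, pos = read_tlv(op, 0)              # resultCode (ENUMERATED)
    _, _matched, pos = read_tlv(op, pos)      # matchedDN
    _, diag, _ = read_tlv(op, pos)            # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")

def simple_bind(host: str, bind_dn: str, password: str, port: int = 389, timeout: float = 5.0):
    """Send one bind and return the parsed response from the directory."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind_request(1, bind_dn, password))
        return parse_bind_response(s.recv(4096))

if __name__ == "__main__":  # placeholders from the post; replace with real values
    print(simple_bind("IPADDRESSOFDC", "cn=USERACCT,DC=EXAMPLE,DC=COM", "PASSWORD"))
```

A resultCode of 0 here, while the switch's `ldap-server statistics` stay at zero, means the failure is on the switch side before any packet leaves it, which matches the `ldap_read_config failed` line in the debug output.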

4 Replies

Hello,

 

try and use the IP address of the LDAP server instead of the name; also add the port:

 

feature ldap
ldap-server host ldap_server_ip_address rootDN "cn=USERACCT,DC=EXAMPLE,DC=COM" password 7 PASSWORD timeout 60 port 389
aaa group server ldap GROUPNAME

server ldap_server_ip_address

 

Also, what if you test locally?

 

NX9000#test aaa group GROUPNAME pam password

 

Also, post the output of:

 

show ldap-server

Georg,

I changed it to IP, but this did not fix it. It can resolve the name fine when pinging.


test aaa group GROUPNAME USERNAME PASSWORD
error authenticating to server, status=7

 

show ldap-server
ERROR: cmd_prt: bad handle
timeout : 5
port : 389
deadtime : 0
total number of servers : 1

following LDAP servers are configured:
IPADDRESSOFDC:
idle time:0
test user:test
test password:********
timeout: 60 port: 389 rootDN: cn=ROOTDNACCT,DC=EXAMPLE,DC=COM
enable-ssl: false

sisqo
Level 1

I don't know if it helps anyone figure it out but when I run the command

ldap-server statistics SERVERIP

They are all zeroes, it's like aaa is not even triggered to try to authenticate a user.

brittonv
Level 1

Did you ever resolve this? I am seeing something similar on my UCS.
