Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
755
Views
1
Helpful
9
Replies

radius not working on nexus 9k

gxs
Level 1
Level 1

‎06-28-2024 09:01 PM

Help,

We purchased a Nexus 9K and I'm trying to configure Radius and I can't seem to be able to make it work no matter what I do.

Questions,

Is it required to have the vrf mgmt 0 interface configured in order for radius to work on the Nexus 9K?

Do I need to have a source-interface configured?

I'm using Ivanti pulse policy secure as the Radius server and Cisco 9200l switches on the network configured with radius and is working just fine. I just can't get the Nexus 9k switch to work with Radius. 

Any help would be greatly appreciated.

Thanks,

GXS

 

 

Labels:
0 Helpful
9 Replies 9

Kasun Bandara
VIP
VIP

‎06-28-2024 09:08 PM

@gxs hello, try configuring the source interface and malmanagement vrf as you stated. and check if your management IP in nexus switch is configured as client and allowed in policies in radius server. radius server must receive the auth request via the configured client IP. additionally do packet capture to see if traffic correctly receive and processed in radius server. 

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
0 Helpful

gxs
Level 1
Level 1
In response to Kasun Bandara

‎07-01-2024 07:25 AM

Thanks for the Info I do appreciate it.

So can I connect a cable from the vrf mgmt 0 interface on the Nexus to a port that is configured for a vlan management on the Nexus?

0 Helpful

M02@rt37
VIP
VIP
In response to gxs

‎07-01-2024 08:31 AM

@gxs 

Mgmt0 interface is specifically designed as a routed interface for out-of-band management purposes. It is not possible to configure it as a switchport or assign VLANs to it. The mgmt0 interface is meant to be used for management traffic only, providing a dedicated path for management operations separate from the data plane traffic.

Add an ip address under this interface with it's still configured in a dedicated vrf.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

gxs
Level 1
Level 1
In response to M02@rt37

‎07-01-2024 05:03 PM

So if I understand this correctly, I don't need to connect any cables to the vrf mgmt 0 interface just assign an IP address to the interface.

0 Helpful

M02@rt37
VIP
VIP

‎06-29-2024 11:07 AM

Hello @gxs 

No, it is not strictly required to use the vrf mgmt interface for RADIUS to work. However, using this vrf can be beneficial for separating management traffic from data traffic, improving security and manageability.

If you choose not to use vrf mgmt, you can configure RADIUS to use the default VRF or any other VRF suitable for your network design.

It is recommended to configure a source-interface for RADIUS communications. This ensures that the nexus 9K uses a specific interface for RADIUS traffic, which can help with routing and security policies.

Example:

# Configure the management interface
interface mgmt0
ip address 192.168.0.10/24
no shutdown
vrf member management

# Configure the VRF
vrf context management
ip route 0.0.0.0/0 192.168.0.1

# Configure the RADIUS server
radius-server host 192.168.1.100 key mysecret use-vrf management
radius-server source-interface mgmt0

# Configure AAA group for RADIUS
aaa group server radius RADIUS-GROUP
server 192.168.1.100
use-vrf management
exit

# Configure AAA authentication for login
aaa authentication login default group RADIUS-GROUP local
aaa authentication login console group RADIUS-GROUP local

# Configure AAA accounting aaa accounting default group RADIUS-GROUP

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

paul driver
VIP
VIP

‎06-30-2024 09:49 PM

Hello
what device is supplying the radius authentication and is that device aware of this new 9K
Can you ping the radius server sourced from the interface specified for authentication?
Can you post you aaa configuration ?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

gxs
Level 1
Level 1
In response to paul driver

‎07-05-2024 06:42 AM

Hi Paul,

Sorry for the late reply.

Does it require AAA configuration since we're doing Radius on the Nexus?

This is what I have configured on the Nexus for Radius.

!Command: show running-config radius
!Running configuration last done at: Fri Jul 5 09:20:49 2024
!Time: Fri Jul 5 09:38:58 2024

version 10.3(4a) Bios:version 05.47
radius-server key 7 "Fewh@123"
radius-server test username cisco password 7 fewhg
radius-server host x.x.x.x key 7 "Fewh@123" authentication accounting
radius-server host x.x.x.x authentication accounting  (2nd Radius server)
aaa group server radius PSA
server x.x.x.x
server x.x.x.x

ip radius source-interface Vlan1140

0 Helpful

MHM Cisco World
VIP
VIP
In response to gxs

‎07-05-2024 06:52 AM

first check ping between NSK and radius so use 
ping <radius server> source <vlan 1140>

if the ping failed then you have reachabilty issue 
it can routing 
or it can there is FW drop traffic

MHM

0 Helpful

ahmadkhalido585858
Level 1
Level 1

‎06-30-2024 11:35 PM

Yes, you need to configure the VRF management interface and set the source-interface for RADIUS to work on the Nexus 9K

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card