cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
768
Views
1
Helpful
9
Replies

radius not working on nexus 9k

gxs
Level 1
Level 1

Help,

We purchased a Nexus 9K and I'm trying to configure Radius and I can't seem to be able to make it work no matter what I do.

Questions,

Is it required to have the vrf mgmt 0 interface configured in order for radius to work on the Nexus 9K?

Do I need to have a source-interface configured?

I'm using Ivanti pulse policy secure as the Radius server and Cisco 9200l switches on the network configured with radius and is working just fine. I just can't get the Nexus 9k switch to work with Radius. 

Any help would be greatly appreciated.

Thanks,

GXS

 

 

9 Replies 9

@gxs hello, try configuring the source interface and malmanagement vrf as you stated. and check if your management IP in nexus switch is configured as client and allowed in policies in radius server. radius server must receive the auth request via the configured client IP. additionally do packet capture to see if traffic correctly receive and processed in radius server. 

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Thanks for the Info I do appreciate it.

So can I connect a cable from the vrf mgmt 0 interface on the Nexus to a port that is configured for a vlan management on the Nexus?

@gxs 

Mgmt0 interface is specifically designed as a routed interface for out-of-band management purposes. It is not possible to configure it as a switchport or assign VLANs to it. The mgmt0 interface is meant to be used for management traffic only, providing a dedicated path for management operations separate from the data plane traffic.

Add an ip address under this interface with it's still configured in a dedicated vrf.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

So if I understand this correctly, I don't need to connect any cables to the vrf mgmt 0 interface just assign an IP address to the interface.

M02@rt37
VIP
VIP

Hello @gxs 

No, it is not strictly required to use the vrf mgmt interface for RADIUS to work. However, using this vrf can be beneficial for separating management traffic from data traffic, improving security and manageability.

If you choose not to use vrf mgmt, you can configure RADIUS to use the default VRF or any other VRF suitable for your network design.

It is recommended to configure a source-interface for RADIUS communications. This ensures that the nexus 9K uses a specific interface for RADIUS traffic, which can help with routing and security policies.

Example:

# Configure the management interface
interface mgmt0
ip address 192.168.0.10/24
no shutdown
vrf member management

# Configure the VRF
vrf context management
ip route 0.0.0.0/0 192.168.0.1

# Configure the RADIUS server
radius-server host 192.168.1.100 key mysecret use-vrf management
radius-server source-interface mgmt0

# Configure AAA group for RADIUS
aaa group server radius RADIUS-GROUP
server 192.168.1.100
use-vrf management
exit

# Configure AAA authentication for login
aaa authentication login default group RADIUS-GROUP local
aaa authentication login console group RADIUS-GROUP local

# Configure AAA accounting aaa accounting default group RADIUS-GROUP

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello
what device is supplying the radius authentication and is that device aware of this new 9K
Can you ping the radius server sourced from the interface specified for authentication?
Can you post you aaa configuration ?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Sorry for the late reply.

Does it require AAA configuration since we're doing Radius on the Nexus?

This is what I have configured on the Nexus for Radius.

!Command: show running-config radius
!Running configuration last done at: Fri Jul 5 09:20:49 2024
!Time: Fri Jul 5 09:38:58 2024

version 10.3(4a) Bios:version 05.47
radius-server key 7 "Fewh@123"
radius-server test username cisco password 7 fewhg
radius-server host x.x.x.x key 7 "Fewh@123" authentication accounting
radius-server host x.x.x.x authentication accounting  (2nd Radius server)
aaa group server radius PSA
server x.x.x.x
server x.x.x.x

ip radius source-interface Vlan1140

first check ping between NSK and radius so use 
ping <radius server> source <vlan 1140>

if the ping failed then you have reachabilty issue 
it can routing 
or it can there is FW drop traffic

MHM

Yes, you need to configure the VRF management interface and set the source-interface for RADIUS to work on the Nexus 9K

 

Review Cisco Networking for a $25 gift card