Cisco NX-OS default roles using SSH/Radius

when we ssh into our new nexus 5k series using Radius for authentication the default role is network-operator which does NOT allow the 'enable' command. I cannot modify the system-pre-defined role, nor figure out how to 'default' the radius authenticated user to be able to either come in as a network-admin or have the 'enable' command.

I see that in NX-OS they have futher separated the roles, however in my Radius config, I already define which AD groups can even login, that is my 'network admins'. Having the Network-Admin role on the Nexus as a default is thus ok for me.

I've been reading and reading and trying things but I keep running into the wall that they want me to use TACACS. I don't want to buy another expensive Cisco server for simple authentication.

There is probably an easy fix for this, but I can't seem to figure it out. any help is appreciated. thanks!

show run code attached.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.12.27 10:07:52 =~=~=~=~=~=~=~=~=~=~=~=
sh run

!Command: show running-config
!Time: Mon Dec 27 10:06:02 2010

version 5.0(2)N1(1)
feature privilege
no feature telnet
no telnet server enable
feature interface-vlan
feature lacp
feature lldp
feature vtp
feature fex

username admin password 5 $1$uG0yQM7U$v/MypXU1eGw9ntNbGMIe..  role network-admin
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 1
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 2
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 3
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 4
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 5
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 6
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 7
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 8
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 9
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 10
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 11
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 12
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 13
enable secret 5 $1$9a80304$7fa1a581048f9563 priv-lvl 14
enable secret 5 $1$9a80304$7fa1a581048f9563
ip domain-lookup
ip domain-lookup
ip domain-name
ip domain-list
ip domain-list caseys.local
ip name-server
radius-server host autha01 key 7 "Fewhg11" authentication accounting 
radius-server host authb01 key 7 "Fewhg11" authentication accounting 
aaa group server radius caseysaaa 
    server autha01 
    server authb01 
hostname NX5548-A-01
logging event link-status default
errdisable recovery interval 32
ip access-list vtyAccess
  10 permit ip any
  20 permit ip any
  30 permit ip any
  40 permit ip any
  50 permit ip any
  60 permit ip any
  70 permit ip any
  80 permit ip any
  90 permit ip any
  100 deny ip any any
class-map type qos class-fcoe
class-map type queuing class-fcoe
  match qos-group 1
class-map type queuing class-all-flood
  match qos-group 2
class-map type queuing class-ip-multicast
  match qos-group 2
class-map type network-qos class-fcoe
  match qos-group 1
class-map type network-qos class-all-flood
  match qos-group 2
class-map type network-qos class-ip-multicast
  match qos-group 2
vtp mode transparent
vtp domain Caseys-A
fex 100
  pinning max-links 1
  description "FEX0100"
  type N2248T
snmp-server user admin network-admin auth md5 0xb7175c279e6f269f0a4e4bd94452bdd1
 priv 0xb7175c279e6f269f0a4e4bd94452bdd1 localizedkey
aaa authentication login default group caseysaaa 
aaa authentication login console local 

vrf context management
vlan 1
vlan 2
  name Device-mgmt
vlan 199
  name SERVERS
vlan 200
  name Servers-old
vlan 250
  name CREDIT
vlan 255
  name iSCSI

interface Vlan1
  no shutdown
  ip address

interface port-channel4
  description FEX to 2248TP
  switchport mode fex-fabric
  fex associate 100

interface Ethernet1/1

interface Ethernet1/2

interface Ethernet1/3

interface Ethernet1/4

interface Ethernet1/5

interface Ethernet1/6

interface Ethernet1/7

interface Ethernet1/8

interface Ethernet1/9

interface Ethernet1/10

interface Ethernet1/11

interface Ethernet1/12

interface Ethernet1/13

interface Ethernet1/14

interface Ethernet1/15

interface Ethernet1/16

interface Ethernet1/17

interface Ethernet1/18

interface Ethernet1/19

interface Ethernet1/20

interface Ethernet1/21

interface Ethernet1/22

interface Ethernet1/23

interface Ethernet1/24

interface Ethernet1/25

interface Ethernet1/26

interface Ethernet1/27

interface Ethernet1/28

interface Ethernet1/29

interface Ethernet1/30

interface Ethernet1/31
  fex associate 100
  switchport mode fex-fabric
  channel-group 4

interface Ethernet1/32
  fex associate 100
  switchport mode fex-fabric
  channel-group 4

interface mgmt0
  description Management

interface Ethernet100/1/1

interface Ethernet100/1/2

interface Ethernet100/1/3

interface Ethernet100/1/4

interface Ethernet100/1/5

interface Ethernet100/1/6

interface Ethernet100/1/7

interface Ethernet100/1/8

interface Ethernet100/1/9

interface Ethernet100/1/10

interface Ethernet100/1/11

interface Ethernet100/1/12

interface Ethernet100/1/13

interface Ethernet100/1/14

interface Ethernet100/1/15

interface Ethernet100/1/16

interface Ethernet100/1/17

interface Ethernet100/1/18

interface Ethernet100/1/19

interface Ethernet100/1/20

interface Ethernet100/1/21

interface Ethernet100/1/22

interface Ethernet100/1/23

interface Ethernet100/1/24

interface Ethernet100/1/25

interface Ethernet100/1/26

interface Ethernet100/1/27

interface Ethernet100/1/28

interface Ethernet100/1/29

interface Ethernet100/1/30

interface Ethernet100/1/31

interface Ethernet100/1/32

interface Ethernet100/1/33

interface Ethernet100/1/34

interface Ethernet100/1/35

interface Ethernet100/1/36

interface Ethernet100/1/37

interface Ethernet100/1/38

interface Ethernet100/1/39

interface Ethernet100/1/40

interface Ethernet100/1/41

interface Ethernet100/1/42

interface Ethernet100/1/43

interface Ethernet100/1/44

interface Ethernet100/1/45

interface Ethernet100/1/46

interface Ethernet100/1/47

interface Ethernet100/1/48
  switchport mode trunk
  spanning-tree guard root
clock timezone CST -6 0
clock summer-time CDT 2 Sun Mar 02:00 1 Sun Nov 02:00 60
line console
  exec-timeout 15
line vty
  session-limit 5
  exec-timeout 15
  access-class vtyAccess in
boot kickstart bootflash:/n5000-uk9-kickstart.5.0.2.N1.1.bin
boot system bootflash:/n5000-uk9.5.0.2.N1.1.bin 
ip route
logging level local1 6


Open in new window

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


Unfortunately, you can't do command authorization with RADIUS. You need TACACS+ server for it (for example Cisco ACS).

eah6122Author Commented:
So you are basically saying that if I want to remotely configure my Nexus switch I have to either 1, create a LOCAL account to login as, or 2, pay for an overly expensive TACACS+ server instead of how we've been able to use radius with all of our IOS switches, authenticate, then run the 'enable' command?

Here is description of succesfull authentication process for Nexus 7000, I assume same possibilities apply for 5000:

3. If the NX-OS device successfully authenticates you through a remote AAA server, then the following possibilities apply:
–If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
–If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
–If the user roles are not successfully retrieved from the remote AAA server, then the user is assigned with the vdc-operator role.

In case of 5000, default role is network-operator.
"If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator."

So, to use RADIUS, you will need to configure cisco-av-pair attribute to select role you want to use upon successful authentication:
cisco-avpair = "shell:roles=network-admin"

You can find more details here:

Hope it helps!


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
eah6122Author Commented:
Awesome. in the ias remote-access policies for the device, go to 'edit-profile' the advanced tab, 'add', select Cisco-AV-Pair, and put(no quotes) "shell:roles=network-admin" in the value box.
works perfectly.

thank you!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs

From novice to tech pro — start learning today.