Radius (NPS) Cisco Nexus 5xxx configuration

Greetings experts...

I have an environment that consists of several Cisco IOS devices and (currently) a single Nexus 5xxx device.  Radius is being provided by Windows Server 2008R2.  On the IOS devices Radius is authenticating properly but I can't seem to get the settings correct in the Nexus for it to log me in.

Below are the applicable lines from the Nexus configuration.  Please let me know what else you might need to help me finish configuring. Thanks in advance.


radius-server host 172.16.43.7 key 7 "Kwvw1sVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7

Open in new window

jchauncey60Asked:
Who is Participating?
 
naderzConnect With a Mentor Commented:
Sorry about that! I meant "show run radius all" and "show run aaa all".

Questions:

1) have you double checked theRadius server configs to make sure that the correct AD group is mapped for the new policy for Nexus? Your IOS devices should have their own mapping.

2) Can you try these commands one more time?

radius-server host 172.16.43.7 authentication accounting
radius-server key "your key here"

3) And, then run the test aaa command one more time?
0
 
naderzCommented:
Nexus behaves differently than IOS devices. NX-OS works with Roles as opposed to IOS's privileges.

You need to configure the following attribute in your RADIUS server:

cisco-av-pair=shell:roles="network-admin"
0
 
jchauncey60Author Commented:
naderz,

Thanks for your quick response.  I added the 'Vendor Specific' pair you suggested but still it is not working.  When a use the 'test' command it returns Status=7, which I can't find much on.

Any other ideas?


[BEGIN]
SOANXS(config)# sh run

!Command: show running-config
!Time: Fri Mar 22 15:48:32 2013

version 5.0(3)N1(1c)
no feature telnet
no telnet server enable
cfs eth distribute
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex

....

radius-server host 172.16.43.7 key 7 "Kwvw1sasVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7
....
aaa authentication login default group ADAUTH
aaa authentication login console group ADAUTH local
aaa accounting default group ADAUTH
aaa authentication login error-enable
radius-server directed-request
...
line console
line vty
[END]

SOANXS(config)# test aaa server radius 172.16.43.7 <username> <password>
error authenticating to server, status=7

SOANXS(config)# ping 172.16.43.7
PING 172.16.43.7 (172.16.43.7): 56 data bytes
64 bytes from 172.16.43.7: icmp_seq=0 ttl=127 time=5.057 ms
64 bytes from 172.16.43.7: icmp_seq=1 ttl=127 time=1.044 ms
64 bytes from 172.16.43.7: icmp_seq=2 ttl=127 time=0.882 ms
64 bytes from 172.16.43.7: icmp_seq=3 ttl=127 time=0.958 ms
64 bytes from 172.16.43.7: icmp_seq=4 ttl=127 time=0.954 ms

--- 172.16.43.7 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.882/1.778/5.057 ms

Open in new window

0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
naderzCommented:
Well, Status=7 means the user name and password used is not recognized by the Radius server.

Would you post the "show radius all" and "show aaa all" command outputs? Please scrub the username/passwords (or, use fake ones) before posting.
0
 
jchauncey60Author Commented:
Thanks for your assistance.  The commands you asked for were not supported, hopefully this is what you need.

show radius-server
   retransmission count:1
   timeout value:5
   deadtime value:0
   source interface:Vlan643
   total number of servers:1
   following RADIUS servers are configured:
        172.16.43.7:
                available for accounting on port:1813
                RADIUS shared secret:********

show aaa authe
         default: group ADAUTH
         console: group ADAUTH local

sh aaa groups
radius
ADAUTH
0
 
jchauncey60Author Commented:
Quick response and helpful!
0
All Courses

From novice to tech pro — start learning today.