?
Solved

Radius (NPS) Cisco Nexus 5xxx configuration

Posted on 2013-05-10
6
Medium Priority
?
2,483 Views
Last Modified: 2013-05-13
Greetings experts...

I have an environment that consists of several Cisco IOS devices and (currently) a single Nexus 5xxx device.  Radius is being provided by Windows Server 2008R2.  On the IOS devices Radius is authenticating properly but I can't seem to get the settings correct in the Nexus for it to log me in.

Below are the applicable lines from the Nexus configuration.  Please let me know what else you might need to help me finish configuring. Thanks in advance.


radius-server host 172.16.43.7 key 7 "Kwvw1sVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7

Open in new window

0
Comment
Question by:jchauncey60
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 39157677
Nexus behaves differently than IOS devices. NX-OS works with Roles as opposed to IOS's privileges.

You need to configure the following attribute in your RADIUS server:

cisco-av-pair=shell:roles="network-admin"
0
 

Author Comment

by:jchauncey60
ID: 39157907
naderz,

Thanks for your quick response.  I added the 'Vendor Specific' pair you suggested but still it is not working.  When a use the 'test' command it returns Status=7, which I can't find much on.

Any other ideas?


[BEGIN]
SOANXS(config)# sh run

!Command: show running-config
!Time: Fri Mar 22 15:48:32 2013

version 5.0(3)N1(1c)
no feature telnet
no telnet server enable
cfs eth distribute
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex

....

radius-server host 172.16.43.7 key 7 "Kwvw1sasVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7
....
aaa authentication login default group ADAUTH
aaa authentication login console group ADAUTH local
aaa accounting default group ADAUTH
aaa authentication login error-enable
radius-server directed-request
...
line console
line vty
[END]

SOANXS(config)# test aaa server radius 172.16.43.7 <username> <password>
error authenticating to server, status=7

SOANXS(config)# ping 172.16.43.7
PING 172.16.43.7 (172.16.43.7): 56 data bytes
64 bytes from 172.16.43.7: icmp_seq=0 ttl=127 time=5.057 ms
64 bytes from 172.16.43.7: icmp_seq=1 ttl=127 time=1.044 ms
64 bytes from 172.16.43.7: icmp_seq=2 ttl=127 time=0.882 ms
64 bytes from 172.16.43.7: icmp_seq=3 ttl=127 time=0.958 ms
64 bytes from 172.16.43.7: icmp_seq=4 ttl=127 time=0.954 ms

--- 172.16.43.7 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.882/1.778/5.057 ms

Open in new window

0
 
LVL 11

Expert Comment

by:naderz
ID: 39163162
Well, Status=7 means the user name and password used is not recognized by the Radius server.

Would you post the "show radius all" and "show aaa all" command outputs? Please scrub the username/passwords (or, use fake ones) before posting.
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 

Author Comment

by:jchauncey60
ID: 39163262
Thanks for your assistance.  The commands you asked for were not supported, hopefully this is what you need.

show radius-server
   retransmission count:1
   timeout value:5
   deadtime value:0
   source interface:Vlan643
   total number of servers:1
   following RADIUS servers are configured:
        172.16.43.7:
                available for accounting on port:1813
                RADIUS shared secret:********

show aaa authe
         default: group ADAUTH
         console: group ADAUTH local

sh aaa groups
radius
ADAUTH
0
 
LVL 11

Accepted Solution

by:
naderz earned 2000 total points
ID: 39163288
Sorry about that! I meant "show run radius all" and "show run aaa all".

Questions:

1) have you double checked theRadius server configs to make sure that the correct AD group is mapped for the new policy for Nexus? Your IOS devices should have their own mapping.

2) Can you try these commands one more time?

radius-server host 172.16.43.7 authentication accounting
radius-server key "your key here"

3) And, then run the test aaa command one more time?
0
 

Author Closing Comment

by:jchauncey60
ID: 39163312
Quick response and helpful!
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question