[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2718
  • Last Modified:

Radius (NPS) Cisco Nexus 5xxx configuration

Greetings experts...

I have an environment that consists of several Cisco IOS devices and (currently) a single Nexus 5xxx device.  Radius is being provided by Windows Server 2008R2.  On the IOS devices Radius is authenticating properly but I can't seem to get the settings correct in the Nexus for it to log me in.

Below are the applicable lines from the Nexus configuration.  Please let me know what else you might need to help me finish configuring. Thanks in advance.


radius-server host 172.16.43.7 key 7 "Kwvw1sVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7

Open in new window

0
jchauncey60
Asked:
jchauncey60
  • 3
  • 3
1 Solution
 
naderzCommented:
Nexus behaves differently than IOS devices. NX-OS works with Roles as opposed to IOS's privileges.

You need to configure the following attribute in your RADIUS server:

cisco-av-pair=shell:roles="network-admin"
0
 
jchauncey60Author Commented:
naderz,

Thanks for your quick response.  I added the 'Vendor Specific' pair you suggested but still it is not working.  When a use the 'test' command it returns Status=7, which I can't find much on.

Any other ideas?


[BEGIN]
SOANXS(config)# sh run

!Command: show running-config
!Time: Fri Mar 22 15:48:32 2013

version 5.0(3)N1(1c)
no feature telnet
no telnet server enable
cfs eth distribute
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex

....

radius-server host 172.16.43.7 key 7 "Kwvw1sasVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7
....
aaa authentication login default group ADAUTH
aaa authentication login console group ADAUTH local
aaa accounting default group ADAUTH
aaa authentication login error-enable
radius-server directed-request
...
line console
line vty
[END]

SOANXS(config)# test aaa server radius 172.16.43.7 <username> <password>
error authenticating to server, status=7

SOANXS(config)# ping 172.16.43.7
PING 172.16.43.7 (172.16.43.7): 56 data bytes
64 bytes from 172.16.43.7: icmp_seq=0 ttl=127 time=5.057 ms
64 bytes from 172.16.43.7: icmp_seq=1 ttl=127 time=1.044 ms
64 bytes from 172.16.43.7: icmp_seq=2 ttl=127 time=0.882 ms
64 bytes from 172.16.43.7: icmp_seq=3 ttl=127 time=0.958 ms
64 bytes from 172.16.43.7: icmp_seq=4 ttl=127 time=0.954 ms

--- 172.16.43.7 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.882/1.778/5.057 ms

Open in new window

0
 
naderzCommented:
Well, Status=7 means the user name and password used is not recognized by the Radius server.

Would you post the "show radius all" and "show aaa all" command outputs? Please scrub the username/passwords (or, use fake ones) before posting.
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 
jchauncey60Author Commented:
Thanks for your assistance.  The commands you asked for were not supported, hopefully this is what you need.

show radius-server
   retransmission count:1
   timeout value:5
   deadtime value:0
   source interface:Vlan643
   total number of servers:1
   following RADIUS servers are configured:
        172.16.43.7:
                available for accounting on port:1813
                RADIUS shared secret:********

show aaa authe
         default: group ADAUTH
         console: group ADAUTH local

sh aaa groups
radius
ADAUTH
0
 
naderzCommented:
Sorry about that! I meant "show run radius all" and "show run aaa all".

Questions:

1) have you double checked theRadius server configs to make sure that the correct AD group is mapped for the new policy for Nexus? Your IOS devices should have their own mapping.

2) Can you try these commands one more time?

radius-server host 172.16.43.7 authentication accounting
radius-server key "your key here"

3) And, then run the test aaa command one more time?
0
 
jchauncey60Author Commented:
Quick response and helpful!
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now