Link to home
Start Free TrialLog in
Avatar of jchauncey60
jchauncey60Flag for United States of America

asked on

Radius (NPS) Cisco Nexus 5xxx configuration

Greetings experts...

I have an environment that consists of several Cisco IOS devices and (currently) a single Nexus 5xxx device.  Radius is being provided by Windows Server 2008R2.  On the IOS devices Radius is authenticating properly but I can't seem to get the settings correct in the Nexus for it to log me in.

Below are the applicable lines from the Nexus configuration.  Please let me know what else you might need to help me finish configuring. Thanks in advance.


radius-server host 172.16.43.7 key 7 "Kwvw1sVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7

Open in new window

Avatar of naderz
naderz
Flag of United States of America image
Nexus behaves differently than IOS devices. NX-OS works with Roles as opposed to IOS's privileges.

You need to configure the following attribute in your RADIUS server:

cisco-av-pair=shell:roles="network-admin"
Avatar of jchauncey60
jchauncey60
Flag of United States of America image

ASKER

naderz,

Thanks for your quick response.  I added the 'Vendor Specific' pair you suggested but still it is not working.  When a use the 'test' command it returns Status=7, which I can't find much on.

Any other ideas?


[BEGIN]
SOANXS(config)# sh run

!Command: show running-config
!Time: Fri Mar 22 15:48:32 2013

version 5.0(3)N1(1c)
no feature telnet
no telnet server enable
cfs eth distribute
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex

....

radius-server host 172.16.43.7 key 7 "Kwvw1sasVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7
....
aaa authentication login default group ADAUTH
aaa authentication login console group ADAUTH local
aaa accounting default group ADAUTH
aaa authentication login error-enable
radius-server directed-request
...
line console
line vty
[END]

SOANXS(config)# test aaa server radius 172.16.43.7 <username> <password>
error authenticating to server, status=7

SOANXS(config)# ping 172.16.43.7
PING 172.16.43.7 (172.16.43.7): 56 data bytes
64 bytes from 172.16.43.7: icmp_seq=0 ttl=127 time=5.057 ms
64 bytes from 172.16.43.7: icmp_seq=1 ttl=127 time=1.044 ms
64 bytes from 172.16.43.7: icmp_seq=2 ttl=127 time=0.882 ms
64 bytes from 172.16.43.7: icmp_seq=3 ttl=127 time=0.958 ms
64 bytes from 172.16.43.7: icmp_seq=4 ttl=127 time=0.954 ms

--- 172.16.43.7 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.882/1.778/5.057 ms

Open in new window

Avatar of naderz
naderz
Flag of United States of America image
Well, Status=7 means the user name and password used is not recognized by the Radius server.

Would you post the "show radius all" and "show aaa all" command outputs? Please scrub the username/passwords (or, use fake ones) before posting.
Avatar of jchauncey60
jchauncey60
Flag of United States of America image

ASKER

Thanks for your assistance.  The commands you asked for were not supported, hopefully this is what you need.

show radius-server
   retransmission count:1
   timeout value:5
   deadtime value:0
   source interface:Vlan643
   total number of servers:1
   following RADIUS servers are configured:
        172.16.43.7:
                available for accounting on port:1813
                RADIUS shared secret:********

show aaa authe
         default: group ADAUTH
         console: group ADAUTH local

sh aaa groups
radius
ADAUTH
ASKER CERTIFIED SOLUTION
Avatar of naderz
naderz
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of jchauncey60
jchauncey60
Flag of United States of America image

ASKER

Quick response and helpful!