Solved

Radius (NPS) Cisco Nexus 5xxx configuration

Posted on 2013-05-10
6
2,367 Views
Last Modified: 2013-05-13
Greetings experts...

I have an environment that consists of several Cisco IOS devices and (currently) a single Nexus 5xxx device.  Radius is being provided by Windows Server 2008R2.  On the IOS devices Radius is authenticating properly but I can't seem to get the settings correct in the Nexus for it to log me in.

Below are the applicable lines from the Nexus configuration.  Please let me know what else you might need to help me finish configuring. Thanks in advance.


radius-server host 172.16.43.7 key 7 "Kwvw1sVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7

Open in new window

0
Comment
Question by:jchauncey60
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 39157677
Nexus behaves differently than IOS devices. NX-OS works with Roles as opposed to IOS's privileges.

You need to configure the following attribute in your RADIUS server:

cisco-av-pair=shell:roles="network-admin"
0
 

Author Comment

by:jchauncey60
ID: 39157907
naderz,

Thanks for your quick response.  I added the 'Vendor Specific' pair you suggested but still it is not working.  When a use the 'test' command it returns Status=7, which I can't find much on.

Any other ideas?


[BEGIN]
SOANXS(config)# sh run

!Command: show running-config
!Time: Fri Mar 22 15:48:32 2013

version 5.0(3)N1(1c)
no feature telnet
no telnet server enable
cfs eth distribute
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex

....

radius-server host 172.16.43.7 key 7 "Kwvw1sasVieds1x" accounting
aaa group server radius radius
    use-vrf management
aaa group server radius ADAUTH
    server 172.16.43.7
....
aaa authentication login default group ADAUTH
aaa authentication login console group ADAUTH local
aaa accounting default group ADAUTH
aaa authentication login error-enable
radius-server directed-request
...
line console
line vty
[END]

SOANXS(config)# test aaa server radius 172.16.43.7 <username> <password>
error authenticating to server, status=7

SOANXS(config)# ping 172.16.43.7
PING 172.16.43.7 (172.16.43.7): 56 data bytes
64 bytes from 172.16.43.7: icmp_seq=0 ttl=127 time=5.057 ms
64 bytes from 172.16.43.7: icmp_seq=1 ttl=127 time=1.044 ms
64 bytes from 172.16.43.7: icmp_seq=2 ttl=127 time=0.882 ms
64 bytes from 172.16.43.7: icmp_seq=3 ttl=127 time=0.958 ms
64 bytes from 172.16.43.7: icmp_seq=4 ttl=127 time=0.954 ms

--- 172.16.43.7 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.882/1.778/5.057 ms

Open in new window

0
 
LVL 11

Expert Comment

by:naderz
ID: 39163162
Well, Status=7 means the user name and password used is not recognized by the Radius server.

Would you post the "show radius all" and "show aaa all" command outputs? Please scrub the username/passwords (or, use fake ones) before posting.
0
The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

 

Author Comment

by:jchauncey60
ID: 39163262
Thanks for your assistance.  The commands you asked for were not supported, hopefully this is what you need.

show radius-server
   retransmission count:1
   timeout value:5
   deadtime value:0
   source interface:Vlan643
   total number of servers:1
   following RADIUS servers are configured:
        172.16.43.7:
                available for accounting on port:1813
                RADIUS shared secret:********

show aaa authe
         default: group ADAUTH
         console: group ADAUTH local

sh aaa groups
radius
ADAUTH
0
 
LVL 11

Accepted Solution

by:
naderz earned 500 total points
ID: 39163288
Sorry about that! I meant "show run radius all" and "show run aaa all".

Questions:

1) have you double checked theRadius server configs to make sure that the correct AD group is mapped for the new policy for Nexus? Your IOS devices should have their own mapping.

2) Can you try these commands one more time?

radius-server host 172.16.43.7 authentication accounting
radius-server key "your key here"

3) And, then run the test aaa command one more time?
0
 

Author Closing Comment

by:jchauncey60
ID: 39163312
Quick response and helpful!
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question