Nexus Configurations

David Mitchell mitchell at ucar.edu
Thu May 5 16:35:23 CEST 2011


On May 5, 2011, at 4:47 AM, Darren Shaw wrote:

> Hello David,
> 
> Thanks for the syntax. Sadly this still does not work. The free radius server will authenticate me as a user but the 5K wants me as an operator and not admin.
> 
> If you have the 5K working, could I be cheeky and ask if you could mail me the radius config on your 5K?

There isn't anything in the radius config that enables this as far as I can tell. Do you have a
local account on the 5K? That might override the info from the RADIUS server. Run the command
'show user-account' after logging in. For me, it indicates that the account was created via remote
authentication. I assume you have run the radius server in debug mode to verify that the attributes
are actually in the access accept packets sent back to the switch?


-David Mitchell

> 
> thanks
> 
> Rgds
> Darren Shaw
> The Network Team
> Computing Services
> University of Huddersfield
> Queensgate
> Huddersfield
> HD1 3DH
> 
> TEL: 01484 471317
> MOBILE: 07792 773807
> 
> -----Original Message-----
> From: freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org] On Behalf Of David Mitchell
> Sent: 04 May 2011 15:14
> To: FreeRadius users mailing list
> Subject: Re: Nexus Configurations
> 
> 
> On May 4, 2011, at 4:48 AM, Darren Shaw wrote:
> 
>> Good Morning
>> 
>> I am new to this forum and to the workings of FreeRadius and I have a query around the Cisco Nexus family.
>> 
>> Currently we have all our switches and routers authenticating to FreeRadius and all seems to be working. The problem comes when I want to authenticate my Nexus 7Ks and 5Ks. The 7Ks and 5Ks will authenticate me but the Nexus puts me in an operator role and not in an administrator's role.
>> 
>> According to Cisco I have to place the following into
>> 
>> /usr/local/etc/raddb/sites-available/default
>> 
>> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
>> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
>> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
>> Cisco-AVPair = "shell:roles*\"network-admin\""
> 
> This is what I'm adding to the replies for Nexus 5K's. I don't have any 7K's but I'd be surprised if
> they were any different. I have not tried to send two roles so I can't confirm the syntax for that.
> 
>        Cisco-AVPair += "shell:roles=network-admin",
>        Service-Type := Administrative-User,
> 
> -David Mitchell
> 
>> 
>> 
>> The current service type is = Administrative-User
>> 
>> I have tried each AVPair and nothing works. Has anyone else had this issue?
>> 
>> If anyone has any advice I would be really grateful.
>> 
>> Thanks
>> 
>> 
>> 
>> Rgds
>> Darren Shaw
>> The Network Team
>> Computing Services
>> University of Huddersfield
>> Queensgate
>> Huddersfield
>> HD1 3DH
>> 
>> TEL: 01484 471317
>> MOBILE: 07792 773807
>> 
>> 
>> 
>>  ________________________________
>> 
>> ---
>> This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> -----------------------------------------------------------------
> | David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
> | Tel: (303) 497-1845                      National Center for  |
> | FAX: (303) 497-1818                      Atmospheric Research |
> -----------------------------------------------------------------

-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------
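The check suggested in the reply above (confirming that the role attributes really are in the Access-Accept) can also be done on the raw packet. The following is an added example, not part of the original thread: it decodes an Access-Accept and pulls out Service-Type and any Cisco-AVPair shell:roles value. The function names and both sample packets are constructed for illustration.

```python
import struct

CISCO_VENDOR_ID = 9                      # IANA enterprise number for Cisco
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26    # RFC 2865 attribute types
CISCO_AVPAIR = 1                         # Cisco vendor sub-type carrying Cisco-AVPair
ACCESS_ACCEPT, ADMINISTRATIVE_USER = 2, 6

def attr(t, value):
    """Encode one type/length/value attribute (length covers the 2-byte header)."""
    return bytes([t, len(value) + 2]) + value

def cisco_avpair(text):
    """Wrap an AV pair string in a Vendor-Specific attribute for vendor 9."""
    return attr(VENDOR_SPECIFIC,
                struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))

def build_accept(attrs):
    """Build a constructed Access-Accept (zeroed authenticator) for offline tests."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(body), bytes(16)) + body

def parse_reply(packet):
    """Return the code, Service-Type and Cisco-AVPair strings found in a reply."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("truncated or malformed RADIUS packet")
    result = {"code": packet[0], "service_type": None, "avpairs": []}
    pos = 20                             # attributes start after the 20-byte header
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + l]
        if t == SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):   # walk vendor sub-attributes
                if vendor == CISCO_VENDOR_ID and sub[0] == CISCO_AVPAIR:
                    result["avpairs"].append(sub[2:sub[1]].decode("utf-8", "replace"))
                sub = sub[sub[1]:]
        pos += l
    return result

def nexus_roles(reply):
    """List role names from shell:roles= / shell:roles* pairs (the forms quoted in the thread)."""
    roles = []
    for av in reply["avpairs"]:
        for prefix in ("shell:roles=", "shell:roles*"):
            if av.startswith(prefix):
                roles += av[len(prefix):].strip('"').split()
    return roles

SAMPLE_ACCEPT = build_accept([attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER)),
                              cisco_avpair("shell:roles=network-admin")])
SAMPLE_NO_ROLE = build_accept([attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER))])
```

An empty list from nexus_roles() means the Access-Accept carried no shell:roles pair at all, so the role has to be fixed on the RADIUS server rather than on the switch.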






