Re: AW: User Problem with Cisco Nexus 4.x
Cisco Nexus with NXOS Version older than 4.2 (4.0 and 4.1) don?t like the entry "Vendor-Specific = 9".
What does that mean?
It seems that freeradius add this automatically if it?s not within the config.
No. FreeRADIUS adds almost nothing automatically.
But, when i put it in the config, the dump shows "bad udp checksum", wireshark "AVP too long". When i remove this line from the config, "vendor-specific=9" is also transmitted, but without checksum/avp too long error.
Is this behavior documented anywhere? I didn?t found this.
See the FAQ for "it doesn't work".
You haven't shown us the wireshark output. You haven't shown us the configuration you added.
Short summaries are *not* enough. We need the *exact* information.
Alan DeKok.
Hi Alan, Please find the dumps attached. ========================== dump_ok.cap test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6" Login-Service = Telnet, # Vendor-Specific = Cisco, Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\"" ========================== dump_notok.cap test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6" Login-Service = Telnet, Vendor-Specific = Cisco, Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\"" ========================== dump_notok_2.cap test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6" Login-Service = Telnet, Vendor-Specific = 9, Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\"" ========================== On Cisco Nexus older NXOS Version 4.2 login is possible with the last config (dump_notok_2.cap", But roles within the av-pairs are ignored. Newer devices (NXOS 4.2 and up) will ignore the "AVP too short" And takeover the roles from the radius paket. Seems that there was an update in the radius implementaion to make it more robust. And as you can see in the dump_ok.cap, "Vendor-Specific=9" was send, even if it was not in the config. But there is an other cisco av-pair in the config, is this the reason why the vendor-id was added to the reply? Jan
Jan.Gnepper@t-systems.com wrote:
test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6" Login-Service = Telnet, Vendor-Specific = Cisco,
What the HECK is that last line? Why is it there? What do you think it's doing? *Nothing* in any of the documentation leads you to believe that line is necessary. Delete it.
Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\"" ========================== dump_notok_2.cap
test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6" Login-Service = Telnet, Vendor-Specific = 9,
Delete that line, too.
Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\"" ==========================
On Cisco Nexus older NXOS Version 4.2 login is possible with the last config (dump_notok_2.cap", But roles within the av-pairs are ignored. Newer devices (NXOS 4.2 and up) will ignore the "AVP too short" And takeover the roles from the radius paket. Seems that there was an update in the radius implementaion to make it more robust.
And as you can see in the dump_ok.cap, "Vendor-Specific=9" was send, even if it was not in the config. But there is an other cisco av-pair in the config, is this the reason why the vendor-id was added to the reply?
Don't add "Vendor-Specific" to the reply. It's not needed. Alan DeKok.
participants (2)
-
Alan DeKok -
Jan.Gnepper@t-systems.com