Re: User Problem with Cisco Nexus 4.x

Jan.Gnepper at t-systems.com Jan.Gnepper at t-systems.com
Tue Aug 9 17:14:49 CEST 2011
>> Cisco Nexus with NXOS Version older than 4.2 (4.0 and 4.1) don't like 
>> the entry "Vendor-Specific = 9".
>
>  What does that mean?
>
>> It seems that freeradius add this automatically if it's not within the 
>> config.
>
>  No.  FreeRADIUS adds almost nothing automatically.
>
>> But, when i put it in the config, the dump shows "bad udp checksum", 
>> wireshark "AVP too long". When i remove this line from the config, 
>> "vendor-specific=9" is also transmitted, but without checksum/avp too 
>> long error.
>>  
>> Is this behavior documented anywhere?
>> I didn't find this.
>
>  See the FAQ for "it doesn't work".
>
>  You haven't shown us the wireshark output.  You haven't shown us the configuration you added.
>
>  Short summaries are *not* enough.  We need the *exact* information.
>
>  Alan DeKok.

Hi Alan,

Please find the dumps attached.

==========================
dump_ok.cap

test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
#        Vendor-Specific = Cisco,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
==========================
dump_notok.cap

test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
        Vendor-Specific = Cisco,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
==========================
dump_notok_2.cap

test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
        Vendor-Specific = 9,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
==========================

On Cisco Nexus with NXOS versions older than 4.2, login is possible with the last config (dump_notok_2.cap),
but roles within the av-pairs are ignored. Newer devices (NXOS 4.2 and up) will ignore the "AVP too short"
and take over the roles from the RADIUS packet. It seems that there was an update in the RADIUS implementation
to make it more robust.

And as you can see in dump_ok.cap, "Vendor-Specific=9" was sent, even if it was not in the config.
But there is another Cisco av-pair in the config; is this the reason why the vendor-id was added to the reply?

Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dump_ok.cap
Type: application/octet-stream
Size: 753 bytes
Desc: dump_ok.cap
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110809/67561983/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dump_notok.cap
Type: application/octet-stream
Size: 760 bytes
Desc: dump_notok.cap
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110809/67561983/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dump_notok_2.cap
Type: application/octet-stream
Size: 756 bytes
Desc: dump_notok_2.cap
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110809/67561983/attachment-0002.obj>
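The "AVP too short" / "AVP too long" warnings in this thread come from how attribute 26 (Vendor-Specific) is laid out on the wire. The following is an added example, not code from the thread, from FreeRADIUS or from Cisco: a small encoder and checker for RFC 2865 vendor-specific attributes. The well-formed case nests the Cisco-AVPair (vendor id 9, vendor-type 1, both IANA/Cisco facts) inside attribute 26 as Vendor-Id, Vendor-Type, Vendor-Length, Vendor-Data. The two malformed packets are constructed here only to show what a dissector would complain about: one carries nothing but the vendor id, the other a vendor-length larger than the VSA. Whether either matches what FreeRADIUS actually produced for the dumps above is an assumption; the .cap files themselves are not on this page.

```python
import struct

# RFC 2865 attribute numbers and Cisco vendor identifiers (protocol facts, not from the thread)
LOGIN_SERVICE = 15          # Login-Service; value 0 = Telnet
VENDOR_SPECIFIC = 26        # Vendor-Specific attribute (VSA container)
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco vendor-type used for Cisco-AVPair

# The av-pair string from the users entries quoted above (constructed sample input)
ROLES = b'shell:roles*"network-admin" "vdc-admin"'


def encode_attr(attr_type, value):
    """Encode one plain attribute as Type | Length | Value (Length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("value does not fit in one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, data):
    """Encode a well-formed VSA: attr 26 wrapping Vendor-Id | Vendor-Type | Vendor-Length | Vendor-Data."""
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def check_vsa(value):
    """Validate the Value field of attribute 26 and describe what is wrong, if anything."""
    if len(value) < 4:
        return "VSA too short: no vendor id"
    vendor_id = struct.unpack("!I", value[:4])[0]
    rest = value[4:]
    if not rest:
        return "VSA too short: vendor %d carries no sub-attribute" % vendor_id
    subs = []
    j = 0
    while j < len(rest):
        if len(rest) - j < 2:
            return "vendor %d: truncated sub-attribute header" % vendor_id
        vtype, vlen = rest[j], rest[j + 1]
        if vlen < 2 or j + vlen > len(rest):
            return "vendor %d: sub-attribute %d length %d exceeds VSA: AVP too long" % (vendor_id, vtype, vlen)
        subs.append(vtype)
        j += vlen
    return "vendor %d: ok, sub-attributes %s" % (vendor_id, subs)


def parse_attrs(payload):
    """Walk an attribute list; return (type, value, note) tuples, stopping at the first length error."""
    out = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            out.append((None, payload[i:], "truncated attribute header"))
            break
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            out.append((atype, payload[i + 2:], "attribute length %d exceeds packet: AVP too long" % alen))
            break
        value = payload[i + 2:i + alen]
        note = check_vsa(value) if atype == VENDOR_SPECIFIC else "ok"
        out.append((atype, value, note))
        i += alen
    return out


def well_formed():
    """Login-Service = Telnet plus a correctly nested Cisco-AVPair, as a usable Access-Accept carries it."""
    return encode_attr(LOGIN_SERVICE, struct.pack("!I", 0)) + encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, ROLES)


def bare_vendor_id():
    """Constructed: attribute 26 holding only vendor id 9 and no sub-attribute (the 'too short' shape)."""
    return encode_attr(LOGIN_SERVICE, struct.pack("!I", 0)) + \
        encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID))


def overlong_sub_attr():
    """Constructed: Vendor-Length claims more bytes than the VSA holds (the 'too long' shape)."""
    bad_sub = struct.pack("!BB", CISCO_AVPAIR, len(ROLES) + 12) + ROLES
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + bad_sub)


if __name__ == "__main__":
    for name, attrs in (("well_formed", well_formed()), ("bare_vendor_id", bare_vendor_id()),
                        ("overlong_sub_attr", overlong_sub_attr())):
        print(name)
        for atype, _, note in parse_attrs(attrs):
            print("  attr %s: %s" % (atype, note))
```

Running the block prints one line per attribute with the checker's verdict. The practical point for anyone debugging a similar dump: a NAS that is strict about VSA framing rejects or ignores the whole attribute 26 when the sub-attribute does not fit, so the Cisco-AVPair roles silently disappear while the rest of the Access-Accept (here Login-Service) still parses, which matches the "login works but roles are ignored" symptom described above.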