Re: User Problem with Cisco Nexus 4.x
    Alan DeKok 
    aland at deployingradius.com
    Tue Aug  9 21:14:51 CEST 2011

Jan.Gnepper at t-systems.com wrote:
> test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
>         Login-Service = Telnet,
>         Vendor-Specific = Cisco,
  What the HECK is that last line?  Why is it there?  What do you think
it's doing?
  *Nothing* in any of the documentation leads you to believe that line
is necessary.
  Delete it.
>         Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
> ==========================
> dump_notok_2.cap
> 
> test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
>         Login-Service = Telnet,
>         Vendor-Specific = 9,
  Delete that line, too.
>         Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
> ==========================
> 
> On Cisco Nexus older than NXOS version 4.2, login is possible with the last config (dump_notok_2.cap),
> but roles within the AV-pairs are ignored. Newer devices (NXOS 4.2 and up) will ignore the "AVP too short"
> and take over the roles from the RADIUS packet. Seems that there was an update in the RADIUS implementation
> to make it more robust.
> 
> And as you can see in dump_ok.cap, "Vendor-Specific=9" was sent, even though it was not in the config.
> But there is another Cisco AV-pair in the config; is this the reason why the vendor ID was added to the reply?
  Don't add "Vendor-Specific" to the reply.  It's not needed.
  Alan DeKok.
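For reference, the users-file entry as it looks once both `Vendor-Specific` lines are dropped, written here as an added example and not taken from the original thread. The check items, the MD5 hash and the role string are the ones from the quoted config; FreeRADIUS derives the vendor ID from the `Cisco-AVPair` attribute's own dictionary definition, so nothing else needs to name it.

```text
# /etc/raddb/users (example entry, not from the original thread)
# Check items on the first line: user "test", PAP, only from NAS in huntgroup "nexus".
test    Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
        # Reply items: no Vendor-Specific line here; Cisco-AVPair already carries vendor 9.
        Login-Service = Telnet,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
```

Confirm the reply with `radtest` against the server and check that the Access-Accept contains the `Cisco-AVPair` attribute and no stray `Vendor-Specific` attribute.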