Nexus Configurations

Darren Shaw D.Shaw at hud.ac.uk
Fri May 6 10:50:24 CEST 2011


Good morning David,

To answer your questions:

We do have a local username; all 500 of our switches have one.

I have traced the request and response between the FreeRADIUS server and the N5K. The server returns a Service-Type (6) AVP of Shell user (6), which according to the FreeRADIUS documentation at http://freeradius.org/rfc/attributes.html is an Administrative user.

The syntax that I have placed into the following file:

        Cisco-AVPair += "shell:roles=network-admin",
        Service-Type := Administrative-User,

I have also tried

  Hint == "XXXXXX", Auth-Type := Accept
        Reply-Message = "ACCEPT: Authorizing enable access",
        Cisco-AVPair = "shell:roles*\"network-admin\"",
        Cisco-AVPair += "shell:priv-lvl=15",
        Service-Type = Administrative-User,
        Fall-Through = No

Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
Cisco-AVPair = "shell:roles*\"network-admin\""

The configuration I have on the 5K:

radius-server host xxxx key 7 "XXXXXX" authentication accounting
aaa group server radius FreeRadius
    server xxxxx
        use-vrf management
aaa authentication login default group FreeRadius
source address xxxxx

It looks as though the 5K is not interpreting the attribute correctly, or I am not editing the correct file. Whatever syntax I use I get the same result: I am authenticated, but the Nexus places me as an operator.

The file I am editing is /usr/local/etc/raddb/sites-available/default

Rgds
Darren Shaw
The Network Team
Computing Services
University of Huddersfield
Queensgate
Huddersfield
HD1 3DH

TEL: 01484 471317
MOBILE: 07792 773807

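As an added example (not code from this thread, nor from FreeRADIUS or Cisco), the following Python decoder takes a RADIUS Access-Accept and reports exactly what the switch would see: the Service-Type and any Cisco-AVPair `shell:roles` values. This is the check David asks for above, done on the wire rather than by reading config files. The attribute numbers are the standard ones (RFC 2865: Service-Type 6, Reply-Message 18, Vendor-Specific 26; Cisco's IANA enterprise number 9 with Cisco-AVPair as vendor type 1); the packet it decodes is constructed inline with a zeroed authenticator and is not a capture from anyone's network. One caveat a practitioner would want: the `Hint == ... Auth-Type := Accept` stanza quoted above is users-file syntax (`raddb/users` in a FreeRADIUS 2.x source install), whereas `sites-available/default` is the virtual-server definition, so decoding the actual reply is the definitive test of what reaches the switch regardless of which file carries the entry.

```python
"""Decode a RADIUS Access-Accept and show the Service-Type and Cisco-AVPair
shell:roles values a Cisco Nexus would act on.

Added example, not from the mailing-list thread. Attribute numbers follow
RFC 2865 and Cisco's VSA numbering; SAMPLE_ACCEPT below is a constructed
packet (zeroed authenticator), not a real capture.
"""
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE = 6          # RFC 2865 attribute 6
REPLY_MESSAGE = 18        # RFC 2865 attribute 18
VENDOR_SPECIFIC = 26      # RFC 2865 attribute 26
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor type 1 inside a Cisco VSA

SERVICE_TYPE_NAMES = {
    1: "Login-User",
    2: "Framed-User",
    6: "Administrative-User",
    7: "NAS-Prompt-User",
}


def _tlv(attr_type, value):
    """Encode one RADIUS attribute as type(1) length(1) value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco-AVPair string as a Vendor-Specific attribute."""
    inner = _tlv(CISCO_AVPAIR, text.encode())
    return _tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_accept(attrs, identifier=1):
    """Wrap attributes in a RADIUS header; the authenticator is zeroed here
    because this is a constructed sample, not a reply to a real request."""
    body = b"".join(attrs)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, identifier, 20 + len(body), b"\0" * 16)
    return header + body


def parse_attributes(data):
    """Split an attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def decode_access_accept(packet):
    """Return the Service-Type name, Reply-Messages and Cisco-AVPair strings."""
    code, _identifier, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    if length != len(packet):
        raise ValueError("length field %d != packet size %d" % (length, len(packet)))
    result = {"service_type": None, "reply_messages": [], "cisco_avpairs": []}
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == SERVICE_TYPE:
            (st,) = struct.unpack("!I", value)
            result["service_type"] = SERVICE_TYPE_NAMES.get(st, str(st))
        elif attr_type == REPLY_MESSAGE:
            result["reply_messages"].append(value.decode(errors="replace"))
        elif attr_type == VENDOR_SPECIFIC:
            (vendor,) = struct.unpack("!I", value[:4])
            if vendor != CISCO_VENDOR_ID:
                continue          # some other vendor's VSA; not relevant here
            for vtype, vvalue in parse_attributes(value[4:]):
                if vtype == CISCO_AVPAIR:
                    result["cisco_avpairs"].append(vvalue.decode(errors="replace"))
    return result


def nexus_roles(decoded):
    """Extract role names from shell:roles AV pairs. Cisco AV-pair syntax uses
    '=' for a mandatory pair and '*' for an optional one; the value may be
    quoted and may list several space-separated roles."""
    roles = []
    for pair in decoded["cisco_avpairs"]:
        for sep in ("=", "*"):
            key, found, rest = pair.partition(sep)
            if found and key == "shell:roles":
                roles.extend(rest.strip().strip('"').split())
                break
    return roles


# Constructed sample: what a correct reply for an admin login would carry.
SAMPLE_ACCEPT = build_access_accept([
    _tlv(SERVICE_TYPE, struct.pack("!I", 6)),
    cisco_avpair('shell:roles="network-admin vdc-admin"'),
    cisco_avpair("shell:priv-lvl=15"),
    _tlv(REPLY_MESSAGE, b"ACCEPT: Authorizing enable access"),
])

if __name__ == "__main__":
    info = decode_access_accept(SAMPLE_ACCEPT)
    print(info)
    print("roles the Nexus would see:", nexus_roles(info))
```

To use it on a real trace, feed the raw bytes of the Access-Accept (UDP payload) to `decode_access_accept`. If `cisco_avpairs` comes back empty while the server log claims the attribute was set, the reply attribute is not being emitted from the file being edited; if it comes back populated with `shell:roles=network-admin` and the switch still assigns network-operator, the problem is on the switch side (local account precedence or NX-OS parsing of the role string).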

-----Original Message-----
From: freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org] On Behalf Of David Mitchell
Sent: 05 May 2011 15:35
To: FreeRadius users mailing list
Subject: Re: Nexus Configurations


On May 5, 2011, at 4:47 AM, Darren Shaw wrote:

> Hello David,
>
> Thanks for the syntax. Sadly this still does not work. The FreeRADIUS server will authenticate me as a user, but the 5K wants me as an operator and not admin.
>
> If you have the 5K working, could I be cheeky and ask if you could mail me the radius config on your 5K

There isn't anything in the radius config that enables this as far as I can tell. Do you have a
local account on the 5K? That might override the info from the RADIUS server. Run the command
'show user-account' after logging in. For me, it indicates that the account was created via remote
authentication. I assume you have run the radius server in debug mode to verify that the attributes
are actually in the access accept packets sent back to the switch?


-David Mitchell

>
> thanks
>
> Rgds
> Darren Shaw
> The Network Team
> Computing Services
> University of Huddersfield
> Queensgate
> Huddersfield
> HD1 3DH
>
> TEL: 01484 471317
> MOBILE: 07792 773807
>
> -----Original Message-----
> From: freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org] On Behalf Of David Mitchell
> Sent: 04 May 2011 15:14
> To: FreeRadius users mailing list
> Subject: Re: Nexus Configurations
>
>
> On May 4, 2011, at 4:48 AM, Darren Shaw wrote:
>
>> Good Morning
>>
>> I am new to this forum and to the workings of FreeRadius and I have a query around the Cisco Nexus family.
>>
>> Currently we have all our switches and routers authenticating to FreeRADIUS and all seems to be working. The problem comes when I want to authenticate my Nexus 7K and 5Ks. The 7Ks and 5Ks will authenticate me, but the Nexus puts me in an operator role and not in an administrator's role.
>>
>> According to Cisco I have to place the following into
>>
>> /usr/local/etc/raddb/sites-available/default
>>
>> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
>> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
>> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
>> Cisco-AVPair = "shell:roles*\"network-admin\""
>
> This is what I'm adding to the replies for Nexus 5Ks. I don't have any 7Ks but I'd be surprised if
> they were any different. I have not tried to send two roles so I can't confirm the syntax for that.
>
>        Cisco-AVPair += "shell:roles=network-admin",
>        Service-Type := Administrative-User,
>
> -David Mitchell
>
>>
>>
>> The current service type is Administrative-User
>>
>> I have tried each AVPair and nothing works. Has anyone else had this issue?
>>
>> If anyone has any advice I would be really grateful.
>>
>> Thanks
>>
>>
>>
>> Rgds
>> Darren Shaw
>> The Network Team
>> Computing Services
>> University of Huddersfield
>> Queensgate
>> Huddersfield
>> HD1 3DH
>>
>> TEL: 01484 471317
>> MOBILE: 07792 773807
>>
>>
>>
>>
>> ---
>> This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -----------------------------------------------------------------
> | David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
> | Tel: (303) 497-1845                      National Center for  |
> | FAX: (303) 497-1818                      Atmospheric Research |
> -----------------------------------------------------------------

-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------