Nexus Configurations

Darren Shaw D.Shaw at hud.ac.uk
Mon May 9 14:10:19 CEST 2011


Hello,

Is the user you are testing with configured on the switch? No, this is my username that is allowed to access the switches. It authenticates me with AD and makes sure I belong to a certain group within AD.

If so, as what type of user?  Admin user.

Have you tried a username which is not configured on the switch? Yes mine, and my colleagues, all work on 6500, 2960, 2950 3524, etc etc.


Rgds
Darren Shaw
The Network Team
Computing Services
University of Huddersfield
Queensgate
Huddersfield
HD1 3DH

TEL: 01484 471317
MOBILE: 07792 773807


-----Original Message-----
From: freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org] On Behalf Of David Mitchell
Sent: 06 May 2011 15:34
To: FreeRadius users mailing list
Subject: Re: Nexus Configurations


On May 6, 2011, at 2:50 AM, Darren Shaw wrote:

> Good morning David,
>
> To answer your questions
>
> We do have a local username; all our switches have, 500 of them.

Is the user you are testing with configured on the switch? If so, as what type
of user? Have you tried a username which is not configured on the switch?

>
> I have traced the request and response between the FreeRadius server and the N5K, the server returns a service-type (6) AVP of Shell user (6) which according to the Free Radius documentation at http://freeradius.org/rfc/attributes.html is an Administrative user.

Is the Cisco-AVPair also in that response packet? Also, I put the syntax for adding those
attributes into the 'users' file. It's probably possible to get them crammed in via the
'default' configuration but it's not necessarily the right place. It may also be the case that
you need to make sure you are *not* sending the Cisco-AVPair 'shell:priv-lvl=15'. I know that
I needed to put my IOS and NX-OS devices into different huntgroups so that I could assign
different AVPair's. I tried just sending both values to both types of devices and did not
get the desired effect.

-David Mitchell

>
> The syntax that I have placed into the following file
>
> Cisco-AVPair += "shell:roles=network-admin",
>>       Service-Type := Administrative-User,
>
> I have also tried
>
>  Hint == "XXXXXX", Auth-Type := Accept
>        Reply-Message = "ACCEPT: Authorizing enable access",
>        Cisco-AVPair = "shell:roles*\"network-admin\"",
>        Cisco-AVPair += "shell:priv-lvl=15",
>        Service-Type = Administrative-User,
>        Fall-Through = No
>
> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-admin\""
>
> The configuration I have on the 5K
>
> radius-server host xxxx key 7 "XXXXXX" authentication accounting
> aaa group server radius FreeRadius
>    server xxxxx
>        use-vrf management
> aaa authentication login default group FreeRadius
> source address xxxxx
>
> It looks as though the 5K is not interpreting the attribute correctly, or I am not editing the correct file. Whatever syntax I use I get the same results, I get authenticated but the nexus places me as an operator.
>
> The file I am editing is  /usr/local/etc/raddb/sites-available/default
>
> Rgds
> Darren Shaw
> The Network Team
> Computing Services
> University of Huddersfield
> Queensgate
> Huddersfield
> HD1 3DH
>
> TEL: 01484 471317
> MOBILE: 07792 773807
>
>
> -----Original Message-----
> From: freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org] On Behalf Of David Mitchell
> Sent: 05 May 2011 15:35
> To: FreeRadius users mailing list
> Subject: Re: Nexus Configurations
>
>
> On May 5, 2011, at 4:47 AM, Darren Shaw wrote:
>
>> Hello David,
>>
>> Thanks for the syntax. Sadly this still does not work. The free radius server will authenticate me as a user but the 5K wants me as an operator and not admin.
>>
>> If you have the 5K working, could I be cheeky and ask if you could mail me the radius config on your 5K
>
> There isn't anything in the radius config that enables this as far as I can tell. Do you have a
> local account on the 5K? That might override the info from the RADIUS server. Run the command
> 'show user-account' after logging in. For me, it indicates that the account was created via remote
> authentication. I assume you have run the radius server in debug mode to verify that the attributes
> are actually in the access accept packets sent back to the switch?
>
>
> -David Mitchell
>
>>
>> thanks
>>
>> Rgds
>> Darren Shaw
>> The Network Team
>> Computing Services
>> University of Huddersfield
>> Queensgate
>> Huddersfield
>> HD1 3DH
>>
>> TEL: 01484 471317
>> MOBILE: 07792 773807
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+d.shaw=hud.ac.uk at lists.freeradius.org] On Behalf Of David Mitchell
>> Sent: 04 May 2011 15:14
>> To: FreeRadius users mailing list
>> Subject: Re: Nexus Configurations
>>
>>
>> On May 4, 2011, at 4:48 AM, Darren Shaw wrote:
>>
>>> Good Morning
>>>
>>> I am new to this forum and to the workings of FreeRadius and I have a query around the Cisco Nexus family.
>>>
>>> Currently we have all our switches and routers authentication to FreeRadius and all seems to be working. The problem comes when I want to authenticate my Nexus 7K and 5K's.  The 7Ks and 5Ks will authenticated me but the Nexus puts me in an operator role and not in an administrator's role.
>>>
>>> According to Cisco I have to place the following into
>>>
>>> /usr/local/etc/raddb/sites-available/default
>>>
>>> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-admin\""
>>
>> This is what I'm adding to the replies for Nexus 5K's. I don't have any 7K's but I'd be surprised if
>> they were any different. I have not tried to send two roles so I can't confirm the syntax for that.
>>
>>       Cisco-AVPair += "shell:roles=network-admin",
>>       Service-Type := Administrative-User,
>>
>> -David Mitchell
>>
>>>
>>>
>>> The current service type is = Administrative -User
>>>
>>> I have tried each AVPair and nothing works. Has anyone else had this issue?
>>>
>>> If anyone has any advice I would be really grateful.
>>>
>>> Thanks
>>>
>>>
>>>
>>> Rgds
>>> Darren Shaw
>>> The Network Team
>>> Computing Services
>>> University of Huddersfield
>>> Queensgate
>>> Huddersfield
>>> HD1 3DH
>>>
>>> TEL: 01484 471317
>>> MOBILE: 07792 773807
>>>
>>>
>>>
>>> ________________________________
>>>
>>> ---
>>> This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>> -----------------------------------------------------------------
>> | David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
>> | Tel: (303) 497-1845                      National Center for  |
>> | FAX: (303) 497-1818                      Atmospheric Research |
>> -----------------------------------------------------------------
>>
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>> ---
>> This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -----------------------------------------------------------------
> | David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
> | Tel: (303) 497-1845                      National Center for  |
> | FAX: (303) 497-1818                      Atmospheric Research |
> -----------------------------------------------------------------
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> ---
> This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


---
This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.




More information about the Freeradius-Users mailing list