authenticate cisco nexus 5000 with freeradius
Dave Funk
dbfunk at engineering.uiowa.edu
Thu Feb 29 15:59:34 UTC 2024
On Thu, 29 Feb 2024, Majed Zouhairy wrote:
>
>
[snip..]
> I'm trying to authenticate an old 5k Nexus Cisco switch with FreeRADIUS, but
> when I enable AAA authentication, I get the error: "command not permitted for
> the current role". It is obvious that an AV pair is needed with the network
> operator role for AAA to work; now the question is what needs to be added
> to FreeRADIUS so that the AV pair is activated?
You need to add a Cisco-AVPair attribute with the correct value to your
'Access-Accept' response. This can be done by augmenting the correct record
for your admin-people in your 'authorize' config file.
It could look something like:
#
# users-file entry: check item on the first line, reply items indented
# beneath it, each reply item except the last followed by a comma.
admin   Cleartext-Password := "*REDACTED*"
        Service-Type = Administrative-User,
        filter-id = "super user",
        Callback-Number = "admin",
        Cisco-AVPair = "shell:priv-lvl=15",
        TrippLite-Authorization = "default=rw",
        Reply-Message := "Hello, %{User-Name}"
#
Note that the actual value of that Cisco-AVPair attribute will need to be
determined by you to meet your needs. Look at the Cisco documents to see what
they mean. In that example there are other attributes for other types of
equipment (e.g. TrippLite-Authorization); omit or adjust them as appropriate
for your needs.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
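Added example, not code from Dave's post or from the FreeRADIUS project: what a users-file reply item such as `Cisco-AVPair = "shell:priv-lvl=15"` becomes on the wire. FreeRADIUS encodes it as an RFC 2865 Vendor-Specific attribute (type 26) carrying Cisco's enterprise number 9 and vendor type 1, and the switch only trusts the Access-Accept after checking the Response Authenticator (MD5 over header, Request Authenticator, attributes and shared secret). The shared secret, the Request Authenticator and the literal Reply-Message text are constructed values; in a real exchange the secret comes from clients.conf, the authenticator from the switch's Access-Request, and `%{User-Name}` is expanded by the server.

```python
"""Encode and decode a RADIUS Access-Accept carrying a Cisco-AVPair VSA.

Added example; not code from the mailing-list post or from FreeRADIUS.
Shows the wire form of the Cisco-AVPair reply item (RFC 2865 section 5.26,
vendor 9, vendor type 1) and how a receiver validates the Response
Authenticator before acting on the attributes.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9                 # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                 # vendor type of Cisco-AVPair
SERVICE_TYPE_ADMINISTRATIVE = 6  # Service-Type value Administrative-User

# Constructed demo values. A real secret lives in clients.conf and the
# Request Authenticator is copied from the Access-Request being answered.
DEMO_SECRET = b"constructed-shared-secret"
DEMO_REQUEST_AUTH = bytes(range(16))


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Cisco-AVPair: Vendor-Specific(26) wrapping vendor-id 9, vendor type 1, string."""
    payload = text.encode("ascii")
    vendor_body = (struct.pack("!I", VENDOR_CISCO)
                   + struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload)
    return attr(ATTR_VENDOR_SPECIFIC, vendor_body)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Assemble the packet; Response Authenticator (RFC 2865 section 3) is
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data: bytes) -> list:
    """Walk the TLVs after the 20-byte header, expanding Cisco VSAs by name."""
    out = []
    i = 20
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        v = data[i + 2:i + length]
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == VENDOR_CISCO:
            sub_t, sub_l = v[4], v[5]
            if sub_l != len(v) - 4:
                raise ValueError("malformed Cisco VSA")
            if sub_t == CISCO_AVPAIR:
                out.append(("Cisco-AVPair", v[6:6 + sub_l - 2].decode("ascii")))
            else:
                out.append((f"Cisco-VSA-{sub_t}", v[6:]))
        elif t == ATTR_SERVICE_TYPE and len(v) == 4:
            out.append(("Service-Type", struct.unpack("!I", v)[0]))
        elif t == ATTR_REPLY_MESSAGE:
            out.append(("Reply-Message", v.decode("utf-8")))
        else:
            out.append((t, v))
        i += length
    return out


def verify_response(data: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator and compare in constant time."""
    if len(data) < 20 or struct.unpack("!H", data[2:4])[0] != len(data):
        return False
    header, got, attrs = data[:4], data[4:20], data[20:]
    want = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, want)


def demo():
    """Build the Access-Accept the users-file entry above would produce."""
    attrs = (attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
             + cisco_avpair("shell:priv-lvl=15")
             + attr(ATTR_REPLY_MESSAGE, b"Hello, admin"))  # %{User-Name} already expanded
    packet = build_access_accept(0x2A, DEMO_REQUEST_AUTH, DEMO_SECRET, attrs)
    return packet, parse_attributes(packet), verify_response(packet, DEMO_REQUEST_AUTH, DEMO_SECRET)


if __name__ == "__main__":
    pkt, parsed, ok = demo()
    print(pkt.hex())
    for name, value in parsed:
        print(f"{name} = {value!r}")
    print("Response Authenticator valid:", ok)
```

Running it prints the raw hex of the Access-Accept, the decoded attributes and whether the authenticator checks out; the same decoding is what `radiusd -X` shows on the server side, so comparing the two is a quick way to confirm the users-file entry is actually sending the AV pair you think it is.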
More information about the Freeradius-Users
mailing list