authenticate cisco nexus 5000 with freeradius

Dave Funk dbfunk at
Thu Feb 29 15:59:34 UTC 2024

On Thu, 29 Feb 2024, Majed Zouhairy wrote:


> i'm trying to authenticate an old 5k nexus cisco switch with freeradius, but 
> when i enable aaa authentication, i get the error: command not permitted for 
> the current role. it is obvious that an av pair is needed with network 
> operator role for aaa to work, now the question is what is needed to be added 
> to freeradius so that the avpair is activated?
>> -

You need to add a Cisco-AVPair attribute with the correct value to your 
'Access-Accept' response. This can be done by augmenting the correct record 
for your admin-people in your 'authorize' config file.

It could look something like:

admin   Cleartext-Password := "*REDACTED*"
         Service-Type = Administrative-User,
         filter-id = "super user",
         Callback-Number = "admin",
         Cisco-AVPair = "shell:priv-lvl=15",
         TrippLite-Authorization = "default=rw",
         Reply-Message := "Hello, %{User-Name}"

Note the actual value of that Cisco-AVPair attribute will need to be determined 
by you to meet your needs. Look at the Cisco documents to see what they mean.
In that example there are other attributes for other types of equipment (EG: 
TrippLite-Authorization) omit or adjust as appropriate for your needs.

Dave Funk                               University of Iowa
<dbfunk (at)>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

More information about the Freeradius-Users mailing list