Search This Blog

Wednesday, May 18, 2016

Cisco Nexus RADIUS authentication

How to configure Cisco Nexus switch with RADIUS authentication?

Here I’m using Microsoft NPS (Network Policy Server), which is feature of Windows 2008 R2 server, as RADIUS.

The switch is Nexus 93128TX running NX-OS version 6.1(2)I3(3a)

The first thing to do is to check with which IP address the switch accesses the NPS and that it’s reachable.

In this example the IP address of the NPS is 192.168.10.222 and the switch management IP is 192.168.10.230.

Now let’s configure the Nexus switch for RADIUS authentication:

radius-server host 192.168.10.222 key <PRE-SHARED_KEY> auth-port 1645 acct-port 1646 authentication accounting
!
aaa group server radius RADIUS
    server 192.168.10.222
!
aaa authentication login default group RADIUS
aaa authentication login console local

The default behavior of the Nexus in case of all AAA servers configured for remote authentication are unreachable is fallback to local.

Before we will continue to configure the NPS create security group, on the AD, which will gain access to the switch.

We can create 2 different groups for example – one for network-admin role and the other for vdc-operator with read-only permissions.

We also can create specific roles on the Nexus switch (see notes below).

Next let’s configure the NPS:

Open the NPS console

Click the ‘+’ next to RADIUS Clients and Servers

Right click on RADIUS Clients and select New

Type in a friendly name for the device, type the IP address of the device and the pre-shared key



Click on the Advanced tab

From the Vendor name down-drop menu select Cisco


Click OK

Click the ‘+’ next to Policies

Right click on Network Policies and select New

Type in a Policy name



Click Next

Under Specify Conditions click Add

Scroll down and select Client IPv4 Address, type in the switch IP address and click OK

*This allows us to tie this specific access policy to this specific device


Now click on Add again and select User Groups and select the appropriate group for accessing the switch.


Click Next

On the Specify Access Permissions make sure the Access granted is selected and click Next


On the Configure Authentication Methods, uncheck all and check only Unencrypted authentication (PAP, SPAP)


On the Configure Constraints we can configure various options or just click Next


On the Configure Settings, select Vendor Specific and click Add


From the Vendor drop-down menu select Cisco, click on Cisco-AV-Pair and click Add


Click Add and type in the following attribute:
shell:roles="network-operator vdc-admin"


This will assign network-operator and vdc-admin for the login user, We can change the roles according to our requirements for the specific account/group.

Click OK, Next and Finish.

Now you can try to login into the Nexus switch with your domain account.

Notes

Show roles on the switch:

RHA-DC-NX-SW-01#  show role

Configure new role on the switch:

configure terminal
role name <ROLE_NAME>
rule number {deny | permit} command command-string
rule number {deny | permit} {read | read-write}
rule number {deny | permit} {read | read-write} feature feature-name
rule number {deny | permit} {read | read-write} feature-group group-name
description text
exit

Validate new role:

show role
show role {pending | pending-diff}
role commit
copy running-config startup-config

Now you can use the exactly role name under  Cisco-AV-pair attribute for applying this role to specific account/group.


2 comments:

  1. מחפשים { קבלן שלד } ? האוס בנייה המובילים בתחום הבנייה הפרטית והשלדים הכנסו לאתר וצרו קשר עוד היום

    ReplyDelete
  2. Thank you because you have been willing to share information with us. we will always appreciate all you have done here because I know you are very concerned with our. distributor cisco

    ReplyDelete