Cisco Nexus 5K + Microsoft Radius for Admin Authentication

Hi,
I have cisco 3750 switches configured to use MS radius for administrator authentication. However, now I would like to add our cisco nexus switches to MS radius as well so that administrators are authenticated against the Microsoft radius for admin authentication.
I tried it earlier but it won't accept 3750 commands. Can you please help me with a configuration example that I can follow?
the commands I have used on 3750 are as follows:
aaa new-model
aaa authentication login vtylogin group radius local
aaa authentication login conlogin group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec vtylogin group radius local
aaa authorization exec conlogin group radius local
radius-server host x.x.x.x key SECRETE
line con 0
exec-timeout 5 0
authorization exec conlogin
logging synchronous
login authentication conlogin
line vty 0 4
exec-timeout 0 0
authorization exec vtylogin
login authentication vtylogin
transport input ssh
line vty 5 15
exec-timeout 0 0
authorization exec vtylogin
login authentication vtylogin
transport input ssh

I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts!
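The role mapping the reply above describes, as an added example that is not part of the original thread and not Cisco or Microsoft code: it encodes the cisco-av-pair as the RFC 2865 Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor-type 1) that the RADIUS server places in the Access-Accept, decodes it back the way the switch would, pulls the NX-OS roles out of the shell:roles value, and lists which of them are full-privilege roles so an administrator can check that each NPS policy hands out only the role a group actually needs. The parser also distinguishes the two separators of the av-pair syntax, `=` (mandatory) and `*` (optional). The same check applies to the Nexus 7010 / Microsoft 2008 NPS thread further down. The sample attribute list and the Reply-Message text are constructed; the set of full-privilege roles is an assumption about which built-in NX-OS roles grant complete control.

```python
"""Encode, decode and audit a Cisco cisco-av-pair carrying NX-OS roles.

Added example for this thread; not Cisco or Microsoft code.
"""
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
RADIUS_REPLY_MESSAGE = 18     # RFC 2865 Reply-Message (used only as filler)
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1         # vendor-type of cisco-av-pair inside the VSA

# Assumption: these built-in NX-OS roles grant full control of the switch/VDC.
FULL_PRIVILEGE_ROLES = {"network-admin", "vdc-admin"}


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one av-pair string in a Vendor-Specific attribute.

    Layout: Type(26) Length Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) String
    Both length fields count their own header bytes; each fits in one byte.
    """
    value = avpair.encode("ascii")
    vendor_len = 2 + len(value)
    attr_len = 6 + vendor_len
    if attr_len > 255:
        raise ValueError("av-pair too long for a single RADIUS attribute")
    header = struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, attr_len, CISCO_VENDOR_ID)
    return header + struct.pack("!BB", CISCO_AVPAIR_TYPE, vendor_len) + value


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return every cisco-av-pair string.

    Non-Cisco VSAs and ordinary attributes are skipped; malformed lengths
    raise instead of being silently accepted.
    """
    pairs = []
    i = 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        body = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != RADIUS_VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(body):
            v_type, v_len = body[j], body[j + 1]
            if v_len < 2 or j + v_len > len(body):
                raise ValueError("malformed vendor sub-attribute")
            if v_type == CISCO_AVPAIR_TYPE:
                pairs.append(body[j + 2:j + v_len].decode("ascii"))
            j += v_len
    return pairs


def parse_shell_roles(avpair: str):
    """Return (mandatory, [roles]) for a shell:roles av-pair, else None.

    In Cisco av-pair syntax "attr=value" is mandatory and "attr*value" is
    optional; the value is a quoted, space-separated role list.
    """
    for sep, mandatory in (("=", True), ("*", False)):
        prefix = "shell:roles" + sep
        if avpair.startswith(prefix):
            raw = avpair[len(prefix):].strip().strip('"')
            return mandatory, raw.split()
    return None


def privileged_roles(roles) -> list:
    """Sorted subset of roles that grant full privilege (for policy review)."""
    return sorted(r for r in roles if r in FULL_PRIVILEGE_ROLES)


def build_sample_accept_attrs() -> bytes:
    """Constructed attribute list: a Reply-Message followed by the Cisco VSA."""
    msg = b"welcome"  # constructed filler text
    reply = bytes([RADIUS_REPLY_MESSAGE, 2 + len(msg)]) + msg
    return reply + encode_cisco_avpair('shell:roles*"network-admin vdc-admin"')


if __name__ == "__main__":
    for pair in decode_cisco_avpairs(build_sample_accept_attrs()):
        parsed = parse_shell_roles(pair)
        if parsed is None:
            print("other av-pair:", pair)
            continue
        mandatory, roles = parsed
        print("roles:", roles, "mandatory:", mandatory,
              "full-privilege:", privileged_roles(roles))
```

Run as-is to see the constructed reply decoded; point `decode_cisco_avpairs` at a captured attribute list to review what a server is actually handing out.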

Similar Messages

  • Cisco Nexus 1000v Virtual Switch for Hyper-V Availability

    Hi,
    Does anyone have any information on the availability of the Cisco Nexus 1000v virtual switch for Hyper-V? Is it available to download from Cisco yet? If not, when will it be released? Are there any Beta programs etc.?
    I can download the 1000v for VmWare but cannot find any downloads for the Hyper-V version.
    Microsoft Partner

    Any updates on the Cisco Nexus 1000v virtual switch for Hyper-V? Just checked on the Cisco site, however still only the download for VMware and no trace of any beta version. Also posted the same question at:
    http://blogs.technet.com/b/schadinio/archive/2012/06/09/windows-server-2012-hyper-v-extensible-switch-cisco-nexus-1000v.aspx
    "Hyper-V support isn't out yet. We are looking at a beta for Hyper-V starting at the end of February or the beginning of March."
    -Ian @ Cisco Community
    || MCITP: EA, VA, EMA, Lync SA, makes a killer sandwich. ||

  • Configuring Radius for PC Authentication

    Hello. Has anyone configured RADIUS for PC authentication? It would be great if I could do both User and PC authentication but I've read that only one can be used. That being said, every time I add "Domain Computers" to the RADIUS settings I cannot connect to the wi-fi. "Domain Users" however....works with no problems. I'd appreciate the help!!

    Finally resolved this and figured I'd share my results. For starters in NPS on your RADIUS server, you'll want to use "Machine Groups" and tie that to "Domain Computers" which is the default AD group for all PC objects when added to your domain.
    On your GPO for the wireless, you would hit edit > advanced > and select "computer authentication". This works well as it also keeps mobile devices off the network. 

  • Cisco ISE 1.1.2.145 Admin Authentication using LDAP

    I have configured the LDAP and am able to retrieve our LDAP directory structure. Now, I am trying to point the 'Admin Access' authentication to the "External Identity" Source which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for any reason the LDAP configuration doesn't work. I learnt that ISE can automatically revert to local auth provided the External Identity sources are unreachable. How can I test the LDAP authentication without breaking our Admin Access? I thought of opening two parallel sessions, one with a Super Admin Local Account and the other with a Domain account. But I noticed that ISE communication is smart enough to logoff/login any other sessions in different browsers, so basically I can't open two parallel sessions from the same machine to do the tests. Suggestions? Or am I missing something here?
    Many thanks in advance.

    Hi Srinivas,
    Even if you set up LDAP as an External Identity source for admin access, you can still fall back to Internal without getting locked out. As per the ISE user guide:
    During operation, Cisco ISE is designed to "fall back" and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing "Internal" from the Identity Store drop-down selector in the login dialog.
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543
    Please refer to the attached screenshot from my lab ISE:
    I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.
    Hope this helps.
    Thanks,
    Aastha

  • Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

    I have a Nexus 7010 running
    Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
    >>ip radius source-interface mgmt 0
    >>radius-server key XXXXX
    >>radius-server host X.X.X.X key XXXXX authentication accounting
    >>radius-server host X.X.X.X key XXXXX authentication accounting
    >>aaa authentication login default group Radius_Group
    >>aaa authentication login console local
    >>aaa group server radius Radius_Group
    >>    server X.X.X.X
    >>    server X.X.X.X
    >>    source-interface mgmt0
    Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
    shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server
    Does anyone know if this works????
    Thanks

    I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!

  • Cisco 2960 / Linksys SRW2008P - Radius dynamic vlan authentication

    Hi all,
    I am planning on purchasing a Linksys SRW2008P; before I buy it I want to know if it has these features.
    This is how my test lab is set up.
    Laptop -> Linksys SRW2008 -> Cisco 2960 -> Linksys WRVS4400N -> Internet
    My Cisco 2960 is going to act as the "Distribution Switch" in my Lab. Its main purpose is to implement Radius 802.1X dynamic VLAN(s).
    The Linksys WRV2008 will act as an "Access Switch"; the main feature I would like to know about is if it can support 802.1X dynamic VLAN(s) propagated from the Linksys 2960.
    For example: I am going to set up all my VLANs on the 2960 and I want them to replicate to my SRW 2008 (like VTP). Whoever plugs into a port on the SRW will be authenticated via RADIUS, and RADIUS will authenticate the port and send the VLAN information.
    I searched throughout the forums and from what I see Linksys switches do not support Dynamic VLAN(s), but I want to double check.
    The reason why I am doing this is because I want 802.1X authentication throughout my small office, but the problem is some offices have 1 port with 2 users and a printer. I want both users to authenticate via 802.1X and avoid trying to buy a 2960 8 port switch for $500 just for 2 users.
    If anybody has any suggestions or past experiences with a situation similar to mine that would be great!
    Cheers

    Hi. I have read a previous post that can confirm if Linksys switches support dynamic vlans. Check out the link below.
    http://forums.linksys.com/linksys/board/message?board.id=Switches&message.id=4511

  • Cisco ACS for Unix authentication

    My company is looking for a single sign on for all the windows and unix servers mainly for admins. I was wondering if Cisco ACS will work for this.
    Basically the authentication will be for all the servers and routers of course. I am thinking, if I specify windows AD in the ACS config, can I get the unix boxes to get authenticated against Radius?
    Any help will be appreciated.
    Manny

    Hi,
    Authentication of unix servers via ACS over the radius protocol is achievable; check out the below link. Client end configuration needs to be done for radius authentication.
    Hope that helps out your query!!
    http://www.ibm.com/developerworks/library/l-radius/
    Regards
    Ganesh.H

  • Use Tacacs+ for Admin auth & Radius for user Auth?

    Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
    If I setup a server in Server Manager under Radius, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.

    Don't know about 1200s but you can do this on 1130AGs. Create an aaa group for authentication via radius, and one for tacacs+, then use aaa groups to point console/vty to the tacacs+ aaa group, and EAP authentication to the radius group.
    eg:
    aaa group server radius rad-group
    server x.x.x.x auth-port xxxx acct-port xxxx
    aaa group server tacacs+ admin-access
    server x.x.x.x
    aaa authentication login eap-method group rad-group
    aaa authentication login auth-admin-access group admin-access local
    aaa authorization exec default group admin-access local
    now under the ssid part of the config have:
    dot11 ssid yyyyyy
    authentication open (or whatever method you use) eap eap-method
    under console/vty etc:
    login authentication auth-admin-access
    You need some more stuff like radius and tacacs server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s); it looks like it overloads the aaa server at the moment - see field notices - probably doesn't apply to 1200s.

  • ASA , Cisco VPN client with RADIUS authentication

    Hi,
    I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
    All seems to be working: I get connected and authenticated. However, even if I use the user name and password from Active Directory when connecting with the Cisco VPN client, I still have to provide these credentials once again when accessing domain resources.
    Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
    Thank you.
    Kind regards,
    Alex

    Hi Alex,
    It is working as it should.
    You can enable the vpn client to start vpn before logon. That way you log in to vpn and then log on to the domain. However, you are still entering credentials twice (vpn and domain), but you have access to domain resources and profiles.
    thanks
    John

  • Simulator/Emulator for Cisco Nexus 7k, 5k

    Do you guys know any good simulator or emulator for Cisco Nexus 7k or 5k ?

    There aren't any at the moment. I have heard that Cisco has an internal one that is proprietary and not available to the public. Our only hope is to wait for the release of Cisco's VIRL aka Cisco Modeling Labs and hope that an NX-OS emulator will be included. However, when I was checking it out at this year's Cisco Live the current version did not have one :(
    Thank you for rating helpful posts! 

  • ISE Radius device administration authentication possible?

    Hi,
    Does anybody know if Radius device administration authentication and authorization is possible with the actual ISE release? I know that TACACS will be available in a future release.
    Regards
    Joerg

    Yes, it's possible according to the "Ask the experts" forum:
    https://supportforums.cisco.com/thread/2172532
    "If you use RADIUS for device administration, ISE can be utilized using authorization policy elements that return Cisco av-pairs.  But personally, I think ACS is currently superior to ISE for this task."
    Anyway, I'm about to test "device admin" and "network access" simultaneously in the same switch with Radius and ISE.
    Please rate if it helps

  • Cisco WSA : What is RADIUS CLASS attribute ?

    Hello !
    I am trying to use a radius server (Cisco ISE) as an external authentication server for WSA. I would like to assign roles for groups of users but I don't understand the meaning of the RADIUS CLASS attribute. What am I supposed to write in this field?
    Thank you,
    Stéphane Walker

    The CLASS attribute is generic, in that you can put anything in it. So you get to decide what you use.
    On your RADIUS box, for the users or group that it applies to, set it to something like "WSAAdmin" for admins, "WSARO" for read only users...
    Then when you config the WSA, you set them appropriately there...
    But you can really use any string you want to; they just need to match appropriately.
    HTH,
    Ken

  • Radius server web authentication using ISE

    Hi,
    Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
    I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller; therefore I don't think I can implement central web auth on ISE as detailed in the user guide, as it's layer 2 and auth requests come from the foreign controller.
    The following link explains "Radius Server Web Authentication" using ACS. I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
    Thanks,

    Hi,
    Please check these:
    Central Web Authentication on the WLC and ISE Configuration Example
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
    Regards
    Don't forget to rate helpful posts

  • Nexus 1000v and vcenter domain admin account

    I changed our domain admin account on our domain in which vcenter services run, and now it's using a different service account. I am wondering if I need to update anything on the nexus 1000v switch side between the 1000v and vCenter.

    Hi Dan,
    You are on the right track. However, you can perform some of these functions "online".
    First you want to ensure that you are running, at a minimum, Nexus 1000v SV1(4a), as ESXi 5.0 support only began in this release. SV1(4a) provides support for both ESXi 5.0 and ESX/i 4.1.
    Then you can follow the procedure documented here:
    Upgrading from VMware Release 4.0/4.1 to VMware Release 5.0.0
    This document walks you through upgrading your ESX infrastructure to VMware Release 5.0.0 when Cisco Nexus 1000V is installed. It is required to be completed in the following order:
    1. Upgrade the VSMs and VEMs to Release 4.2(1)SV1(4a).
    2. Upgrade the VMware vCenter Server to VMware Release 5.0.0.
    3. Upgrade the VMware Update Manager to VMware Release 5.0.0.
    4. Upgrade your ESX hosts to VMware Release 5.0.0 with a custom ESXi image that includes the VEM bits.
    Upgrading the ESX/ESXi hosts consists of the following procedures:
    –Upgrading the vCenter Server
    –Upgrading the vCenter Update Manager
    –Augmenting the Customized ISO
    –Upgrading the ESXi Hosts
    There is also a 3 part video highlighting the procedure to perform the last two steps above (customized ISO and upgrading ESXi hosts):
    Video: Upgrading the VEM to VMware ESXi Release 5.0.0
    Hope that helps you with your upgrade.
    Thanks,
    Michael

  • Cisco AAA and Free Radius enable secret failure

    Hi,
    I am currently testing aaa authentication with free radius.
    I can authenticate users through the radius server; however, I cannot authenticate the enable secret.
    Here is the router configuration:
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authentication enable default group radius enable
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    radius-server host 192.168.0.135 auth-port 1812 acct-port 1813 key cisco
    I have created a user for the enable secret as such:
    $enable15$   Auth-Type := local
            Service-Type = NAS-Prompt-User
    The router cannot authenticate when logging in to privileged mode. I cannot find any log on the radius server either.
    Please help.

    It should be $enab15$ as the user that IOS sends to the radius server.
    Sent from Cisco Technical Support iPhone App