Cisco Nexus 5K + Microsoft Radius for Admin Authentication
Hi,
I have Cisco 3750 switches configured to use MS RADIUS for administrator authentication. However, now I would like to add our Cisco Nexus switches to MS RADIUS as well, so that administrators are authenticated against the Microsoft RADIUS for admin authentication.
I tried it earlier but it won't accept the 3750 commands. Can you please help me with a configuration example that I can follow?
The commands I have used on the 3750 are as follows:
aaa new-model
aaa authentication login vtylogin group radius local
aaa authentication login conlogin group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec vtylogin group radius local
aaa authorization exec conlogin group radius local
radius-server host x.x.x.x key SECRETE
line con 0
exec-timeout 5 0
authorization exec conlogin
logging synchronous
login authentication conlogin
line vty 0 4
exec-timeout 0 0
authorization exec vtylogin
login authentication vtylogin
transport input ssh
line vty 5 15
exec-timeout 0 0
authorization exec vtylogin
login authentication vtylogin
transport input ssh
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts!
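To make the returned attribute concrete, here is an added Python example (not code from this post, from Cisco, or from NPS): it encodes cisco-av-pair as a Cisco Vendor-Specific attribute (vendor id 9, vendor type 1) inside an Access-Accept, signs the reply with the RADIUS shared secret so the NAS can verify it, and then parses the role names back out. The shared secret, packet identifier and Request Authenticator are constructed sample values; the same attribute is what the Nexus 7010 thread further down asks about.

```python
import hashlib
import struct

CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor-type of cisco-av-pair inside the VSA
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT = 2        # RADIUS packet code

def cisco_avpair(value):
    """Encode one cisco-av-pair string as a Cisco Vendor-Specific attribute."""
    data = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data  # vendor sub-attribute
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub

def access_accept(ident, request_auth, secret, attrs):
    """Access-Accept; Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_response(pkt, request_auth, secret):
    """True only if the reply was signed with the shared secret the NAS holds."""
    head, auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    return hashlib.md5(head + request_auth + attrs + secret).digest() == auth

def cisco_avpairs(pkt):
    """Walk the attribute list and return every cisco-av-pair string it carries."""
    out, pos = [], 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):   # malformed length: stop parsing
            break
        body = pkt[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and body[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            sub = body[4:]
            while len(sub) >= 2 and sub[1] >= 2:
                if sub[0] == CISCO_AVPAIR:
                    out.append(sub[2:sub[1]].decode(errors="replace"))
                sub = sub[sub[1]:]
        pos += alen
    return out

def nxos_roles(avpairs):
    """Role names from shell:roles pairs; both the '=' and '*' separators are handled."""
    roles = []
    for pair in avpairs:
        if pair.startswith("shell:roles"):
            roles += pair[len("shell:roles") + 1:].strip('"').split()
    return roles

if __name__ == "__main__":
    req_auth = bytes(range(16))   # constructed Request Authenticator from the Access-Request
    reply = access_accept(7, req_auth, b"SECRETE", cisco_avpair('shell:roles*"network-admin vdc-admin"'))
    print(verify_response(reply, req_auth, b"SECRETE"), nxos_roles(cisco_avpairs(reply)))
```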
Similar Messages
-
Cisco Nexus 1000v Virtual Switch for Hyper-V Availability
Hi,
Does anyone have any information on the availability of the Cisco Nexus 1000v virtual switch for Hyper-V? Is it available to download from Cisco yet? If not, when will it be released? Are there any Beta programs etc.?
I can download the 1000v for VmWare but cannot find any downloads for the Hyper-V version.
Microsoft Partner
Any updates on the Cisco Nexus 1000v virtual switch for Hyper-V? Just checked on the Cisco site, however still only the download for VMware and no trace of any beta version. Also posted the same question at:
http://blogs.technet.com/b/schadinio/archive/2012/06/09/windows-server-2012-hyper-v-extensible-switch-cisco-nexus-1000v.aspx
"Hyper-V support isn't out yet. We are looking at a beta for Hyper-V starting at the end of February or the beginning of March."
-Ian @ Cisco Community
|| MCITP: EA, VA, EMA, Lync SA, makes a killer sandwich. || -
Configuring Radius for PC Authentication
Hello. Has anyone configured RADIUS for PC authentication? It would be great if I could do both User and PC authentication but I've read that only one can be used. That being said, every time I add "Domain Computers" to the RADIUS settings I cannot connect to the wi-fi. "Domain Users" however....works with no problems. I'd appreciate the help!!
Finally resolved this and figured I'd share my results. For starters, in NPS on your RADIUS server you'll want to use "Machine Groups" and tie that to "Domain Computers", which is the default AD group for all PC objects when added to your domain.
On your GPO for the wireless, you would hit edit > advanced > and select "computer authentication". This works well as it also keeps mobile devices off the network. -
Cisco ISE 1.1.2.145 Admin Authentication using LDAP
I have configured the LDAP and am able to retrieve our LDAP directory structure. Now, I am trying to point the 'Admin Access' authentication to the "External Identity" Source, which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for any reason the LDAP configuration doesn't work. I learnt that ISE can automatically revert to local auth provided the External Identity sources are unreachable. How can I test the LDAP authentication without breaking our Admin Access? I thought of opening two parallel sessions, one with the Super Admin Local Account and the other with a Domain account. But I noticed that ISE communication is smart enough to logoff/login any other sessions in different browsers, so basically I can't open two parallel sessions from the same machine to do the tests. Suggestions? Or am I missing something here?
Many thanks in advance.
Hi Srinivas,
Even if you set up LDAP as an External Identity source for admin access, you can still fall back to Internal without getting locked out. As per the ISE user guide:
During operation, Cisco ISE is designed to "fall back" and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing "Internal" from the Identity Store drop-down selector in the login dialog.
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_identities.html#wp1351543
Please refer to the attached screenshot from my lab ISE:
I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.
Hope this helps.
Thanks,
Aastha -
Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization through our aaa config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>aaa authentication login default group Radius_Group
>>aaa authentication login console local
>>aaa group server radius Radius_Group
>>  server X.X.X.X
>>  server X.X.X.X
>>  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server
Does anyone know if this works?
Thanks
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
Cisco 2960 / Linksys SRW2008P - Radius dynamic vlan authentication
Hi all,
I am planning on purchasing a Linksys SRW2008P before I buy it I want to know if it has these features.
This is how my test lab is setup.
Laptop -> Linksys SRW2008 -> Cisco 2960 -> Linksys WRVS4400N -> Internet
My Cisco 2960 is going to act as the "Distribution Switch" in my Lab. Its main purpose is to implement RADIUS 802.1X dynamic VLAN(s).
The Linksys WRV2008 will act as an "Access Switch"; the main feature I would like to know about is whether it can support 802.1X dynamic VLAN(s) propagated from the Linksys 2960.
For example: I am going to set up all my VLANs on the 2960 and I want them to replicate to my SRW 2008 (like VTP). Whoever plugs into a port on the SRW will be authenticated via RADIUS, and RADIUS will authenticate the port and send the VLAN information.
I searched throughout the forums and from what I see, Linksys switches do not support Dynamic VLAN(s), but I want to double check.
The reason why I am doing this is because I want 802.1X authentication throughout my small office, but the problem is some offices have 1 port with 2 users and a printer. I want both users to authenticate via 802.1X and avoid trying to buy a 2960 8-port switch for $500 just for 2 users.
If anybody has any suggestions or past experiences with a situation similar to mine, that would be great!
Cheers
Hi. I have read a previous post that can confirm whether Linksys switches support dynamic VLANs. Check out the link below.
http://forums.linksys.com/linksys/board/message?board.id=Switches&message.id=4511 -
Cisco ACS for Unix authentication
My company is looking for a single sign on for all the windows and unix servers mainly for admins. I was wondering if Cisco ACS will work for this.
Basically the authentication will be for all the servers and routers, of course. I am thinking, if I specify Windows AD in the ACS config, can I get the Unix boxes authenticated against RADIUS?
Any help will be appreciated.
Manny
Hi,
Authentication of Unix servers via ACS over the RADIUS protocol is achievable; check out the link below. Client-end configuration needs to be done for RADIUS authentication.
Hope that helps with your query!
http://www.ibm.com/developerworks/library/l-radius/
Regards
Ganesh.H -
Use Tacacs+ for Admin auth & Radius for user Auth?
Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
If I set up a server in Server Manager under RADIUS, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.
Don't know about 1200s but you can do this on 1130AGs. Create an aaa group for authentication via RADIUS, and one for TACACS+, then use the aaa groups to point console/vty to the TACACS+ aaa group, and EAP authentication to the RADIUS group.
eg:
aaa group server radius rad-group
server x.x.x.x auth-port xxxx acct-port xxxx
aaa group server tacacs+ admin-access
server x.x.x.x
aaa authentication login eap-method group rad-group
aaa authentication login auth-admin-access group admin-access local
aaa authorization exec default group admin-access local
now under the ssid part of the config have:
dot11 ssid yyyyyy
authentication open (or whatever method you use) eap eap-method
under console/vty etc:
login authentication auth-admin-access
You need some more stuff like RADIUS and TACACS server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s); it looks like it overloads the aaa server at the moment - see field notices - probably doesn't apply to 1200s. -
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working: I get connected and authenticated. However, even though I use a user name and password from Active Directory when connecting with the Cisco VPN client, I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way that I enter the user name/password just once when connecting and get access to domain resources straight away?
Thank you.
Kind regards,
Alex
Hi Alex,
It is working as it should.
You can enable the VPN client to start VPN before logon. That way you log in to VPN and then log on to the domain. However, you are still entering credentials twice (VPN and domain), but you have access to domain resources and profiles.
thanks
John -
Simulator/Emulator for Cisco Nexus 7k, 5k
Do you guys know any good simulator or emulator for Cisco Nexus 7k or 5k ?
There aren't any at the moment. I have heard that Cisco has an internal one that is proprietary and not available to the public. Our only hope is to wait for the release of Cisco's VIRL aka Cisco Modeling Labs and hope that an NX-OS emulator will be included. However, when I was checking it out at this year's Cisco Live the current version did not have one :(
Thank you for rating helpful posts! -
ISE Radius device administration authentication possible?
Hi,
Does anybody know if RADIUS device administration authentication and authorization is possible with the actual ISE release? I know that TACACS will be available in a future release.
Regards
Joerg
Yes, it's possible according to the "Ask the experts" forum:
https://supportforums.cisco.com/thread/2172532
"If you use RADIUS for device administration, ISE can be utilized using authorization policy elements that return Cisco av-pairs. But personally, I think ACS is currently superior to ISE for this task."
Anyway, I'm about to test "device admin" and "network access" simultaneously in the same switch with Radius and ISE.
Please rate if it helps -
Cisco WSA : What is RADIUS CLASS attribute ?
Hello !
I am trying to use a RADIUS server (Cisco ISE) as an external authentication server for WSA. I would like to assign roles for groups of users but I don't understand the meaning of the RADIUS CLASS attribute. What am I supposed to write in this field?
Thank you,
Stéphane Walker
The CLASS attribute is generic, in that you can put anything in it. So you get to decide what you use.
On your RADIUS box, for the users or group that it applies to, set it to something like "WSAAdmin" for admins, "WSARO" for read only users...
Then when you configure the WSA, you set them appropriately there...
But you can really use any string you want to, they just need to match appropriately.
HTH,
Ken -
Radius server web authentication using ISE
Hi,
Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller, therefore I don't think I can implement central web auth on ISE as detailed in the user guide, as it's layer 2 and auth requests come from the foreign controller.
The following link explains "Radius Server Web Authentication" using ACS. I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
Thanks,
Hi,
Please check this:
Central Web Authentication on the WLC and ISE Configuration Example
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
Regards
Don't forget to rate helpful posts -
Nexus 1000v and vcenter domain admin account
I changed out the domain admin account on our domain under which the vCenter services run, and now it's using a different service account. I am wondering if I need to update anything on the Nexus 1000v switch side between the 1000v and vCenter?
Hi Dan,
You are on the right track. However, you can perform some of these functions "online".
First you want to ensure that you are running at a minimum, Nexus 1000v SV1(4a) as ESXi 5.0 only began support on this release. With SV1(4a), it provides support for both ESXi 5.0 and ESX/i 4.1.
Then you can follow the procedure documented here:
Upgrading from VMware Release 4.0/4.1 to VMware Release 5.0.0
This document walks you through upgrading your ESX infrastructure to VMware Release 5.0.0 when Cisco Nexus 1000V is installed. It is required to be completed in the following order:
1. Upgrade the VSMs and VEMs to Release 4.2(1)SV1(4a).
2. Upgrade the VMware vCenter Server to VMware Release 5.0.0.
3. Upgrade the VMware Update Manager to VMware Release 5.0.0.
4. Upgrade your ESX hosts to VMware Release 5.0.0 with a custom ESXi image that includes the VEM bits.
Upgrading the ESX/ESXi hosts consists of the following procedures:
–Upgrading the vCenter Server
–Upgrading the vCenter Update Manager
–Augmenting the Customized ISO
–Upgrading the ESXi Hosts
There is also a 3-part video highlighting the procedure to perform the last two steps above (customized ISO and upgrading ESXi hosts):
Video: Upgrading the VEM to VMware ESXi Release 5.0.0
Hope that helps you with your upgrade.
Thanks,
Michael -
Cisco AAA and Free Radius enable secret failure
Hi,
I am currently testing aaa authentication with free radius.
I can authenticate users through the RADIUS server, however I cannot authenticate the enable secret.
Here is the router configuration:
aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
radius-server host 192.168.0.135 auth-port 1812 acct-port 1813 key cisco
I have created a user for the enable secret as such:
$enable15$ Auth-Type := local
Service-Type = NAS-Prompt-User
The router cannot authenticate when logging in to privileged mode. I cannot find any log on the RADIUS server either.
Please help.
It should be $enab15$, as that is the user name IOS sends to the RADIUS server.
Sent from Cisco Technical Support iPhone App