Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization through our AAA config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for AAA authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>aaa authentication login default group Radius_Group
>>aaa authentication login console local
>>aaa group server radius Radius_Group
>>  server X.X.X.X
>>  server X.X.X.X
>>  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server.
Does anyone know if this works?
Thanks
I have done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts!
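To make the answer above concrete, here is an added example (not code from the original post and not Cisco's) of what a NAS such as a Nexus switch has to do with the server's reply: check the Response Authenticator against the shared secret so a forged Access-Accept is not trusted, then pull the role list out of the cisco-av-pair Vendor-Specific attribute. It uses only the Python standard library. The shared secret, packet identifier and Request Authenticator are constructed for the demo; the av-pair text is the value quoted above (the `*` form is the "optional" av-pair syntax, `=` is "mandatory", and both are handled).

```python
"""RADIUS Access-Accept check for a Nexus-style shell:roles av-pair.

Added example, not code from the original post or from Cisco. Shared secret,
packet identifier and Request Authenticator below are constructed for the
demo; the av-pair text is the one quoted in the answer.
"""
import hashlib
import hmac
import os
import struct

ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                # Cisco vendor sub-attribute 1: cisco-avpair
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3


def build_avpair_vsa(text: str) -> bytes:
    """Encode one cisco-avpair string as a Vendor-Specific attribute."""
    payload = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    value = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(value) > 255:
        raise ValueError("attribute too long for a single VSA")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(value)) + value


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data: bytes):
    """Yield (type, value) pairs from a TLV run, rejecting malformed lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield t, data[i + 2:i + length]
        i += length


def roles_from_accept(packet: bytes, request_auth: bytes, secret: bytes) -> list:
    """NAS side: verify the reply came from a server holding our secret, then
    return the NX-OS roles granted by shell:roles (empty list for a Reject)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    if code != CODE_ACCESS_ACCEPT:
        return []
    roles = []
    for t, value in parse_attrs(attrs):
        if t != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for sub_t, sub_v in parse_attrs(value[4:]):
            text = sub_v.decode("ascii", "replace")
            # av-pair syntax: "shell:roles=" is mandatory, "shell:roles*" optional
            if sub_t == CISCO_AVPAIR and text[:11] == "shell:roles" \
                    and text[11:12] in ("=", "*"):
                roles.extend(text[12:].strip('"').split())
    return roles


def demo(secret: bytes = b"XXXXX", verify_secret: bytes = None) -> list:
    """Round trip: server builds an Accept, NAS verifies it and extracts roles.
    Pass a different verify_secret to see the forgery check fire."""
    request_auth = os.urandom(16)          # chosen by the NAS per request
    attrs = build_avpair_vsa('shell:roles*"network-admin vdc-admin"')
    accept = build_response(CODE_ACCESS_ACCEPT, 0x2A, request_auth, attrs, secret)
    return roles_from_accept(accept, request_auth, verify_secret or secret)


if __name__ == "__main__":
    print(demo())   # ['network-admin', 'vdc-admin']
```

The authenticator check is the only thing standing between a spoofed UDP reply and a `network-admin` session, which is why the shared secret needs to be long and random and why `radius-server host ... key` must match on both ends exactly.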
Similar Messages
-
Microsoft 2008 NPS Radius + wireless controller.
Hi,
We have implemented a new Microsoft 2008 NPS RADIUS for wireless controller authentication.
I am seeing "RADIUS server x.x.x.x:1812 failed to respond to request (ID 119) for client ............." in the controller. But there are no logs hitting the NPS server, either failed, success or otherwise.
Layer 3 communication is fine between controller & server.
As per the debug logs, the controller is forwarding the request to the NPS server: "Successful transmission of Authentication Packet to ......NPS proxy".
But there is no further key exchange or successful authentication logs; any idea on this?
Thanks
Shrinivas.K
Download NTRadPing and test to see if your RADIUS is working. You can put a sniffer on and see if you see packets coming out of the WLC and RADIUS. You can always remove the AAA from the WLC and add it back on, and also remove and add back the WLC as an AAA client on the RADIUS server.
Thanks,
Scott Fella
Sent from my iPhone -
Cisco Nexus 5K + Micrososft Radius for Admin Authentication
Hi,
I have Cisco 3750 switches configured to use MS RADIUS for administrator authentication. However, now I would like to add our Cisco Nexus switches to MS RADIUS as well so that administrators are authenticated against the Microsoft RADIUS for admin authentication.
I tried it earlier but it won't accept 3750 commands. Can you please help me with a configuration example that I can follow?
the commands I have used on 3750 are as follows:
aaa new-model
aaa authentication login vtylogin group radius local
aaa authentication login conlogin group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec vtylogin group radius local
aaa authorization exec conlogin group radius local
radius-server host x.x.x.x key SECRETE
line con 0
exec-timeout 5 0
authorization exec conlogin
logging synchronous
login authentication conlogin
line vty 0 4
exec-timeout 0 0
authorization exec vtylogin
login authentication vtylogin
transport input ssh
line vty 5 15
exec-timeout 0 0
authorization exec vtylogin
login authentication vtylogin
transport input ssh
I have done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
Authentication Failed to 2008 NPS from Cisco IOS VPN
I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.
Local authentication works fine.
Here are cisco configs:
aaa new-model
aaa authentication login default local
aaa authentication login VPNauth group radius local
aaa authorization network VPNgroup local
aaa session-id common
ip radius source-interface Loopback0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx
crypto map VPNMAP client authentication list VPNauth
crypto map VPNMAP isakmp authorization list VPNgroup
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
... other crypto commands
This is the section of the log from NPS:
Authentication Details:
Connection Request Policy Name: VPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: x.x.x.x
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
I do have PAP enabled on the Network/Connection Request Policies...
I'm stuck
Please help
Can you run a "test aaa" command to see if the user can be authenticated successfully?
I think this might be a configuration issue on NPS. You can google it. Here is one I found, refer to "irishHam" post.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3 -
I couldn't find anything relevant, but apologies if it has already been answered.
Is there any way of encrypting the traffic between a switch and a RADIUS server when using RADIUS to authenticate switch logins? As far as I can tell the traffic is passed between the switch and the RADIUS server in plain text by default.
Hi,
Please bear in mind that it is not the RADIUS protocol that brings security, but rather the authentication method inside it.
Example, if you use PEAP or EAP-TLS, the authentication is all carried inside a TLS tunnel.
You can sniff the RADIUS packets but you will not be able to get any critical information from the client.
Think on the RADIUS as a transport mechanism for EAP authentication.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
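The question above is about switch logins, and for those the method carried inside RADIUS is PAP, not PEAP or EAP-TLS, so there is no TLS tunnel: the only protection is the RFC 2865 User-Password hiding, which depends entirely on the shared secret. This added example (not code from the original thread) implements that hiding exactly as a switch does it and then shows what a sniffer on the path gets: with the secret, or with a guessable one, the password comes straight back out of the capture. The secret, password and Request Authenticator are constructed values. If the exchange itself must be encrypted, the options are RADIUS over IPsec or RadSec (RADIUS over TLS, RFC 6614).

```python
"""How a PAP switch login looks to someone sniffing RADIUS.

Added example, not code from the original thread. The User-Password field is
an MD5-derived XOR pad keyed only by the shared secret and the per-packet
Request Authenticator; nothing else in the packet is hidden at all.
Secret, password and Request Authenticator are constructed values.
"""
import hashlib


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, then
    c1 = p1 ^ MD5(S + RA), c_n = p_n ^ MD5(S + c_(n-1))."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def _unhide(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reproduce the pad from the secret and the (cleartext) Request
    Authenticator; returns the still-padded plaintext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server (or anyone holding the secret) recovers."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden field must be a non-empty multiple of 16 bytes")
    return _unhide(hidden, secret, request_auth).rstrip(b"\x00")


def looks_like_password(plaintext_padded: bytes) -> bool:
    """Heuristic for secret guessing: printable ASCII followed only by NUL padding."""
    stripped = plaintext_padded.rstrip(b"\x00")
    return bool(stripped) and all(0x20 <= b < 0x7F for b in stripped)


def guess_secret(hidden: bytes, request_auth: bytes, wordlist):
    """Offline dictionary attack on the shared secret from a single captured
    Access-Request; no packets are sent to the server. Returns the first
    candidate whose pad yields a plausible password, or None."""
    for candidate in wordlist:
        if looks_like_password(_unhide(hidden, candidate, request_auth)):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed values standing in for a captured Access-Request.
    secret, request_auth = b"XXXXX", bytes(range(16))
    on_the_wire = hide_password(b"Pa55word!", secret, request_auth)
    print(on_the_wire.hex())                                    # looks random
    print(reveal_password(on_the_wire, secret, request_auth))   # b'Pa55word!'
    print(guess_secret(on_the_wire, request_auth, [b"cisco", b"radius", b"XXXXX"]))
```

The Request Authenticator travels in the clear in the same packet, so the whole strength of the hiding is the shared secret: a short dictionary word like the `XXXXX` placeholder in the configs above is recovered in microseconds from one capture, after which every later login on that path is readable.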
Cisco ASA 8.3 ldap AAA server setup Microsoft active directory fails
Hello,
I'm trying to set up ldap authentication for remote ssl vpn users like the picture below:
When I try the test button, and enter any username and password I get the message "Authentication Rejected: User was not found"
Why? Please help, I'm running out of options here... Many, many thanks in advance.
Use the login DN in the following format:
admin-user-name@domain_name and let me know how it goes.
If the above suggestion doesn't work then please run the debug ldap 255 and paste the output here.
Rgds, Jatin
Do rate helpful posts -
Microsoft 2008 NPS Radius + WLC
Anyone have any luck getting this to work? I am at this point just trying to get the radius set up and get the certificate pulled into the EAP section of NPS. Or know if Cisco supports this type of setup. My 2003 IAS box was a snap but now have the Windows Team forcing this god-awful OS onto me to use. Any help docs links appreciated.
Wow, this thread is still going?
I found a solution to the issue:
1. Install NPS
Start - Control Panel - Programs and Features - Turn Windows Features on or off
Rt-click Roles - Add Roles - Next - Network Policy and Access Services - Next - Next
Network Policy Server (tick) - Next - Install - Close
2. Start NPS and Register in AD
Start - Administrative Tools - Network Policy Server
Rt-click NPS (local) - Register Server in Active Directory - OK - OK
3. Configure Network Policy for Computers
Expand Policies
Rt-click Network Policies - New
Policy Name Computer Policy (or whatever you want to call it) - Next - Add
Select Windows Groups - Add - Add Groups
Enter Domain Computers - OK - OK
Select NAS Port type - Wireless - IEEE 802.11 (tick) - OK - Next - Access Granted - Next
Microsoft Encrypted Authentication MS CHAP (untick) - Add
Select Microsoft: Protected EAP (PEAP) - OK - Next - Next
Select Framed-Protocol | PPP - Remove
Select Service Type | Framed - Remove
Select Encryption - No encryption (untick) - Next - Finish
4. Configure Network Policy for Users
Repeat steps in 3 above substituting User Policy as name and Domain Users as Group
5. Setup RADIUS client
Expand RADIUS Clients and Servers
Rt-click RADIUS Clients - New RADIUS client
Friendly Name: WLAN Controller Name of your choice
Address (IP or DNS): IP address of Controller
Vendor Name: Cisco
Shared Secret: The Access Key you set on the Controller - Confirm Shared Secret - OK
6. Set up Wireless GPO (if you want to automate client distribution)
Start - Administrative Tools - Group Policy Management
Rt-click your domain object and Create a GPO in this Domain and Link it Here
Call it WirelessClient or whatever floats your boat
Rt-Click the GPO - Edit
Computer Configuration - Policies - Windows Settings - Security Settings - Wireless Network (IEEE 802.11) Policies
Rt-click Wireless Network (IEEE 802.11) Policies - Create a new Wireless Policy
Policy Name WIRELESS (or whatever)
The rest of the settings need to be as per your controller setup, below are settings for WPA2 enterprise
Description: Wireless network - yadayada
Authentication: WPA2
Encryption: AES
IEEE 802.1X tab - Settings
Trusted Root Certificate Authorities - find your server's root certificate in the list and tick - OK - OK
Repeat for additional SSIDs if necessary
That should do it - it worked for me! -
Aaa authentication enable default group tacacs+ enable
I am implementing CSACS 4.0. First on the client, I will apply AAA authentication/authorization under vty. The issue is, if I use the following command
aaa authentication enable default group tacacs+ enable
what will happen if I login via console? Will I be required to enter any username/password?
Below is my configuration
aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty group tacacs+ local
tacacs-server host IP
tacacs-server key key
ip tacacs source-interface Vlan3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
login authentication authvty
authorization commands 15 authvty
accounting connection authvty
accounting commands 15 authvty
accounting exec authvty
Any suggestion will be appreciated!
It should work because this is a message/banner prompt every time you try to login (console/vty). I have it configured on my router.
If you have a banner motd, it will be displayed as well (see below). So I have to remove it to get only the AAA banner & prompt displayed:
*** Username: cisco, Password: cisco (priv 15f - local) ****
Unauthorized use is prohibited.
Enter your name here: user1
Enter your password now:
Router#
The config more or less looks like:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK -
AAA Authentication for Traffic Passing through ASA
I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable it, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
Am I missing something?
firewall# show run aaa
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication match guestnetwork_access guestnetwork RADIUS
aaa authentication secure-http-client
firewall# show access-li guestnetwork_access
access-list guestnetwork_access; 2 elements
access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
firewall# show run aaa-s
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.250.14
key xxxxx
firewall# show run http
http server enable
Your definition for the aaa-server is different from the aaa authentication server-group.
try
aaa authentication http console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL -
Hi,
I have a Cisco Nexus 7710 using the 3KW AC power supplies. Based on http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/data_sheet_c78-729141.html?cachemode=refresh , it seems that the maximum input current is 20A while the power cord indicated on the link is rated 16A; I was wondering if a 20A power cord may be required instead since the maximum input current is 20A?
For the circuit, not too sure if it can be connected to a 16A circuit?
Any suggestion is appreciated.
It says...
"With Cisco NX-OS Release 6.2(6), you cannot interoperate the F3 Series plus the F2 and/or F2e Series plus the M2 Series modules in the same VDC."
If I've understood well...is not possible to do a LACP etherchannel on two different modules...right? -
Cisco Nexus 5010 FCOE Interconnection
Hi, I would really appreciate your help on this doubt.
Is it possible to create a link between two Cisco Nexus 5010s
using CNA interfaces ?
I've already configured the Ethernet interfaces (where the CNA is plugged in),
I've bound the E1/2, mapped the VSAN, created a specific traffic VLAN, and so on ...
I have tried everything that's written in the manual but the vfc interface won't come up; it keeps telling me "vfc is down".
What am I doing wrong? Or is this connection impossible ...
Thanks in advance.
5020A.1# show vlan fcoe
Original VLAN ID Translated VSAN ID Association State
100 100 Operational
5020A.1# sho feature | grep np
npiv 1 disabled
npv 1 enabled
5020A.1# sho interface brief | grep -i fc
fc2/3 100 NP off up swl NP 4 --
fc2/4 100 NP off up swl NP 4 --
vfc15 100 F on trunking -- TF auto --
!!!here's vfc15 and it's associated interface
5020A.1# sho run int vf15
!Command: show running-config interface vfc15
!Time: Thu Feb 17 12:45:29 2011
version 5.0(2)N2(1)
interface vfc15
bind interface Ethernet1/15
no shutdown
5020A.1# show inter e1/15 status
Port Name Status Vlan Duplex Speed Type
Eth1/15 FCoE ports connected trunk full 10G 1/10g
5020A.1# sho run int e1/15
!Command: show running-config interface Ethernet1/15
!Time: Thu Feb 17 12:45:33 2011
version 5.0(2)N2(1)
interface Ethernet1/15
description FCoE ports
switchport mode trunk
switchport trunk allowed vlan 1,10,30,100
spanning-tree port type edge trunk
load-interval counter 2 30
load-interval counter 3 30
5020A.1#
5020A.1#
5020A.1#
I'd use this to get a look at FIP
ethanalyzer local sniff-interface inbound-hi detailed-dissection display-filter vlan.etype==0x8914 limit-captured 200 write bootflash:fipcap1.pcap
This is assuming that your eth1/2 is working and up.
Reply with your associated show commands:
show fcoe vlan
show feature | grep np
show interface brief | grep -i fc
show vsan
sho run inter vfc x
show run inter eth x/y
show inter eth x/y status
other questions
1. what OS?
2. what vendor of CNA card?
Joe -
AAA authentication for networking devices using ACS 4.1 SE
Hi!!!
I want to perform AAA authentication for networking devices using ACS 4.1 SE.
I do have Cisco 4500, 6500, 2960, 3750, 3560, ASA, CS-MARS, routers (2821) etc. in my network. I want to have RADIUS-based authentication for the same.
I want telnet, SSH and console attempts to be verified by the RADIUS server & if ACS goes down then it will be via the local enable password.
For all users I need to have different privilege levels based upon which access will be granted.
Could you please send me the config that is required to be done in the active devices as well as ACS!
Pradeep,
Are you planning MAC authentication for some users while using EAP for others?
For MAC authentication, just use the following in your AP.
aaa authentication login mac_methods group radius
In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
In your SSID configuration, under client authentication settings,
check "open authentication" and also select "MAC Authentication" from the drop-down list.
If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
You will not need to change anything in XP.
NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
HTH -
Cisco AAA authentication with windows radius server
Cisco - Windows Radius problems
I need to create a limited access group through RADIUS that I can have new network analysts log into
and not be able to commit changes or get into global config.
Here are my current radius settings
aaa new-model
aaa group server radius IAS
server name something.corp
aaa authentication login USERS local group IAS
aaa authorization exec USERS local group IAS
radius server something.corp
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key mypassword
line vty 0 4
access-class 1 in
exec-timeout 0 0
authorization exec USERS
logging synchronous
login authentication USERS
transport input ssh
When I log in to the switch, the RADIUS server is passing the correct attribute
***Jan 21 13:59:51.897: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=7"
The switch is accepting it and putting you in the correct priv level.
***Radius-Test#sh priv
Current privilege level is 7
I am not sure why it logs you in with the prompt for privileged EXEC mode when
you are in priv level 7. This shows that even though it looks like you're in priv exec
mode, you are not.
***Radius-Test#sh run
^
% Invalid input detected at '^' marker.
Radius-Test#
Now this is where I am very lost.
I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
global config mode.
***Radius-Test#enable
Radius-Test#
Debug log -
Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Now it doesn't matter that I was given priv level 7 by RADIUS because 'enable' put me into priv 15
***Radius-Test#sh priv
Current privilege level is 15
Radius-Test#
I have tried to set
***privilege exec level 15 enable
It works and I am no longer able to use 'enable' when I am at priv level 7, but I also cannot get the commands they will need to work.
Even if I try to do
***privilege exec level 7 show running-config (or other variations)
It will allow you to type sh run without errors, but it doesn't actually run the command.
What am I doing wrong?
I also want to get PKI working with RADIUS.
I can run a test on my RADIUS system and will report back accordingly, as it's a different server from where I am currently located.
Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch? -
Cisco Nexus AAA authentication and console access
We have a Nexus 7K with AAA authentication working. Now I have an issue: I can't login using the console port because my logins are rejected. Is there any way we can login to the console with local login details, or do we have to use ACS server (AAA) logins when connected to the console (while the ACS server is still reachable)?
My main question is, I want to login using the console port while the ACS server is still reachable; is it possible?
Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes, login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
HTH
Rick -
Cisco Nexus 3K Layer 3 Connectivity Issue while using Optical SFP
Dear All,
I am facing an L3 reachability issue between N3k switches, even in the same subnet. I also checked that the VLAN is allowed under the trunk port.
I am able to see the switch details as a CDP neighbour.
We are using SVIs, and found all the SVI and interface protocol status is up/up. So to test I used a host directly connected to the N3k with an optical SFP in an access port and found reachability failed, but when replacing the optical SFP module with an SFP Ethernet module, reachability is okay.
Please help me to resolve this issue.
Thanks,
Kannan,
Hello Amit,
Pls find the following details..
We use SFP-10G-LR Modules on both end, we also replaced and checked with SFP-10G-SR modules as well..
Software
BIOS: version 1.9.0
loader: version N/A
kickstart: version 6.0(2)A1(1b)
system: version 6.0(2)A1(1b)
Power Sequencer Firmware:
Module 1: version v3.1
BIOS compile time: 10/13/2012
kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A1.1b.bin
kickstart compile time: 9/5/2013 14:00:00 [09/05/2013 22:37:16]
system image file is: bootflash:///n3500-uk9.6.0.2.A1.1b.bin
system compile time: 9/5/2013 14:00:00 [09/06/2013 02:25:01]
Hardware
cisco Nexus 3548 Chassis ("48x10GE Supervisor")
Thanks for the reply, and sorry for my delayed response..