Nexus 5K and 7K RADIUS Authorization with Steel Belted RADIUS
I am attempting to provide very basic authorization via Steel Belted RADIUS for a Nexus deployment.
Here is the code from the Nexus:
```
radius-server host [server] key [key]
radius-server host [server] key [key]
ip radius source-interface mgmt0
aaa group server radius GEN_AAA
  server [server]
  server [server]
  use-vrf management
  source-interface mgmt0
aaa authentication login default group GEN_AAA
aaa authentication login console group GEN_AAA
aaa accounting default group GEN_AAA
aaa authentication login error-enable
```
On the Steel Belted RADIUS server the client is set up as a basic IOS 11.1 or later (Nexus is not an option). The group setup for the relevant user group has a return code of:
```
shell:roles*"network-admin"
shell:priv-lvl=15
```
When I authenticate from a Catalyst 6509 with IOS 12.2, the authorization based on the shell:priv-lvl works fine. Only those users in the 'special' group have admin (lvl 15) access.
With the Nexus gear I authenticate fine, but the RADIUS user is always put in the network-operator role (default) regardless of the 'special' group shell:roles*"network-admin" return code defined.
In other words, it seems to work fine for IOS devices (Catalyst 6500 and 3750E so far) but not at all for Nexus gear. Unfortunately I am not in a position to suggest and implement ACS or another AAA server that supports TACACS.
Is there any way to pull this off with SBR?
Any help is much appreciated.
Hello Nusrat,
I appreciate the pointer. If I was using TACACS for AAA, authorization sets would be a consideration. However, authorization is not permitted when using RADIUS for AAA on the Nexus platform.
In any case I was able to resolve the issue with the assistance of the customer and their support contact at Juniper. For the VSA feature to begin working, a change to the INI file and a restart of the SBR services was required. Placing the desired group of users in the network-admin group is functioning as desired.
NOTE:
In addition to the configuration in the original post the following should be added to stop any 'standard' users defined on the SBR server from logging in with network-operator privileges:
```
no aaa user default-role
```
If no role is provided from the RADIUS server via the Cisco-AVPAIR VSA (e.g. Cisco-AVPAIR = shell:roles*network-admin), by default a Nexus box places the user in the network-operator role. This role has complete read access on the system, allowing, among other things, a read view of the configuration. The above command stops the default role mapping, so users/groups not configured on the RADIUS box cannot log in at all.
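The behaviour the thread describes, as an added model (not code from Cisco, Juniper or Steel Belted RADIUS): a parser for the Cisco-AVPair `shell:roles` value, the IOS-style `shell:priv-lvl` reading for comparison, and the Nexus role decision with and without `no aaa user default-role`. The AV-pair strings and the KNOWN_ROLES set are constructed sample data.

```python
"""Model of how NX-OS turns returned Cisco-AVPair attributes into a role.

Constructed example; it is not Cisco, Juniper or SBR code. It encodes
what the thread observed:
  * shell:roles (Cisco-AVPair) selects the NX-OS role(s);
  * shell:priv-lvl is honoured by IOS but does not pick a role on Nexus;
  * with no shell:roles returned, Nexus falls back to network-operator
    unless 'no aaa user default-role' is configured, which refuses login.
"""
from dataclasses import dataclass, field
from typing import List

NXOS_DEFAULT_ROLE = "network-operator"
IOS_DEFAULT_PRIV = 1  # IOS users land at privilege 1 when nothing is returned


@dataclass
class LoginDecision:
    allowed: bool
    roles: List[str] = field(default_factory=list)
    reason: str = ""


def parse_shell_roles(avpairs: List[str]) -> List[str]:
    """Collect role names from AV-pairs of the form shell:roles="r1 r2"
    or shell:roles*"r1 r2". '=' marks a mandatory pair and '*' an optional
    one; both carry the same role list. Quotes are optional and roles are
    space separated, so several roles may be returned in one pair."""
    roles: List[str] = []
    for pair in avpairs:
        pair = pair.strip()
        if not pair.startswith("shell:roles"):
            continue
        rest = pair[len("shell:roles"):]
        if not rest or rest[0] not in "=*":
            continue  # malformed pair: ignore rather than guess
        value = rest[1:].strip().strip('"')
        roles.extend(value.split())
    return roles


def ios_priv_level(avpairs: List[str]) -> int:
    """What the Catalyst in the thread honours: shell:priv-lvl=N."""
    for pair in avpairs:
        pair = pair.strip()
        if pair.startswith("shell:priv-lvl="):
            try:
                return int(pair.split("=", 1)[1])
            except ValueError:
                pass  # non-numeric level: fall through to the default
    return IOS_DEFAULT_PRIV


def nxos_login_decision(avpairs: List[str],
                        default_role_enabled: bool = True) -> LoginDecision:
    """Role assignment on Nexus. priv-lvl is deliberately not consulted,
    matching the thread: only shell:roles maps to a role there."""
    roles = parse_shell_roles(avpairs)
    if roles:
        return LoginDecision(True, roles, "roles taken from shell:roles")
    if default_role_enabled:
        return LoginDecision(True, [NXOS_DEFAULT_ROLE],
                             "no shell:roles returned; default role applied")
    return LoginDecision(False, [],
                         "no shell:roles returned and default role disabled")


if __name__ == "__main__":
    # Constructed Access-Accept contents for the 'special' group in the thread
    special = ['shell:roles*"network-admin"', 'shell:priv-lvl=15']
    # A 'standard' SBR user: the server returns nothing role-related
    standard: List[str] = []
    print("IOS priv for special group:", ios_priv_level(special))
    print("Nexus, special group:", nxos_login_decision(special))
    print("Nexus, standard user, default role on:", nxos_login_decision(standard))
    print("Nexus, standard user, default role off:",
          nxos_login_decision(standard, default_role_enabled=False))
```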
Similar Messages
-
Cisco Nexus 5548UP and FI6248UP compatibility with FC SFP
Cisco Nexus 5548UP and FI 6248UP comes with Unified Ports. What are the SFP types this port can take? 1Gig, 10Gig and 2/4/8FC. Could you please clarify?
Thanks,
Cheriyan
Hi Cheriyan,
Here is the URL to the 6200 series FI data sheet:
http://www.cisco.com/en/US/prod/collateral/ps10265/ps11544/data_sheet_c78-675245.pdf
Check the table of supported SFPs.
Same for the 5500 switches:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/data_sheet_c78-618603.html
Hope this helps!
./Abhinav -
Configuring Cisco ISE for Authorization with External Radius Server attribute
Hi,
I'm trying to integrate an external radius server with Cisco ISE.
I created an External Identity Store > Radius Token Server.
I created an Identity Store sequence with just the one identity store created above.
And I was able to authenticate successfully.
But when it comes to authorization, I observed we just have one tab named Authorization while creating the Radius Token server.
And it always refers to ACS:attribute_name.
If I want to define an IETF radius attribute (let's say Class, with attribute ID 25), how could I do it?
In Cisco ACS we have a direct entry option in the authorization tab where we can define the radius (IETF) attribute within Radius token server creation (within radius token server > Directory attribute tab).
However, when I try to define the IETF attribute here (class, IETF:Class) I am not able to authorize with this attribute value.
I tried with just one single authorization rule where it could hit, but observed it to go to the default (as none of the rules defined matches the condition).
Can anyone guide me on how we can define an IETF radius attribute for authorization within Cisco ISE and what policy we could set for it to work as authorization?
Thanks in advance
Senthil K
These are the steps for Creating and Editing RADIUS Vendors
To create and edit a RADIUS vendor, complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
The RADIUS Vendors page appears with a list of RADIUS vendors that ISE supports.
Step 2 Click Create to create a new RADIUS vendor, or click the radio button next to the RADIUS vendor that you want to edit and click Edit.
Step 3 Enter the following information:
• Name—(Required) Name of the RADIUS vendor.
• Description—An optional description for the vendor.
• Vendor ID—(Required) The Internet Assigned Numbers Authority (IANA)-approved ID for the vendor.
• Vendor Attribute Type Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute type. Valid values are 1, 2, and 4. The default value is 1.
• Vendor Attribute Size Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute length. Valid values are 0 and 1. The default value is 1.
Step 4 Click Submit to save the RADIUS vendor. -
Aironet 350 AP's with Funk's Steel Belted Radius Server
I have heard that the Aironet APs don't play nice with Funk's Steel Belted Radius Server. Has anyone had experience with these products? Anything you have heard about this problem would be good to know. I have a customer that already has Funk's software and doesn't want to change if he doesn't have to. Thanks, David Beaver
I have used FUNK's beta code with LEAP support with no problems. The only issue we had and still do, is that we can't use the RADIUS server to authenticate against an LDAP server. I believe that they are working on that also.
-
Cisco ISE with both internal and External RADIUS Server
Hi
I have ISE 1.2; I configured it as management, monitor and PSN and it works fine.
I would like to know if I can integrate an external radius server and work with both the internal and an External RADIUS Server simultaneously.
So some computers (groupe_A in active directory) will continue to do radius authentication on the ISE internal radius and other computers (groupe_B in active directory) will do radius authentication on an external radius server.
I would like to know if it is possible to configure this and how I can do it?
Thanks in advance for your help
Regards
Blaise
Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same. -
Transport roles and analysis authorization with user assigned
Hi expert,
I am facing this problem with transporting roles and analysis authorizations with users assigned. When I created a transport request to move the roles and analysis authorizations from the development system to the test system, I couldn't maintain the user assignments; after the transport I have to assign all of the users manually or create a program to fill the AGR_USER table, or is there another way?
Thanks for your time,
Luis
Hi,
In role administration, you have the following options for transporting roles:
- You can download the roles from one system and upload them into another
- You can import the role from a remote system using RFC
- You can transport the roles with the transport function.
Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
Transporting Roles with the Role Transport Function
1. Start the role administration function by choosing Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
2. Enter the role to be transported and choose Transport Role.
The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
For more information go through the link below:
http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
Regards,
Marasa. -
How can I authenticate and authorize with Web Service on ESB ?
Hello,
I want to authenticate and authorize clients with a Web Service published by the HTTP/SOAP BC.
Simply put, if it were a Web Service as a J2EE application, I would use Basic Authentication with JAX-RPC and a Realm.
But I think that a Web Service published by the HTTP/SOAP BC does not belong to a J2EE application. There is no place to describe security role mapping (like web.xml).
The JBI 1.0 section "5.5.1.1.3 Normalized Message Properties" says the JAAS Subject is given in the NM Properties. Indeed, the package
com.sun.jbi.internal.security.*
implements JAAS authentication and authorization (in JaasAuthenticator).
But I can't see how to configure my Service to use this.
How can I authenticate and authorize with a Web Service on ESB?
I referred to the resources.
Mutual Authentication for Web Services: A Live Example
http://developers.sun.com/prodtech/appserver/reference/techart/mutual_auth.html
XML and Web Services Security
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html
JAAS Authentication Tutorial
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
Thanks,
Takurou
- environment ---------------------------------------------
OpenESB : Project Open ESB Starter Kit
AppServer : Sun Java Systems Application Server 9.0 PE
OS : Windows XP
I don't plan to use SSL (if it's necessary I will try).
User information is stored in an LDAP Server.
-----------------------------------------------------------
Hello,
I read this resource.
SecurityDesign
http://www.glassfishwiki.org/jbiwiki/Wiki.jsp?page=SecurityDesign
Then I think securing by basic authentication [non-SSL and SSL/TLS and so on] is an ongoing feature at this time.
But I can't see well why this page says 'HTTP over SSL, TLS'.
HTTP/SOAP Binding Component Overview
http://download.java.net/general/open-esb/docs/jbi-components/httpsoap-bc.html
Does the BC support only "SSL server authentication"?
Doesn't the BC support "SSL client authentication" by username/password?
Thanks,
Takurou -
Hi everyone, I'm having problems in a wireless network; the SSID has layer 2 security WPA, layer 3 web authentication (internal default page), and external RADIUS.
When a client roams from one AP to another, or when he has an idle timeout, he needs to re-authenticate in the web login page. Does somebody know a solution to avoid this behavior? Or does somebody have a troubleshooting method to determine why the clients have these problems?
A few things I can share that might help. Your actual feet on the ground will be important to see this issue for yourself.
I know that when a client or the AP sends a DEAUTH frame, the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side, you will get the page. If your client isn't roaming cleanly this can be a problem.
Another problem is you're using EAP. Are you using CCK or a device that supports OKC? What does your radius server say when a client roams?
You could also simplify your config and then reapply your security and see where it breaks. By this I mean: for testing, create an SSID, turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
VN-Tag with Nexus 1000v and Blades
Hi folks,
A while ago there was a discussion on this forum regarding the use of Catalyst 3020/3120 blade switches in conjunction with VN-Tag. Specifically, you can't do VN-Tag with that Catalyst blade switch sitting in between the Nexus 1000V and the Nexus 5000. I know there's a blade switch for the IBM blade servers, but will there be a similar version for the HP C-class blades? My guess is NO, since Cisco just kicked HP to the curb. But if that's the case, what are my options? Pass-through switches? (ugh!)
Previous thread:
https://supportforums.cisco.com/message/469303#469303
wondering the same...
-
When I set up Adobe Reader on my computer to be able to download books from a library and then transfer them to my Nook e-reader, I initially stated "No authorization required" using Adobe. When I try to change it so I can transfer downloaded books to my Nook e-reader, I get an error message stating the Adobe user name and password is associated with another computer. What gives?
This is pretty surprising and weird that even Reader 10.1.1 is crashing on your system. It works perfectly for me.
Would it be possible for you to get the crash dump and upload it, so that I can have a look at it?
1. Download PROCDUMP from <http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx> and extract it to a folder, say, c:\temp\procdump.exe
2. Open a cmd prompt and type "cd c:\temp".
3. Launch the browser and open the PDF.
4. Open task manager, sort processes by name. Two AcroRd32.exe instances should have been launched. Note the PID (a small integer like 5588) corresponding to the AcroRd32.exe with the higher memory usage; this is the process that must be crashing. Note this PID.
5. On the cmd window, type "procdump -e -ma 5588 c:\temp\01.dmp" (replace 5588 with the actual PID of the process noted in Step 4). Procdump will now wait for the application to crash. If it throws a EULA, accept it.
6. Perform your steps to cause the crash.
7. Procdump will have created a dump file at "c:\temp\01.dmp". Zip it up (since it will be 100s of MBs otherwise) and share it with me.
Thanks in advance for all your help
Ankit -
Cisco wlc and steel belted radius
we have a cisco wlc controller that has two ssids, one for users and one for guests
we need the users in ssid 1 to take username and password from a user group in active directory through steel belted radius
please send me any integration guide between cisco wlc and steel belted radius
regards
Hi Mohammad,
I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs; however, the configuration process on the controller will be the same:
Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
You may wish to contact your RADIUS vendor for additional configuration steps on the server.
Best,
Drew -
I created an Apple ID and tried to authorize my computer, but it says that this Apple ID has not yet been used with the iTunes Store. Why?
FAQ apple id http://support.apple.com/kb/HT5622?viewlocale=en_US
http://support.apple.com/kb/HT1311 -
Issues with a port-channel between Nexus 5K and 4506
I'm having some trouble configuring an uplink from a Cisco 4506 to a set of Nexus 5k switches and cannot get either side to recognize the media. My configuration is as follows...
Nexus 5k
```
interface Ethernet1/22
  description ## 1A ##
  switchport mode trunk
  switchport trunk native vlan 150
  speed 1000
```
Cisco 4506
```
interface GigabitEthernet1/6
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 150
  switchport mode trunk
```
I am using 1 Gb SFPs (GLC-SX-MM) and I have verified that the fiber cables I am using and the fiber between closets are in working condition. But I cannot get the interface to come up.
I tried that and I could see the status light on the ports come on, but it still showed not connected.
I configured another switch (a 3560) with the same config and the same fiber layout and I got the connection up on it. I just can't seem to get it on the 4506; would it be something with the supervisor? Could it be wanting to use the 10 Gb port instead of the 1 Gb ports? -
Fabric with two Nexus-5548 and a brocade switch does not get fabric updates
We have a fabric containing two Nexus 5548 and a Brocade 5000 switch in interop mode 2. When I make changes to the zoning, the first Nexus (the fabric principal) and the Brocade switch see the zone changes. The second Nexus switch does not see them. There are no error messages, but the change just can't be seen. What can I do to find out what goes wrong?
Ouch, deprecated is not the word I wanted to read.
We are using 5.1(3)N1(1a) on nexus-rz1-a
and 6.0(2)N1(2) on nexus-rz2-a.
The fabric can be seen:
```
nexus-rz2-a# show fcs ie vsan 10
IE List for VSAN: 10
IE-WWN                   IE      Mgmt-Id   Mgmt-Addr      (Switch-name)
10:00:00:05:1e:90:57:27  S(Rem)  0xfffc01  10.88.133.110  (bc-san1)
20:0a:00:2a:6a:72:ba:01  S(Loc)  0xfffc1c  10.88.133.105  (nexus-rz2-a)
20:0a:54:7f:ee:7f:dc:01  S(Adj)  0xfffc0b  10.88.133.100  (nexus-rz1-a)
[Total 3 IEs in Fabric]

nexus-rz1-a# show fcs ie vsan 10
IE List for VSAN: 10
IE-WWN                   IE      Mgmt-Id   Mgmt-Addr      (Switch-name)
10:00:00:05:1e:90:57:27  S(Adj)  0xfffc01  10.88.133.110  (bc-san1)
20:0a:00:2a:6a:72:ba:01  S(Adj)  0xfffc1c  10.88.133.105  (nexus-rz2-a)
20:0a:54:7f:ee:7f:dc:01  S(Loc)  0xfffc0b  10.88.133.100  (nexus-rz1-a)
[Total 3 IEs in Fabric]
```
I try to distribute the zoneset this way:
```
nexus-rz1-a# zoneset distribute vsan 10
Zoneset distribution initiated. check zone status

nexus-rz1-a# show zone status
VSAN: 10 default-zone: deny distribute: full Interop: 2
  mode: basic merge-control: allow
  session: none
  hard-zoning: enabled broadcast: disabled
  Default zone:
    qos: none broadcast: disabled ronly: unsupported
  Full Zoning Database :
    DB size: 6291 bytes
    Zonesets:1 Zones:62 Aliases: 44
  Active Zoning Database :
    DB size: 10243 bytes
    Name: FABRIC1 Zonesets:1 Zones:60
  Status: Zoneset distribution completed at 08:06:00 UTC Dec 3 2013
```
```
nexus-rz2-a# show zone status
VSAN: 1 default-zone: deny distribute: active only Interop: default
  mode: basic merge-control: allow
  session: none
  hard-zoning: enabled broadcast: disabled
  Default zone:
    qos: none broadcast: disabled ronly: unsupported
  Full Zoning Database :
    DB size: 4 bytes
    Zonesets:0 Zones:0 Aliases: 0
  Active Zoning Database :
    Database Not Available
  Status:
VSAN: 10 default-zone: deny distribute: full Interop: 2
  mode: basic merge-control: allow
  session: none
  hard-zoning: enabled broadcast: disabled
  Default zone:
    qos: none broadcast: disabled ronly: unsupported
  Full Zoning Database :
    DB size: 6291 bytes
    Zonesets:1 Zones:62 Aliases: 44
  Active Zoning Database :
    DB size: 10243 bytes
    Name: FABRIC1 Zonesets:1 Zones:60
  Status: Activation completed at 13:03:42 UTC Dec 2 2013
```
-
MAB and 802.1x issues with IP-phone
I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP phones (powered by PoE) that only support EAP-MD5, and we would rather use MAB (it also uses LLDP-MED for some settings) to authenticate the phones using the MAC range from the phone vendor. The following scenario works perfectly:
1. Connect the phone and let it boot up (takes a while) and authenticate with MAB.
2. Connect a computer to the phone's data port and let it authenticate with 802.1x (or fail and reach the guest VLAN).
However, the following scenario doesn't work:
1. The computer is already connected to the phone.
2. The phone is then connected to the switch.
What happens now is that the computer is authenticated using 802.1x before the phone boots up and gets authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period (let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message (which is weird since the MAC has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the MAC from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phone's MAC as `mab auth sucess`.
Can anyone explain why the first scenario works, and not the second?
The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch-config:
```
network-policy profile 1
  voice vlan 90
interface GigabitEthernet0/12
  switchport mode access
  network-policy 1
  authentication control-direction in
  authentication event fail retry 1 action authorize vlan 60
  authentication event server dead action authorize vlan 60
  authentication event no-response action authorize vlan 60
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication priority mab dot1x
  authentication port-control auto
  authentication periodic
  authentication violation replace
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 5
  dot1x max-reauth-req 1
  spanning-tree portfast
```
Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including the device-traffic-class=voice AV-pair).
Hey. Yes, as specified in the last sentence of my post, the phone is placed in the Voice Domain, and both RADIUS and LLDP-MED (network policy profile 1) specify voice VLAN 90.
The weird thing is that everything works fine if both use 802.1x, and that there is only a problem when the phone (using MAB) already has the computer connected to it when the phone is turned on (connected to the PoE switch). It must be because the computer boots up and authenticates first, I think.
The phones are Snom 821.