Cisco Nexus RADIUS authentication privilege issue

Tags: authentication, cisco, cisco-nexus, radius

I'm trying to set up RADIUS authentication between a Nexus C93180YC and a Microsoft NPS Server.

The RADIUS server is reachable and I'm able to log in and get permission granted, but the network role is not applied to my profile.

This means that, while I am able to log in, I'm not able to do any kind of priv-15 commands like 'copy run start' or anything which needs write permissions.

Here is the config on the Nexus side:

version 9.3(1) Bios:version 05.38
switchname <hostname>
vdc <vdcname> id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource vrf minimum 2 maximum 4096
  limit-resource port-channel minimum 0 maximum 511
  limit-resource u4route-mem minimum 248 maximum 248
  limit-resource u6route-mem minimum 96 maximum 96
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8


no password strength-check
username <username1> password 5 <password1>  role network-admin
username <username2> password 5 <password2>  role network-operator
username <username2> passphrase  lifetime 99999 warntime 14 gracetime 3
username <username3>  password 5 <password3>  role network-admin
username <username3> passphrase  lifetime 99999 warntime 14 gracetime 3

radius-server host <ip> key 7 <key> authentication accounting
aaa group server radius <RADIUSGROUP>
    server <ip>

aaa authentication login default group <RADIUSGROUP>
aaa authentication login console local
aaa accounting default group <RADIUSGROUP>
login on-success log
aaa authentication login error-enable

On the NPS side, I have created a RADIUS client with the NEXUS IP, and have set up a condition so that only a member of a certain AD group can log in.
I have added the privilege settings to be sent back as a "Vendor-ID" specific "Cisco-AV-Pair" with the value shell:roles=*"network-admin vdc-admin".

(screenshot: NPS roles)

When I check privilege on the Nexus switch, it comes back as "-1".
The roles "network-admin" and "vdc-admin" exist on the Nexus switch.

Can anyone point out where this config is going wrong?

Thanks

Edit: next to no authorization commands are available on that switch:

(config)# aaa authorization ?
  ssh-certificate  Configure ssh certificate
  ssh-publickey    Configure ssh publickey

Best Answer

Using freeradius users:

test1   Cleartext-Password := "testing123"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""

test2   Cleartext-Password := "testing123"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:roles=*\"network-admin vdc-admin\""

test3   Cleartext-Password := "testing123"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:roles=\"*network-admin vdc-admin\""

test4   Cleartext-Password := "testing123"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:roles=\"network-admin\""

All four test users can log in with the correct roles. Of course, it should be either equals (=) or star (*), not both, but it doesn't appear to matter to nxos 9.3.4.

n3k-1# show user-account test1
user:test1
        roles:network-admin vdc-admin

n3k-1# show user-account test2
user:test2
        roles:network-admin vdc-admin

n3k-1# show user-account test3
user:test3
        roles:network-admin vdc-admin

n3k-1# show user-account test4
user:test4
        roles:network-admin