Cisco Nexus RADIUS authentication

How to configure Cisco Nexus switch with RADIUS authentication?

Here I’m using Microsoft NPS (Network Policy Server), which is feature of Windows 2008 R2 server, as RADIUS.

The switch is Nexus 93128TX running NX-OS version 6.1(2)I3(3a)

The first thing to do is to check with which IP address the switch accesses the NPS and that it’s reachable.

In this example the IP address of the NPS is 192.168.10.222 and the switch management IP is 192.168.10.230.

Now let’s configure the Nexus switch for RADIUS authentication:

radius-server host 192.168.10.222 key <PRE-SHARED_KEY> auth-port 1645 acct-port 1646 authentication accounting ! aaa group server radius RADIUS     server 192.168.10.222 ! aaa authentication login default group RADIUS aaa authentication login console local

The default behavior of the Nexus in case of all AAA servers configured for remote authentication are unreachable is fallback to local.

Before we will continue to configure the NPS create security group, on the AD, which will gain access to the switch.

We can create 2 different groups for example – one for network-admin role and the other for vdc-operator with read-only permissions.

We also can create specific roles on the Nexus switch (see notes below).

Next let’s configure the NPS:

Open the NPS console

Click the ‘+’ next to RADIUS Clients and Servers

Right click on RADIUS Clients and select New

Type in a friendly name for the device, type the IP address of the device and the pre-shared key

Click on the Advanced tab

From the Vendor name down-drop menu select Cisco

Click OK

Click the ‘+’ next to Policies

Right click on Network Policies and select New

Type in a Policy name

Click Next

Under Specify Conditions click Add

Scroll down and select Client IPv4 Address, type in the switch IP address and click OK

*This allows us to tie this specific access policy to this specific device

Now click on Add again and select User Groups and select the appropriate group for accessing the switch.

Click Next

On the Specify Access Permissions make sure the Access granted is selected and click Next

On the Configure Authentication Methods, uncheck all and check only Unencrypted authentication (PAP, SPAP)

On the Configure Constraints we can configure various options or just click Next

On the Configure Settings, select Vendor Specific and click Add

From the Vendor drop-down menu select Cisco, click on Cisco-AV-Pair and click Add

Click Add and type in the following attribute:

shell:roles="network-operator vdc-admin"

This will assign network-operator and vdc-admin for the login user, We can change the roles according to our requirements for the specific account/group.

Click OK, Next and Finish.

Now you can try to login into the Nexus switch with your domain account.

Notes

Show roles on the switch:

RHA-DC-NX-SW-01#  show role

Configure new role on the switch:

configure terminal role name <ROLE_NAME> rule number {deny | permit} command command-string rule number {deny | permit} {read | read-write} rule number {deny | permit} {read | read-write} feature feature-name rule number {deny | permit} {read | read-write} feature-group group-name description text exit

Validate new role:

show role show role {pending | pending-diff} role commit copy running-config startup-config

Now you can use the exactly role name under  Cisco-AV-pair attribute for applying this role to specific account/group.