On May 6, 2011, at 2:50 AM, Darren Shaw wrote:

> Good morning David,
> 
> To answer your questions
> 
> We do have a local username; all our switches have one, 500 of them.

Is the user you are testing with configured on the switch? If so, as what type
of user? Have you tried a username which is not configured on the switch?

> 
> I have traced the request and response between the FreeRadius server and the 
> N5K, the server returns a service-type (6) AVP of Shell user (6) which 
> according to the Free Radius documentation at 
> http://freeradius.org/rfc/attributes.html is an Administrative user.

Is the Cisco-AVPair also in that response packet? Also, I put the syntax for
adding those attributes into the 'users' file. It's probably possible to get
them crammed in via the 'default' configuration but it's not necessarily the
right place. It may also be the case that you need to make sure you are *not*
sending the Cisco-AVPair 'shell:priv-lvl=15'. I know that I needed to put my
IOS and NX-OS devices into different huntgroups so that I could assign
different AVPairs. I tried just sending both values to both types of devices
and did not get the desired effect.

-David Mitchell

> 
> The syntax that I have placed into the following file
> 
>       Cisco-AVPair += "shell:roles=network-admin",
>       Service-Type := Administrative-User,
> 
> I have also tried
> 
>  Hint == "XXXXXX", Auth-Type := Accept
>        Reply-Message = "ACCEPT: Authorizing enable access",
>        Cisco-AVPair = "shell:roles*\"network-admin\"",
>        Cisco-AVPair += "shell:priv-lvl=15",
>        Service-Type = Administrative-User,
>        Fall-Through = No
> 
> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
> Cisco-AVPair = "shell:roles*\"network-admin\""
> 
> The configuration I have on the 5K
> 
> radius-server host xxxx key 7 "XXXXXX" authentication accounting
> aaa group server radius FreeRadius
>    server xxxxx
>        use-vrf management
> aaa authentication login default group FreeRadius
> source address xxxxx
> 
> It looks as though the 5K is not interpreting the attribute correctly, or I
> am not editing the correct file. Whatever syntax I use I get the same
> results: I get authenticated, but the Nexus places me as an operator.
> 
> The file I am editing is /usr/local/etc/raddb/sites-available/default
> 
> Rgds
> Darren Shaw
> The Network Team
> Computing Services
> University of Huddersfield
> Queensgate
> Huddersfield
> HD1 3DH
> 
> TEL: 01484 471317
> MOBILE: 07792 773807
> 
> 
> -----Original Message-----
> From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org 
> [mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On 
> Behalf Of David Mitchell
> Sent: 05 May 2011 15:35
> To: FreeRadius users mailing list
> Subject: Re: Nexus Configurations
> 
> 
> On May 5, 2011, at 4:47 AM, Darren Shaw wrote:
> 
>> Hello David,
>> 
>> Thanks for the syntax. Sadly this still does not work. The free radius 
>> server will authenticate me as a user but the 5K wants me as an operator and 
>> not admin.
>> 
>> If you have the 5K working, could I be cheeky and ask if you could mail me 
>> the radius config on your 5K
> 
> There isn't anything in the radius config that enables this as far as I can
> tell. Do you have a local account on the 5K? That might override the info
> from the RADIUS server. Run the command 'show user-account' after logging in.
> For me, it indicates that the account was created via remote authentication.
> I assume you have run the radius server in debug mode to verify that the
> attributes are actually in the access accept packets sent back to the switch?
> 
> 
> -David Mitchell
> 
>> 
>> thanks
>> 
>> Rgds
>> Darren Shaw
>> 
>> -----Original Message-----
>> From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org 
>> [mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On 
>> Behalf Of David Mitchell
>> Sent: 04 May 2011 15:14
>> To: FreeRadius users mailing list
>> Subject: Re: Nexus Configurations
>> 
>> 
>> On May 4, 2011, at 4:48 AM, Darren Shaw wrote:
>> 
>>> Good Morning
>>> 
>>> I am new to this forum and to the workings of FreeRadius and I have a query
>>> around the Cisco Nexus family.
>>> 
>>> Currently we have all our switches and routers authenticating to FreeRadius
>>> and all seems to be working. The problem comes when I want to authenticate
>>> my Nexus 7K and 5Ks. The 7Ks and 5Ks will authenticate me but the Nexus
>>> puts me in an operator role and not in an administrator's role.
>>> 
>>> According to Cisco I have to place the following into
>>> 
>>> /usr/local/etc/raddb/sites-available/default
>>> 
>>> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-admin\""
>> 
>> This is what I'm adding to the replies for Nexus 5K's. I don't have any 7K's
>> but I'd be surprised if they were any different. I have not tried to send
>> two roles so I can't confirm the syntax for that.
>> 
>>       Cisco-AVPair += "shell:roles=network-admin",
>>       Service-Type := Administrative-User,
>> 
>> -David Mitchell
>> 
>>> 
>>> 
>>> The current service type is = Administrative-User
>>> 
>>> I have tried each AVPair and nothing works. Has anyone else had this issue?
>>> 
>>> If anyone has any advice I would be really grateful.
>>> 
>>> Thanks
>>> 
>>> 
>>> 
>>> Rgds
>>> Darren Shaw
>>> 
>>> ---
>>> This transmission is confidential and may be legally privileged. If you 
>>> receive it in error, please notify us immediately by e-mail and remove it 
>>> from your system. If the content of this e-mail does not relate to the 
>>> business of the University of Huddersfield, then we do not endorse it and 
>>> will accept no liability.
>>> -
>>> List info/subscribe/unsubscribe? See 
>>> http://www.freeradius.org/list/users.html
>> 
> 

-----------------------------------------------------------------
| David Mitchell (mitch...@ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------
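Added example, not configuration from either poster: the split David describes, with the reply attributes in the FreeRADIUS 'users' file keyed on huntgroups, rather than in sites-available/default. The huntgroup names and NAS addresses below are constructed placeholders, and it assumes the stock 'preprocess' module is still listed in the authorize section, since that is what evaluates the huntgroups file.

```conf
# --- raddb/huntgroups (assumed path; addresses are constructed placeholders) ---
# Put NX-OS and IOS devices in separate huntgroups so each type gets its own
# reply attributes. Matching is on the address the switch sends requests from.
nexus   NAS-IP-Address == 192.0.2.10
nexus   NAS-IP-Address == 192.0.2.11
ios     NAS-IP-Address == 192.0.2.20

# --- raddb/users (reply items belong here, not in sites-available/default) ---
# Nexus: return the role as a Cisco-AVPair plus Service-Type, and send nothing
# else. In particular do not also send shell:priv-lvl=15, the IOS form, which
# David reports did not give the desired effect when sent to both device types.
DEFAULT Huntgroup-Name == "nexus"
        Cisco-AVPair += "shell:roles=network-admin",
        Service-Type := Administrative-User

# IOS: return the privilege level instead of a role.
DEFAULT Huntgroup-Name == "ios"
        Cisco-AVPair += "shell:priv-lvl=15"
```

With this in place the check is the one David gives in the thread: run the server in debug mode and confirm that the Access-Accept for a request from a Nexus address carries the Cisco-AVPair with shell:roles and no shell:priv-lvl, then run 'show user-account' on the switch to see which role it actually assigned and that the account came from remote authentication rather than a local entry.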